Vein authentication, a biometric security method that scans the veins in your hand, has been cracked, reports Motherboard. Using a fake hand made out of wax, Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners made by both Hitachi and Fujitsu, which they claim covers around 95 percent of the vein authentication market. The method was demonstrated at Germany’s annual Chaos Communication Congress.

While imprints of fingerprints can often be left behind on surfaces just by touching them, vein patterns cannot, and are considered to be much more secure as a result. However, this wasn’t a problem for the researchers, who were able to copy their target’s vein layout from a photograph taken with an SLR camera modified to remove its infrared filter.

30 days and 2,500 test photos

Although constructing the wax hand eventually only required a single photograph and a construction time of 15 minutes, getting to that point took 30 days and over 2,500 test photos. Even the demonstration didn’t go entirely to plan; the researchers had to put one of the scanners underneath a table to stop the hall’s light’s from interfering with the hack. However, now that the method has been proven to work, other researchers will likely build upon it to create a process that’s more efficient and reliable.

Vein authentication isn’t currently used in any mainstream smartphones. Instead it is more commonly used to control access to buildings such as Germany’s signals intelligence agency. In a statement provided to Heise Online, a Fujitsu spokesperson sought to downplay the implications of the hack and said that it could only succeed under laboratory conditions and that it would’nt likely work in the real world.

This is not the first time that Krissler, also known by the alias Starbug, has bypassed a major biometric security technology. Back in 2013 Krissler bypassed Apple’s Touch ID within 24 hours of its launch in Germany and the following year he was able to construct a model of the German defense minister’s fingerprint. He’s also demonstrated vulnerabilities in iris scanning technology using an infrared image and a contact lens.