iPhone Turns Fingerprints into Credit Cards

There are a variety of new features that have come with Apple’s latest development, the iPhone 5S. Perhaps the most remarkable feature is a fingerprint scanner known as Touch ID.

Touch ID is designed to replace the need for four-digit PINs by allowing users to lock their phones with their fingerprints. In addition to this security option, users can also buy apps and other downloads through iTunes with nothing more than a fingerprint. This brings biometric technology to the forefront of society.

Of course, there is another side to Touch ID. While it may seem like a foolproof system, it could still cause some security problems. People inadvertently leave fingerprints everywhere they go, and they are easy to pick up with the right know-how. Some experts suggest that it’s only a matter of time before people catch on and hack into iPhone 5S devices.

“We think it’s an interesting approach to e-commerce and distinctly different from what several other players in the market are trying to do,” said Bill Kreher, an Apple analyst at Edward Jones. “Using iTunes as a starting point is an excellent proof of concept and could lead to outside apps being able to use the technology.”

eMarketer estimates that over 75% of smartphone users compare products and make purchases through their phones these days, totaling nearly $15 billion in mobile commerce this year. Making purchases easier by adding fingerprint technology to the credit card system may drive those numbers even higher.

That said, it’s worth considering in the wake of Apple’s announcement this week that the next generation of (high-end) iPhones will come with a fingerprint sensor: is that two tech steps forward, or two steps back, if you’re trying to keep your Snapchats from prying eyes?

Turns out, it’s kind of standing still. While fingerprint sensors might seem like a nifty way to shorten the steps to your next brilliant tweet and keep your buddy from punking your Facebook with a fake status update, they’re more likely to create a false sense of security, thanks to statements like this, from Apple Senior Vice President Dan Riccio, in the introductory video for the new iPhone 5s:

“Your fingerprint is one of the best passwords in the world. It’s always with you, and no two are exactly alike.”

Riccio is half-right. Your fingerprint is always with you, and no two are exactly alike. But that doesn’t make it one of the best passwords in the world. That actually makes it a potentially lousy password, says Gene Meltser, technical director for Chicago-based security firm Neohapsis Labs, because there’s nothing you can do to change it, to keep the cyberthugs guessing.

“All we have are 10 fingers,” Meltser told The Daily Beast. “That means we can only authenticate successfully 10 times. Once that data is compromised, we are for the rest of our lives unable to authenticate.”

We leave fingerprints everywhere, every day, all day long. Any goober can stick a piece of tape on a greasy thumb depression left on a soda can, peel it off, scan it into a computer, and figure out a way to trick a fingerprint sensor into letting him inside.

Passwords, on the other hand, are stored (or should be stored) only inside the brain. You don’t walk around all day slapping your PIN code on toilet seats and door handles. And even if you did do that, or you figured out someone had peeped over your shoulder and swiped your password, you could change it, and you’re back in Secureville. If someone grabs your fingerprint, and that’s what you use to get into your phone, they’ll always have it. And unless you find some sweet 007 technique for burning your fingertips off and creating a whole new set, you will not be able to do anything to set a “new” password.

“If somebody fakes your fingerprint” and then uses that to make a bunch of fraudulent purchases, “you’d have a very hard time proving that person was not you,” said Jennifer Lynch, staff attorney at the Electronic Freedom Foundation. “It’s your fingerprint.”

But wait! Apple says its fingerprint sensors will be activated only by the tips of the fingers/thumb, which is not quite the same pattern as those left on street lamps and steering wheels. Anyone who uses Apple’s Touch ID sensor (that’s the official name) will have to create a backup passcode on the phone that will be necessary any time the device has been rebooted or hasn’t been unlocked for two days. So maybe that resolves the security problem.

Maybe. But the only truly secure authentication, Meltser says, is a three-legged stool: something you are, something you carry, and something you know. So a fingerprint is something you are, and a password is something you know. But because both of those can be stolen, only the addition of that third thing—something you carry—can truly keep your Instagram safe.

Something you carry could be something like a “cryptographic RSA token,” a physical dongle that you carry around to authenticate things with, and of course there are very few people aside from corporate spies and very determined cheating spouses who would go to all those steps. But the takeaway is the takeaway: fingerprint sensors don’t make anything more secure. Unless you’re one of those people: “A lot of iPhone users aren’t using a passcode to lock their phone at all,” said the EFF’s Lynch.

But what about that new M7 chip, also available on the iPhone 5s? The one that aggregates data from the phone’s accelerometer and GPS to use with health and fitness apps, to allow people to record their every jaunt from couch to bathroom? Doesn’t that make us easier to track?
