
Fingerprint security & biometrics: Three major myths busted

08 May 2017

Fingerprints have long been viewed as the ultimate identifier, unique only to you and impossible to steal, which is why fingerprint readers have become integral to smartphone and mobile device security.

So, it seems, these gadgets must now be at their most secure. Well, not quite. We debunk three myths in this short feature to bring some clarity to the subject of fingerprint security.

Myth 1: Fingerprint security is more secure than passwords

Contrary to what many people assume, biometric readers are not foolproof. They have their own set of unique vulnerabilities: the technology can be exploited and fingerprints can be stolen (even from photographs).

For example, in America, it is Homeland Security policy to collect fingerprints from non-US citizens between the ages of 14 and 79 as they enter the country. Meanwhile, the FBI keeps a file of an estimated 100 million prints, of which more than 30 million are “civil prints”, i.e. not linked to criminal activity.

These two examples amount to repositories of sensitive information, which will appeal to cybercriminals. If this information can be accessed, then, just like credit cards and PIN numbers, it is entirely possible for it to be stolen and used maliciously.

Myth 2: You can’t copy a fingerprint

In 2013, Apple ushered in the era of mainstream biometrics by announcing the addition of a fingerprint scanner to its iPhone 5s. It promised to keep your phone super protected while providing a Touch ID method of purchasing things from iTunes and the App Store – effectively removing the need for passwords (not totally, mind you).

But within two days of the new handset launching, a German security researcher called Starbug used publicly available software called VeriFinger to recreate the fingerprints of Germany’s Minister of Defence using high-resolution photos – claiming the copy was good enough to trick fingerprint systems for biometric authentication.

More recently, in 2016, biometrics firm Vkansee demonstrated that the “technology can be spoofed” – all you need is clay and some Play-Doh and you can capture enough fingerprint details to dupe a sensor into thinking it’s the real deal. However, the firm did state that the process is rather convoluted and unlikely to result in breaches of this ilk. Nevertheless, it does suggest that fingerprints can be copied.

Myth 3: Fingerprints will replace passwords in the future

Given that fingerprints can be stolen, copied and used to bypass today’s readers, it’s clear we have a long way to go before passwords are made obsolete. And even then, the likelihood is that passwords are going to be around for a long time.

What this highlights is that there is no single solution to security, with many experts advising an approach that embraces multiple measures so that ultimately, there is more than one entry point into whatever it is you seek to protect.

In practice, this means a mix of fingerprints, passwords and additional security in the shape of two-factor authentication may be required, especially in instances where the information or assets – digital or physical – are of a particularly sensitive nature.

Article by Welivesecurity.
