Threat Level: green Handler on Duty: John Bambenek

SANS ISC: Am I using my Fingerprints yet? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Am I using my Fingerprints yet?

I came across an article today that demonstrates a compromise of the new Apple 5S fingerprint reader:
http://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked#!
http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

In other words, a copy of your fingerprint is your fingerprint.  And as Johannes discussed in the first article on this (https://isc.sans.edu/forums/diary/In+Defense+of+Biometrics/16553/), the screen on your phone is one of the better fingerprint collectors out there !
For me, this brings up both sides of "the fingerprint discussion"

  • You can't change your fingerprints - once a real copy of them are compromised, they are compromised forever
  • A representation of your fingerprint is stored on the device.  So if the device is lost or stolen, this representation could be used to compromise other things, if they use the same representation of your fingerprint (ie - any other device that uses the same manufacturer's hardware).  Again, once stolen, they are stolen forever.
  • After a couple of years, you'll likely trade your phone in for a new one, and today there isn't a way to know that a wipe of the phone wipes the saved representation of your fingerprint
  • Your fingerprint may be backed up with your phone backup.  Historically, your phone's backups have been easier to pillage than your phone.
  • If your phone is damaged, you may not have a way of wiping it


On the other hand:

  • On any given day, using your fingerprint is likely MUCH more secure for you than the 4 digit code you are likely using
  • Since your phone code likely matches either your phone number or your bank code, either it's very easy to guess, or compromising it might have other unpleasent consequences for you.


There's lots of discussion on this online, I think we're still waiting on Apple to respond definitively on any of them.

Anyway, none of these arguments are new, we've been round and round on them anytime these last 10 years, since they started putting readers on laptops for login.  What's changed is that there are way more phones than there are laptops, and in most cases the 4 digit unlock code on your phone is all that protects your chequing account, your facebook, paypal, twitter and email accounts.

So, am I using my fingerprints yet?  Not on any of my laptops, but once I upgrade my 4S to the new model, it'll be awfully tempting to take the plunge - I guess I'm still thinking about it.  If Apple would implement a "fingerprint + PIN" two factor authentication solution, it'd be an easier decision.

We welcome your comments in our discussion forum (comment button below).

===============
Rob VandenBrink
Metafore

Rob VandenBrink

478 Posts
ISC Handler
A really humorous thought.

Since your fingerprints are all over the phone, soon there will be developed techniques to lift the fingerprints off the phone and try each one till a match is found. All it takes is one that matches the datapoints stored in the phone to defeat its own security.
Anonymous
People are concerned with Google having all your Wifi passwords. Anyone backing up your devices with fingerprint "credentials" may have the same type of info stored.

Anyone who has ever gained a Federal security clearance, worked or volunteered in education (at least in California), worked in kids church (at any church that doesn't want to be sued for lack of background checking workers), obtained a firearms permit (fingerprint/background check required everywhere I've applied), etc. has their fingerprint "credentials" already stored at the State and/or Federal level.

IMHO, Fingerprints are very much not "something you are" when it comes to authentication. It is very much "something you know" (stored data), "something you have" (lifted prints or a synthetic copy), and for one person "something you are." Of course, tokens are very much the same way - if the seed and algorythm are known/obtainable, then it is reduced to "something you know" and not "something you have."

At untrusted locations (e.g. anywhere other than a law enforcement office rolling your fingers), fingerprints should only be used as an additional piece of information and never a sole verification.
Anonymous
People give too much data to their phones already, before we get started with biometrics and wearable computing. I muse whether someday the CIA will use an iPhone fingerprint recognition to carry out a drone assassination.
Steven C.

171 Posts
I'm not sure about the iPhone's reader, and others are definitely hit or miss, but some fingerprint readers are really tough to fool even if you have access to the known good fingerprint. I saw an article on a biometric fingerprint lock that required an actual 3d casting (etching a mold from an image wasn't good enough) and even then for reasons the crackers never figured out, these thin, molded 'fingerprint' covers would not work for everyone. i.e. Andrew could never open Bob's lock, though Charley and David could, and all three could open Andrew's. And since then the tech has been improved. On the other hand, there are complaints the tech has been 'improved' to the point that supposedly you sometimes need 2-3 tries to get in even if you are authorized.

I'll stick with my (redacted) digit number-which-is-not-from-anything-like-phone-bank-or-id-numbers-I-use-thanks. And the setting which, while annoyingly wasting several hours of my time restoring the darn thing when some kid sat there playing with my tablet, zaps it after 6 failures.
Eric

12 Posts
The National Spy Agency of the United Spies of America already has access to my phone. Fingerprint, passcode or not.
So the protection is against the thieves stealing the phone to get access to random data or trying to wipe the phone before a resale. iOS 7 stopped the wipe (needs the iTunes password). So now we are up against the criminals, that don't see any purpose of spending the resource to break into the phone. For me, the fingerprint is fine. And there is the added security of you being able to wipe the phone. So if the thief tries to use the phone to access online content, et gets reset, and keeps password protection for activation. Fingerprint is fine.
Povl H.

71 Posts
Sir,

The iPhone 5s does implement use of the pin code in certain circumstances. For instance, after reboot you are required to enter your passcode. Also, I have enable passcode plus fingerprint and I am using a stronger password because of the new fingerprint technology.

I agree with all the issues you brought up. We need to consider these in depth.

Thanks,

TJT
Povl H.
1 Posts
It would be nice to incorporate more options for multi-factor authentication along with the fingerprint reader like geo fencing to keep the benefits the finger reader provides plus the added security.
Jason`

1 Posts
A lone fingerprint (something you are) for identification is a terrible and dangerous idea. As a previous post, and many articles on the subject, have already pointed out: once it is compromised, it is compromised forever. I fear that mass authentication is already haphazardly moving from "something you know" to "something you are". And you can't change "something you are" if it is compromised. This migration from PIN/passwords to biometrics is being done not for security but for cost-savings and convenience... convenience to the user and cost-savings for every company/app that relies on passwords for user authentication. It's costly using resources to support password issues: forgotten passwords, lost passwords, password resets, etc. However, I would prefer to deal with the password issues in a system where I can change what has been compromised (PIN, password, token, etc.) vs. a system where I can't change what has been compromised. Because let's be honest, it's just a matter of time before a headline reads:

"XYZ company fingerprint database hacked and 10,000,000 fingerprint ID's have been compromised. XYZ company is advising users to register a different finger ASAP to reduce the risk of ID theft, information theft, and financial theft".

The problem is, we only have 10 fingers (at least most of us do) to select from vs. a virtually unlimited supply of cards. Imagine if your credit card company provided you with 10 cards, and no more than 10, for life. You would probably be on your 10th card by age 40 (given that most heavily used credit cards are compromised in under 2 years). And if using fingerprints, good luck calling Apple/company asking them to "reset your fingerprint" because it was compromised when you lost your phone. Even worse, some banks are considering moving from card+PIN for ATM's to fingerprint+PIN. Let's think about this:

...Today (with card+PIN), if your ATM card is compromised, they cancel your old card and send you a nice new fresh card. You can change your PIN as well for added security. Problem solved.

...Tomorrow (with fingerprint+PIN), if your fingerprint is compromised, what do they do? Ask you to register a new finger? Send you a new fingerprint in the form of some kind of latex "finger glove"? Instead, what will probably happen, is that your fingerprint will end up on a national blacklist of known compromised fingerprints (think credit bureau style), and the bank will force you to use a 20 digit PIN to make up for it (since you can no longer use your compromised fingerprint). And they'll require you to change your 20 digit PIN every 30 days because your fingerprint has been blacklisted and now your PIN is the only means of authentication. Or, they'll force you to migrate back to a card+PIN and your innocent fingerprint will forever be on the "compromised" list.

If banks do move to fingerprint+PIN, then it's also just a matter of time before ATM card skimmers are replaced with fingerprint skimmers and latex fingerprint printers. And how exactly would they respond to compromised fingerprints... ask you to get a new set of fingerprints? I can't think of a worse idea for authentication than fingerprints (convenient... yes, but secure... definitely not). Ok, maybe using "password" as your password is worse than a fingerprint but that's about it. Biometrics is not the way to go for mass market identification/authentication. Something you know + something you have is still the better solution. I'm hoping, for security's sake, that this biometric movement is just a short-lived phase/fad.

I would even prefer an implanted chip (VeriChip/PositiveID/etc.) to biometric fingerprints. Ideally, a microchip solution would include a chip that can be disabled (if needed) and most importantly, reprogrammed (if compromised). This is slightly more invasive but a good compromise to vulnerable and unchangeable human biometrics.

I'm sure the masses will flock (they already have thanks to IOS 7) to biometric fingerprints because they are so easy and so convenient. How long, though, before we see people wiping their glasses down at restaurants, wiping their carts down at grocery stores, or questioning every item that someone asks them to hold... wondering if it has a secret capability to scan fingerprints. How long before you have to wipe down your rental car or hotel room hoping that you didn't leave any prints behind?

Unfortunately, a world full of people wearing latex gloves to protect their ID's isn't too far away.
da1212

69 Posts
I miss the most important implication of the fingerprint on phones. In countries where you are not obligated to help your own conviction happen you can always say "sorry, I don't remember my password anymore..."... You can not say "I forgot my fingerprints". Besides, fingerprints are something you HAVE, not something you know, so laws helping you not incriminate yourself are not applicable...
da1212
1 Posts
Should fingerprints be considered only identification, not authentication? If you are leaving them all over, then they are almost as well know as you name. The strongest authenticators ideally should only be usable by the real holder of the identity. The trouble lies in part with the implementation and the sophistication of the technology to "read" the authenticators. By adding a temperature sensor, a pulse sensor, a capacitive sensor, and/or a "life" sensor to the fingerprint reader; the authentication is improved. But do all these additional sensors simply represent more factors to the authentication? Weak storage of the validation reference of the authenticator creates a weak link in the I&A process.
G.Scott H.

48 Posts
Yes, fingerprints should only be considered identifiers in the I&A process. However, unlike a card that you keep in your wallet or a username that you have memorized, your fingerprints are everywhere and much easier to obtain. Even worse, if your fingerprints are stored in a database that is compromised, then the attacker(s) now have your one-single-ID that you use for everything... from banking to email to medical records. Now, all they need is your PIN or password to pair with it... to have the proverbial keys to your kingdom. Or in the case of IOS-7, they just need your fingerprint since no PIN/password is required.

Fingerprints are similar to SSN's in the sense that they are "unique" to an individual. But look at the epic mess caused by SSN's every year:
~ Almost 11 million people/year are victims of ID theft.
~ Approx. $21 billion/year of financial fraud/loss.
~ Recovery from ID theft can take years (fixing credit reports, etc.)
source: http://www.statisticbrain.com/identity-theft-fraud-statistics/

Fingerprint ID's for identification are a bad actor's dream-come-true and a bad idea overall... no better than using SSN's for identification. Actually, fingerprints could be worse than SSN's because it will be more difficult to prove your innocence (that it wasn't you or your finger) if you're a victim of ID theft.
da1212

69 Posts

Sign Up for Free or Log In to start participating in the conversation!