Fingerprint identification and its security implications

Today I decided to talk about security, just because it's one of the subjects I really enjoy. I hope you'll find this informative.

In recent days, there's a lot of noise on the interwebs about fingerprint security and how it can be easily compromised. Recent examples can be found here, here and here. It all started when Apple made fingerprint authentication a commodity with the introduction of Touch ID on iPhone 5. Subsequently, other phone manufacturers followed and today there are many high-end devices with a fingerprint scanner.

Security researchers expect that by 2019 over 50% of smartphones will have a biometric sensor! Similarly, 770 million biometric authentication apps will be downloaded each year by 2019. This is a huge increase from the 6 million downloads forecast for the mobile phone market in 2015. You can read the full report here. And it's not just phones you need to worry about. Gartner estimates that by 2016, 30% of companies will be using biometric identification on their employees. You can view the full Gartner report here.

Some claim that the use of biometrics is more secure than a simple username and password or a PIN. They certainly offer many advantages. While you may forget your password or identity card, you always carry your biometric info (eyes, fingerprints, etc.). However, for biometrics to be secure, they need to be implemented correctly. At the Black Hat conference, researchers proved that iris recognition and fingerprint biometrics can be hacked. In 2015, Yulong Zhang, a security researcher, showed 4 different ways that hackers could steal from or circumvent fingerprint scanners.

Zhang proved that he could access fingerprint data on an HTC One Max and a Samsung Galaxy S5. Worryingly, all fingerprint data was stored as a bitmap file in an unprotected location. Though altered, the data could easily be reassembled into an image. A hacker could use that image for impersonation.

In another attack, he was able to load extra fingerprints onto the device without the user's knowledge. The user was unable to see the fingerprints, yet Zhang was able to use them to unlock the device. Although both companies have released a patch for these devices, one can only wonder how many more devices are vulnerable to these or similar attacks. The problem is exacerbated by delays in patching when the phone companies are involved, as is the case with most Android phones.

You may think that fingerprint data hacking is not important, but there is one big catch: "You can't replace your fingerprints"! At the moment, if you fall victim to identity theft, it's possible to request a new credit card, identity card, etc. If your online account on a website is compromised, you can change the password or contact the website's support for help. But if your biometric data is stolen, there is no way to reset it! If your gym, phone manufacturer or doctor, who may all hold your biometric info, get hacked, your data is compromised forever. What's worse, remediation may prove extremely difficult, if not impossible.

If the future of identity is all about biometrics, then the future of identity theft will involve stealing and compromising biometrics, and thieves and scammers are already hard at work circumventing these systems. [1]

Personally, this sounds like quite a scary problem, one I would like to avoid altogether. I'm not against biometric security, but until it's implemented correctly, I do my best to avoid it. Username/password authentication has been around for a really long time. Yet we all know how, time and time again, companies get it wrong and end up all over the web after some infamous hack.

My advice is that if you value your identity, you should try to avoid the use of biometrics for identification. In the current state of affairs, I wouldn't trust any of the companies to implement biometric security effectively. In fact, I'm a bit suspicious about the whole practice, and so far I've been proven right. There's also the question of whether these companies collect and store this information outside the phone.

While usernames and passwords are not much more secure or easy to remember, there are ways to safeguard your online identity by following some best practices. I've included some examples below, but the list is nowhere near complete.

  • Never use the same username and password across multiple sites
  • Store all your unique passwords in a password manager tool
  • Create strong, complex passwords for each registration
  • Use 2-factor authentication where available
  • Never share your password (obviously)
  • Be vigilant and ensure that if your account gets hacked, you mitigate the threat immediately
  • Register your email with the Have I Been Pwned website to get notified every time one of your accounts turns up in a hacked site

Stay safe and try not to give away important identification data so easily, even if it's just on your phone.

[1] Future Crimes: Everything Is Connected, Everyone Is Vulnerable, and What We Can Do About It, Marc Goodman