Oh ApplePay don't you hate it when I'm right?
Well, I wasn't 100% correct about where the initial hacks might come from but the point remains the same. ApplePay is far from as secure as they would want you to believe. Here is the link. Honestly, spoofing a fingerprint from photos would only be a secondary measure. The initial hack where they spoofed the TouchID sensor days after the iPhone 5s was unveiled using fingerprints on the screen is actually much scarier and presumably easier.
While the thought that someone can get your fingerprint with enough consumer-grade photos is scary, no one has shown any man-in-the-middle attacks or other dupes, which means that they would still need your phone to exploit it. And, if I've stolen your touch-centric smartphone, chances are I have plenty of fingerprints to use for the original hack.
So, now I have your phone and a means to spoof your TouchID. If you're set up for ApplePay, your safety net is the period of time it takes you to realize what has happened, accept what has happened and remotely brick your phone. The funny thing is that middle step. With a $700+ phone many people (who even remember the feature exists) will hesitate for quite some time before permanently bricking their phone.
And, if you turn out to be a valuable target, someone has your fingerprints and all they need to do the next time is steal your phone and start stealing your cash right away. And even that part is easier than it sounds. Apple went out of their way to make this work with tech already widely available. Which means virtually anyone can get a PoS machine that they could use to funnel the money.
The note from the hacker was basically, if my password is compromised I can change it, but I can't change my fingerprint if that gets compromised. It is a weakness of biometric passwords of all sorts. They aren't even as resilient as other 2nd factor authentication measures available today. But, if it is only being used in concert with another authentication method, like a proper password, it is better than JUST having a password.
I don't own an Apple device so I'm not sure what the options are for remotely securing a device. I know that there is a kill switch which bricks it, and there may also be a remote lock feature. If there is a remote lock feature which can be removed by the user, that makes for a safer way for someone to shut down the device ASAP while they look for it. But, I still don't think, even amongst those who would remember in such a scenario that they can do those things, that they would unless there was a clear cause. On rare occasions my phone falls in the car somewhere or I leave it somewhere unexpected. I might not even notice it gone for several hours, and depending on the situation may not try to find it for hours more. Plenty of time for someone to run up some charges on my TouchID-protected smartphone.
PS - I realize there aren't roving gangs of people stealing TouchID-enabled smartphones and using them to spoof people's fingerprints. The criticism isn't about current threat, but potential threat. If this becomes lucrative, such a scenario may actually come to pass. The folly is believing that a fingerprint is more secure than a password. The fingerprint is essentially a complex password, but it is one that can't be changed. Even a simple password changed often provides more security.