How secure is the fingerprint scanner on your phone?
Fingerprint scanners on smartphones have changed the way we use our phones. A new study has even shown that the convenience of a fingerprint scanner has made more people lock their phones now than ever before. Keying in a password is cumbersome and inefficient, while just rubbing your finger against a sensor is simple and works like magic. It also makes you feel that your device is now as secure as Fort Knox and that you and only you can get access to it. Thus, people are adding things to their phones they would never even have dreamed of keeping there before. Important documents, dodgy pictures and videos, ATM PINs and passwords, credit card information – secure in the knowledge that their phone is protected by the highest form of technology the world can offer. But is the fingerprint scanner a false god? Is it the single most vulnerable area of your phone? Can it be easily hacked? The answer to all three questions is simple. Yes!
Let’s first understand how the fingerprint scanner on your phone works. A detailed, all-points human fingerprint is almost impossible to falsify. That’s what leads to this false sense of security. Unfortunately, fingerprint scanners on phones and other devices are extremely small and thus record just partial information. Typically, your phone asks you to repeatedly press your finger to the scanner as it takes six to eight images of your finger. That’s it. That’s all it does. These images are then used to make a match the next time you place your finger there. And then the awesome wizardry behind it magically opens up your phone. But it doesn’t need just your finger to open the phone for others. There are other ways.
Researchers at New York University and Michigan State University were able to create a finger ‘Masterprint’ (like hotels have a master key to open any room) by using the most common elements that exist in all our finger lines. Shockingly, that ‘Masterprint’ was able to open 65 per cent of all phones. That means seven out of 10 phones could be opened with just one Masterprint. Imagine a glove Masterprint available for criminals to buy off the Internet. They could get into most phones within two or three attempts. As that common feature technology improves, so will the Masterprint! But the story doesn’t stop here. It gets worse.
Biometrics firm Vkansee used dental mould to take a fingerprint cast and Play-Doh to fill it up, resulting in a perfect print that opened up a phone every time. Analysts at research firm CITER used a 3D printer to make a finger mould, which had fingerprints taken from a stored image. There have been demos where a fingerprint lifted off a glass or piece of plastic was converted into a high-res image and then 3D printed. Then there’s the glue method. Take a high-res image of a fingerprint, print it out onto a transparency film with a laser printer, smear glue and glycerol on the print, and you get a rubbery-glue fingerprint that works perfectly.
With the use of biometrics everywhere (Aadhaar, visas for travelling, bank accounts, phone connections), the chances of your fingerprints being made available to criminals are growing. Even worse, your fingerprints, once stolen, can’t be changed. They’re out there, being freely exchanged on criminal underground networks, and they’re also sitting on your fingers. A fingerprint is not a passcode that you can now change. It’s permanent on you and now with the next hacker!
So is there a way out? Well, a larger fingerprint sensor that scans professional-level images would be a good start. Unfortunately, that’s expensive and most phone brands won’t invest in it. They are worried that people will get irritated about rubbing their finger two or three times. They would rather claim the fastest fingerprint scanner in the world, which may not be the most secure.
Fingerprint scanners also create other issues. Imagine a court order that forces your finger onto your phone so the police can get access to everything within. Imagine being forced to unlock your phone with your finger at the immigration department when you enter a country. You can refuse to tell them a password, but you can’t do much in this case. Think about all of this when you make your fingerprint the only security system for your phone. Use the fingerprint to open up your phone, but put all important things within under a passcode and use another line of defence like a pattern code. It may be a little less convenient but it sure is a whole lot more secure.
Rajiv Makhni is managing editor, Technology, NDTV, and the anchor of Gadget Guru, Cell Guru and Newsnet 3
From HT Brunch, April 30, 2017