How to steal a fingerprint

Apple announced that the new iPhone will include TouchID to allow users to make purchases by identifying themselves with a fingerprint. Sounds great, right? But while biometrics (such as fingerprints, palm prints, and retina scans) do have some advantages over passwords, they have their weaknesses too. And, yes, fingerprints can be stolen.

I’m not talking about someone pressing a gummy bear against something you touched like I saw on CSI once. I’m also not talking about gangs of thugs cutting off fingers so they can buy songs off of  iTunes. I’m talking about a fundamental misconception about biometric data.

Many people like biometrics because the security is based on something you are. A password is something you know. It can be forgotten. A token is something you have. It can be lost. But you can’t lose or forget your fingerprint! And barring dramatic and gory hand chopping off scenarios from the movies, your fingerprint can’t be stolen. Supposedly.

The problem is that Apple iPhone TouchID and other biometric security systems aren’t actually authenticating you based on your fingerprint. They are authenticating you based on a digital interpretation of your fingerprint. Just a series of ones and zeros like your other computer data. If that digital version of your fingerprint is intercepted or otherwise stolen it can be sent to the system you use your fingerprint to access just as if you were putting your finger on the screen.

A good security system will of course have a lot of controls to prevent someone from being able to do that, but what if someone finds a way to break those controls as they do with so many other systems? How are you going to reset your fingerprint?

Subscribe to Listing Toward Forty. Type your email address in the box and click the “create subscription” button. My list is completely spam free, and you can opt out at any time.

You can also find me on Twitter, Google+, and Facebook.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.