Hello Explicit Facter!
Welcome to explicitfacts.com! A place where ignited minds come to get inspired!
Biometric security has become a mainstream form of authentication and login security.
It's convenient, unique, and user-friendly, but it could also be the most foolish security token you could use.
In this article, we discuss a particularly important problem: what happens when your biometric credential itself is compromised. That is an exceedingly demanding situation.
If somebody steals your password, all you need to do to secure your account is change the password. But what if somebody steals your fingerprint?
You leave your fingerprint everywhere.
You can’t change it and yet you are encouraged to use it as a security token.
When it comes to pure entropy, fingerprints or facial recognition can generate a stronger security key than a bad password.
Weak Password Etiquettes
The problem is that if someone has bad password habits, you can teach them to do better, but you can't change their face, well, not without help from a bear wrestler from Dagestan.
The whole promise of biometric security stands or falls on how easy it is to replicate and abuse biometric models, and the short answer is: it's a cat-and-mouse game.
Why? Given a long enough timeline, someone will be able to make a copy of your face or fingerprint that is good enough to fool the authenticating system.
Once your biometric data is compromised it affects all applications at once, and you will be affected for the rest of your life.
Enterprise-level multi-factor biometric systems could improve the security of the premises but consumer-grade biometric authentication is more of a convenience measure than a security enhancement.
Apple’s Touch ID – A Failed Saga?
When Apple first released Touch ID for the iPhone in 2013, it was touted as the next step in the evolution of secure authentication.
In just 24 hours, hackers found a cheap way to break it!
A photograph of your fingerprint lifted from a glass surface, such as the iPhone itself, is enough to recreate a replica that Apple's Touch ID would accept as a genuine finger.
The complete process takes about 30 minutes flat!
Now, you may think this still reduces your attack surface because hackers must get physical access to your device and a
But boy! It’s way worse than that.
Security researchers attending the annual Black Hat hacker convention in Las Vegas have managed to bypass the iPhone Face ID user authentication in just 120 seconds.
The way they did it may well surprise you, but should it worry you as well?
Black Hat is always guaranteed to produce some exciting security headlines, and this year’s convention certainly hasn’t disappointed.
Everything from a demonstration of how WhatsApp messages can be intercepted and manipulated to Microsoft confirming it had paid hackers $4.4 million (£3.6 million), to name two examples.
However, for sheer ingenuity and that “WTF” factor, what the researchers from Tencent did is hard to beat.
The researchers found a flaw in the liveness detection function of the biometric authentication system that is used by Apple for unlocking an iPhone using FaceID.
During the session, Threatpost reported, the researchers said that “Liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture.”
Liveness detection exists to address a problem that so many biometric ID systems suffer from: attackers bypassing the authentication with the help of wax hands or 3D-printed heads. It's clever stuff and will prevent someone from unlocking an iPhone while the owner is asleep, for example.
Except it doesn’t.
That is, assuming you can follow the process demonstrated by Tencent, which is unlikely in most scenarios.
Not that the method isn't ingenious or lacks that wow factor, but it would be a difficult one to pull off in the real world.
It would be a lot easier to access a TouchID-protected iPhone using the finger of a sleeping victim.
All these kinds of hacks require physical access to both the device and the unresponsive owner. Ironically, I don’t think you need to lose too much sleep over this one.
An excellent video by the Wall Street Journal demonstrating how fingerprint ID is hacked is shown below.
Courtesy – YouTube
The researchers discovered that the Face ID liveness process wouldn't extract full 3D data from the area around the eye if it recognizes that the owner is wearing glasses.
Instead, it looks for a black area for the eye with a white point on it for the iris.
A hole in black tape applied to a pair of glasses (the researchers' "X-glasses") let that "white point" be visible to Face ID.
This is enough to fool Face ID and unlock the iPhone.
But it’s also the last time you can use the word “simply” in connection with the hack. Sure, the researchers showed how they placed the “X-glasses” onto a “sleeping” victim, unlocked the iPhone, and managed to transfer money using mobile payment. But you try and do that in the real world.
It’s not impossible by any means, but it does require a sleeping or unconscious victim who happens to have an iPhone protected with FaceID and who won’t wake up when you are stuffing a pair of specs onto their face.
Even just a high-resolution photo of your hands will give hackers enough data to construct a fake fingerprint.
A German hacker was able to use press photographs of Germany's defense minister to duplicate her fingerprints.
A quick scan of the photos you have posted all over social media may give hackers exactly what they need to do the same.
Now before you start scrolling through your social media to delete any photo that has your fingertips facing the camera, let me reassure you that it’s already too late, your fingerprint may be all over the Internet and there is nothing you can do about it.
The researchers were able to demonstrate that they could bypass the FaceID user authentication and access the iPhone of the victim in less than 120 seconds. To do so, they needed three things: a pair of spectacles, some tape and, erm, a sleeping or unconscious iPhone user.
An excellent video by the Wall Street Journal demonstrating how Face ID is hacked is shown below.
Courtesy – YouTube
You have to remind yourself that your phone isn’t the only thing that has your fingerprints.
Your biometric data is most likely stored on multiple databases that often act as lucrative targets for hackers.
Kaspersky found that up to a third of biometric systems that store biometric data were targeted by malware attacks.
Further analysis showed there is an emerging market for mass-distributed malware aimed at stealing biometric models from banks and financial systems.
If you are rich or dumb, you spend a thousand dollars on an iPhone with Face ID. And Face ID is ten times better than Touch ID because there is a liveness detector, and you are not going around slamming your face all over the place.
You may trust the sense of security Apple gives you by stating that your facial recognition data is stored only on your iPhone.
Apple’s Face ID is among the most secure of facial authentication systems available for consumers, but your iPhone is not the only device that can scan your face.
Facial recognition can be used anywhere without your consent.
Taylor Swift used a kiosk that showed rehearsal clips to entertain fans, which disguised its true purpose: using facial recognition to identify her stalkers.
Facial recognition is used by advertisers in public places, where banners and posters can identify you and even link you to your social media accounts.
As you shift from one foot to the other at a bus stop, a facial recognition banner can get detailed scans of your face from all angles, more than enough to craft a perfect copy of your face.
Even Vimeo, a video hosting site was sued for using people’s facial biometrics and storing this data taken from their videos without their consent.
You could easily be socially engineered into rotating your face in front of a hidden camera while staring into banners somewhere in a mall right next to an Apple Store.
Hackers are very patient people and cybercrime is a multi-trillion-dollar business.
Your facial biometrics is a lucrative target.
Apple's Face ID security is spectacularly falling apart as researchers and hackers get crafty at tricking Face ID, using 3D-printed facial models and VR systems to perform facial animation.
Hackers can make masks that look hideous to the human eye but are good-looking enough to fool Face ID, and if you are on a budget Android phone using some sort of face unlock, the situation is even worse for you.
The price tag of the TrueDepth 3D sensor used in the iPhone X is $60 per unit.
This is prohibitively costly for budget Android vendors, so they default to much less secure mechanisms that are even easier to fool than Apple's Face ID.
Social Media Blues!
In the age of social media, surveillance cameras can be algorithmically repurposed for marketing.
Your face is virtually everywhere and the biometric data generated from it is stored in remote data centers with pathetic security.
The breach is not a matter of If but When!
In 2015 the US Office of Personnel Management suffered a severe cyberattack in which the fingerprints of 5.6 million people associated with the US government were stolen.
In the UK, the fingerprints and facial recognition data of more than a million people were found in a publicly accessible database in unencrypted form, requiring no sophisticated attack at all.
Researchers were able to access a total of 27.8 million records filled with biometric information and login credentials. Among the most alluring targets of profit-seeking hackers are major airlines.
In cooperation with airport security and border control, airlines also rely on facial recognition to facilitate the process of travel and boarding.
Price of Security!
The convenience comes at the price of security.
The Cathay Pacific breach exposed the data of 9.4 million customers in 2018.
British Airways, meanwhile, received a record-breaking fine of 183 million pounds from the European Union for exposing the passport, credit card, and other personal details of 500,000 customers.
On top of that, biometric security will always be susceptible to a false rejection rate and a false acceptance rate.
In the former case, you end up downgrading to a less secure authentication mechanism to get past the recognition system that has rejected you.
Most phones with fingerprint sensors or face unlock features, including the iPhone, offer a backup way to unlock your phone with a PIN or passcode, which means your phone is only as secure as that secondary unlocking mechanism, which for most non-security-minded people is not secure at all.
A false positive among family relatives, including twins, parents and their children, and siblings, is not uncommon and significantly increases your attack surface.
Your close relatives may share just enough similarities in their faces to confuse facial recognition.
On the other hand, they would most likely all be using different PINs or passcodes that are not known to one another.
Unlike passwords, biometric data will always have a greater than zero probability of false negatives and false positives.
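To make the false rejection/false acceptance trade-off concrete, here is an added example that is not from the article and does not model any vendor's matcher. It assumes the one thing every biometric matcher reduces to, a similarity score compared against a threshold, and uses constructed scores for the owner, for strangers, and for look-alike relatives. Sliding the threshold shows that you cannot drive both error rates to zero, and that relatives push the false acceptance rate up at exactly the thresholds where the owner is still accepted.

```python
"""Added illustration (not from the article): a toy threshold matcher showing why
a biometric system always has a non-zero false rejection rate (FRR) and false
acceptance rate (FAR), and why lowering one raises the other. All scores below
are constructed for the demo; no real sensor or matching algorithm is modelled."""

# Similarity scores in [0, 1]: how closely a captured sample matched the enrolled
# template. Higher means "looks more like the owner". Constructed values.
GENUINE = [0.92, 0.88, 0.95, 0.79, 0.91, 0.85, 0.97, 0.83, 0.90, 0.74]    # owner's own attempts
STRANGERS = [0.12, 0.25, 0.31, 0.18, 0.40, 0.22, 0.35, 0.28, 0.15, 0.45]  # unrelated impostors
RELATIVES = [0.62, 0.71, 0.58, 0.81, 0.66, 0.77, 0.69, 0.84, 0.73, 0.60]  # look-alike relatives


def accept(score: float, threshold: float) -> bool:
    """The decision rule every matcher boils down to: accept when the score clears the threshold."""
    return score >= threshold


def false_rejection_rate(genuine, threshold):
    """Share of the owner's own attempts that are wrongly rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def false_acceptance_rate(impostors, threshold):
    """Share of impostor attempts that are wrongly accepted."""
    return sum(accept(s, threshold) for s in impostors) / len(impostors)


def error_tradeoff(threshold):
    """FRR and FAR (against strangers and against relatives) at one threshold."""
    return {
        "threshold": threshold,
        "FRR": false_rejection_rate(GENUINE, threshold),
        "FAR_strangers": false_acceptance_rate(STRANGERS, threshold),
        "FAR_relatives": false_acceptance_rate(RELATIVES, threshold),
    }


def equal_error_threshold(genuine, impostors):
    """Sweep thresholds in 0.01 steps and return the first one where FAR and FRR are
    closest: the equal error rate operating point vendors usually quote."""
    best_gap, best_t = None, None
    for i in range(101):
        t = i / 100
        gap = abs(false_acceptance_rate(impostors, t) - false_rejection_rate(genuine, t))
        if best_gap is None or gap < best_gap:
            best_gap, best_t = gap, t
    return best_t


if __name__ == "__main__":
    for t in (0.7, 0.8, 0.9):
        print(error_tradeoff(t))
    print("EER threshold vs strangers:", equal_error_threshold(GENUINE, STRANGERS))
    print("EER threshold vs relatives:", equal_error_threshold(GENUINE, RELATIVES))
```

Against strangers the matcher has a comfortable gap, so a threshold can separate the two populations cleanly; against relatives the equal-error point sits at 0.8, where one in five of the owner's own attempts is rejected and one in five relative attempts is accepted. Tightening to 0.9 locks relatives out but rejects half the owner's attempts, which is exactly when a user falls back to the PIN.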
At the end of the day, biometrics is just a long password, and just like a long password, it can eventually be brute-forced.
The best use of your biometrics is as part of multi-factor authentication, where you have to enter something you know, something you have, and something you are.
No modern smartphones are offering this level of protection.
Security tokens such as USB authentication keys from Yubico or Nitrokey are still the most secure form of authentication because, as far as we know, they are the least replicable, if replicable at all.
For device encryption, the long-established passcode still prevails: the longer the passcode, the stronger the encryption key.
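Why passcode length translates into key strength is worth showing rather than asserting. The following is an added example, not code from the article or from any phone vendor: a device does not use the passcode as the key directly but stretches it through a key derivation function, so an attacker has to repeat that work for every guess. PBKDF2-HMAC-SHA256 from Python's standard library stands in for a device's own hardware-bound derivation; the iteration count, salt, and attacker hashing speed are assumed values chosen for the demo.

```python
"""Added illustration (not from the article): why a longer passcode means a stronger
encryption key. The passcode is stretched through a key derivation function (PBKDF2
here, standing in for a device's hardware-bound derivation) and the attacker must
repeat that work per guess. Iteration count, salt and attacker speed are assumptions."""
import hashlib
import string

ITERATIONS = 200_000                       # assumed work factor per guess
SALT = b"constructed-salt-for-this-demo"   # fixed so the derivation is reproducible
RAW_HMAC_PER_SECOND = 1_000_000_000        # assumed attacker speed for a single HMAC-SHA256


def derive_key(passcode: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """32-byte encryption key from a passcode. Same inputs give the same key; any change gives a new one."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=32)


def search_space(length: int, alphabet_size: int) -> int:
    """Candidates an attacker must try in the worst case."""
    return alphabet_size ** length


def guesses_per_second(iterations: int = ITERATIONS, raw_rate: int = RAW_HMAC_PER_SECOND) -> float:
    """Key stretching divides the attacker's raw hashing speed by the iteration count."""
    return raw_rate / iterations


def expected_crack_seconds(length: int, alphabet_size: int) -> float:
    """Average time to find the passcode: half the space at the stretched guessing rate."""
    return search_space(length, alphabet_size) / 2 / guesses_per_second()


def compare_policies():
    """Worst-case search space and average crack time for typical passcode choices."""
    digits = len(string.digits)
    alnum = len(string.ascii_letters + string.digits)
    return {
        "4-digit PIN": (search_space(4, digits), expected_crack_seconds(4, digits)),
        "6-digit PIN": (search_space(6, digits), expected_crack_seconds(6, digits)),
        "10-char alphanumeric": (search_space(10, alnum), expected_crack_seconds(10, alnum)),
    }


if __name__ == "__main__":
    print("stretched guesses/second:", guesses_per_second())
    for name, (space, seconds) in compare_policies().items():
        print(f"{name:>22}: {space:>22,d} candidates, ~{seconds:,.0f} s on average")
    print("key for 123456 :", derive_key("123456").hex())
    print("key for 1234567:", derive_key("1234567").hex())
```

The stretching only buys a constant factor (here 200,000x); the search space grows exponentially with length, which is why a 4-digit PIN falls in seconds under these assumptions while a 10-character alphanumeric passcode does not. This is also the number that matters for the PIN fallback mentioned above: whatever the sensor's false acceptance rate, the phone is no harder to open than the passcode behind it.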
In many jurisdictions, the police may unlock your phone by forcefully using your fingers or your face but in the U.S. you can invoke the Fifth Amendment to refuse to give out your password because you can’t be compelled in any criminal case to be a witness against yourself.
Strong Passwords or Passcodes
As of right now, biometric security as a one-off authentication event isn't going to be more secure than a strong passphrase or multi-factor authentication.
A truly secure biometric implementation would be continuous pattern recognition that constantly scans our behavior: gait, keystrokes, movement, voice, as well as face and fingerprints.
For now, we will end this article with a quote from the German hacker group that broke Apple’s Touch ID in 24 hours.
"It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."
Courtesy – YouTube
To explain this issue in more detail, Team Explicit Facts has also published an article on government surveillance through smartphone tracking: Is Your Smartphone Being Tracked? Beware!
What to do?
In our related articles Best Tricks to Protect Your Online Privacy (Part 1) and Best Tricks to Protect Your Online Privacy (Part 2), we cover some general privacy-related things on the Internet to be aware of, including website policies and targeted advertising practices.
Then, we teach you some basic and advanced methods of staying private on the Internet and explain why doing these things protects your online privacy.
In the article Best Tricks To Protect Your Smartphone Security (Part 1), we explain how you can protect your online privacy by increasing your smartphone's security.
Lastly, we’ll go over some of the neat technologies that help keep your online life strictly your own business.
We at Explicit Facts want our followers to stay safe and at peace, with zero impact, through an enhanced knowledge base.
So, stay safe and keep reading our articles.
Now, before you leave our website, we are curious.
Do you agree with our worry about the weaknesses of biometric security credentials?
What is the solution to this problem?
Share your story with us in the comment section below. We will be right there with you.