A Blog by Jonathan Low

 

Sep 18, 2013

Putting a Finger On It: How Impenetrable Is Biometric Security Technology?

One can only imagine the delicious challenge Apple has just thrown to the hacking community: be the first in your digital neighborhood to crack the biometric code.

Beyond that, however, the use of biometrics as a consumer feature raises some thought-provoking questions about priorities and purposes.

We recognize that convenience continues to be the defining advantage of our commercial culture. The perception among business managers, especially those selling consumer products and services, is that more convenience means greater sales, profits and customer loyalty (which prolongs the application of the first two).

We remain astonished by the inclination to trade almost any personal identifier for a discount: bank accounts, credit card numbers, children's names, DNA...damned if there's anything many consumers wouldn't consider sharing. But experience suggests that while concerns about the use of such information resonate, behavior has yet to reflect a change.

Biometric security has generally been reserved for the last line of defense in work or personal safety. Making it widely available serves to make it, well, even more widely available than it was. And once compromised, most people are unlikely to demand surgery to get new fingerprints. Or eyeballs.

It may well be that we have no secrets and that we accept that state of affairs. But the betting is that someone will eventually figure this out, so for those who believe they still have something to protect and the desire to do so, taking this next step may warrant some further consideration of the alternatives. JL

Charlie Osborne reports in ZDNet:

Should we trade our biometric data and privacy for the sake of convenience?
Has Apple managed the fine line between security and convenience? Some security experts aren't so sure.
Speaking to German publication Der Spiegel, Hamburg Commissioner for Data Protection and Freedom of Information John Caspar believes that the use of biometric technology for the sake of consumer convenience could become a hacking treasure trove, granting hackers access to permanent data which cannot be deleted or changed.
Biometric technology is used to verify a person's identity based on their physical or behavioral characteristics through digital means. Identifying features including a fingerprint, retina scan and facial features are key markers and are used in surveillance, laptops, smartphones and passports. These physical elements cannot be altered in the same way as a traditional password, and therein lies the worry associated with putting such data on a mobile device. Caspar told the publication:
"Biometric features you can not delete. [It is] life long. Fingerprints should not therefore provide for everyday authentication method, especially if they are stored in a file."
Apple's Touch ID fingerprint scanner for the recently announced iPhone 5s -- which already has Japanese consumers queuing up around the block -- allows users to scan their fingerprint to access the iPhone and download media or apps from iTunes without the need to type in a PIN code.
The Cupertino, Calif.-based firm has attempted to soothe privacy worries associated with the use of biometric data in mobile devices by stating that information gathered by the feature, Touch ID, will only be stored on the device and will be encrypted rather than saved as an image of the fingerprint.
However, Caspar remains unconvinced, saying that while the iPhone's fingerprint readings would only be stored on the device and not on centralized servers, cyberattackers who compromise a smartphone through malicious applications could still be able to access the biometrics. The IT commissioner said:
"The current user is not in a position to control what his applications do with the information he puts in them."
While the technology may be quicker for consumers than traditional PIN codes, biometric scanning is still dogged with problems. Motorola first launched its Atrix smartphone with the technology, but reportedly dropped it as consumers complained of errors. A report published on Elcomsoft's blog highlighted a "huge security hole" with fingerprint-based security in laptops sold by companies including Acer, ASUS, Dell and Samsung, and retina scanners used at U.K. airports were dropped following errors and slow processing rates.
The introduction of biometric data into the mobile device industry has also raised privacy worries in the United Kingdom, relating to its potential use as a way to track employees. A British trade union, the London chapter of the National Union of Rail, Maritime and Transport workers (RMT) -- which represents London Underground cleaners -- has instructed its members to refuse to use biometric fingerprinting devices to clock in to and out of shifts.
The union says that such methods to keep an eye on staff activity are a "draconian attack on civil liberties" after receiving almost unanimous support for industrial action, short of strikes.
Fingerprint scanning may be a useful tool for businesses, but as Caspar told the publication, biometric data is a permanent feature of a person, and storing such data is fraught with risk:
"Furthermore, [it is] the principle of data minimization. If it doesn't have to be there, remove the biometric data, no matter how convenient it might be."
Apple is not the only company looking at the potential of merging biometrics and mobile technology. In a recent image leak, the rumoured HTC One Max appears to also come equipped with a fingerprint scanner on the back of the smartphone.
