Eye and Voice Logins Compromised
Two biometric security measures have come into question after reporters and researchers claimed to have overcome them. A phone's iris recognition and a bank's voice log-in both appear to be less than perfectly secure.
The Samsung Galaxy S8 - arguably the most high-profile and hyped phone currently running the Android system - includes an option to unlock the phone by simply looking at the camera. In a similar way to fingerprint recognition, it works on the idea that the patterns in the eye's iris are unique. Samsung described these patterns as "virtually impossible to replicate."
Contact Lens and Color Printer Aid Attack
However, an organization of "ethical hackers" known as the Chaos Computer Club says it was able to defeat the security measure in a remarkably simple way: using a photograph of the phone owner's eye with a contact lens placed above it to make it appear three-dimensional.
While it was possible in theory to use a photo the person had uploaded to a social media page, the group says the easiest way is to take a photo of the person with a digital camera which either had a night-shot mode switched on or the infrared filter switched off. The photo worked when taken from five meters away, so could viably be taken without the phone owner's knowledge. Ironically the group found they got the best results by printing the image out on a Samsung color laser printer. (Source: ccc.de)
Twin Brother Pulls Off Voice Trick
Meanwhile, a BBC report tested security at HSBC bank, which offers customers the option of authenticating themselves for telephone banking using only their voice, rather than needing a PIN code or password. The customer records the phrase "my voice is my password" and repeats it on future calls, with HSBC saying a voice has 100 different measurable characteristics.
The reporter's non-identical twin brother was able to access the account by imitating the reporter's voice. It took him eight attempts to do so, which in turn raises questions about whether users are allowed too many failed attempts before being locked out. (Source: bbc.co.uk)
The good news is that the system doesn't allow users to withdraw money with the voice command. However, they can access balance and transaction information and move money between accounts belonging to the same person. That could prove extremely useful for would-be fraudsters or people looking to cause disruption.
What's Your Opinion?
Are you surprised the identification measures had these flaws? Are these realistic attack methods or is it more of a theoretical concern? Do you use any biometric logins and do you believe they are more secure than traditional passwords and PINs?
Comments
Fingerprint logins
I have been using fingerprint logins for my Windows machines for many years and it is extremely convenient as well as being very secure. Not only can I unlock a Windows PC with my fingerprint, I can also use my fingerprint scanner to login to websites using my password manager, Roboform. I suspect a fingerprint would be a lot harder to pull off in terms of long distance hacking compared to a photo of an iris or a voice recording.
Someone is watching too many movies..
Did the bank security guy who wanted everyone to use the phrase "My voice is my password" just get done watching the movie Sneakers?
Problem with biometrics
The main problem with these things as passwords is that once they're compromised they can't be changed. And everything can be hacked.