Eye and Voice Logins Compromised

John Lister's picture

Two biometric security measures have come into question after reporters and researchers claimed to have overcome them. A phone's iris recognition and a bank's voice log-in both appear to be less than perfectly secure.

The Samsung Galaxy S8 - arguably the most high-profile and hyped phone currently running the Android system - includes an option to unlock the phone by simply looking at the camera. In a similar way to fingerprint recognition, it works on the idea that the patterns in the eye's iris are unique. Samsung described these patterns as "virtually impossible to replicate."

Contact Lens and Color Printer Aid Attack

However, an organization of "ethical hackers" known as the Chaos Computer Club say it was able to defeat the security measure in a remarkably simple way: using a photograph of the phone owner's eye with a contact lens placed above it to make it appear three-dimensional.

While it was possible in theory to use a photo the person had uploaded to a social media page, the group says the easiest way is to take a photo of the person with a digital camera which either had a night-shot mode switched on or the infrared filter switched off. The photo worked when taken from five meters away, so could viably be taken without the phone owner's knowledge. Ironically the group found they got the best results by printing the image out on a Samsung color laser printer. (Source: ccc.de)

Twin Brother Pulls Off Voice Trick

Meanwhile a report at the BBC tested security at the HSBC bank which offers customers the option of authenticating themselves for telephone banking using only their voice, rather than needing a PIN code or password. The customer records the phrase "my voice is my password" and repeats it on future calls, with HSBC saying a voice has 100 different measurable characteristics.

The reporter's non-identical twin brother was able to access the account by imitating the reporter's voice. It took him eight attempts to do so, which in turn raises questions about whether users are allowed too many failed attempts before being locked out. (Source: bbc.co.uk))

The good news is that the system doesn't allow users to withdraw money with the voice command. However, they can access balance and transaction information and move money between accounts belonging to the same person. That could prove extremely useful for would-be fraudsters or people looking to cause disruption.

What's Your Opinion?

Are you surprised the identification measures had these flaws? Are these realistic attack methods or is it more of a theoretical concern? Do you use any biometric logins and do you believe they are more secure than traditional passwords and PINs?

Rate this article: 
Average: 5 (3 votes)

Comments

Dennis Faas's picture

I have been using fingerprint logins for my Windows machines for many years and it is extremely convenient as well as being very secure. Not only can I unlock a Windows PC with my fingerprint, I can also use my fingerprint scanner to login to websites using my password manager, Roboform. I suspect a fingerprint would be a lot harder to pull off in terms of long distance hacking compared to a photo of an iris or a voice recording.

Kalisun's picture

Did the Bank security guy who wanted everyone to use the phrase "My voice is my password" Just got done watching the movie Sneakers?

nospam_5346's picture

The main problem with these things as passwords is that once they're compromised they can't be changed. And everything can be hacked.