Search This Blog

Saturday, 14 November 2015

Why I'm Not a Fan of Smartphones With Fingerprint Scanners

The smartphone has become a must-have item for most people now, from entry-level Android phones to high-end iPhones that can cost close to a lakh. But these devices have gone from basic calling and texting devices, to storehouses for a lot of important personal and even financial information. Right now, you are using virtual wallets to recharge your mobile phone balance, but soon, it could replace your credit or debit card when shopping. But how do you keep this sensitive information safe?
So far, we've had to rely on passwords, PIN codes, patterns or knock-codes. These are all still persistent but they're a single layer of security that can be beaten with a little guesswork, or some social engineering. That's where fingerprint sensors come into the picture - Apple took the lead but plenty ofAndroid phones including ones from HTC and Samsung also feature this technology now. The use of fingerprint sensing technology has taken off in mobiles because it allows convenient yet reliable safety of our data.
oppo_back_fingerprint_ndtv.jpg
That's the idea but the reality is a little different. When a phone that supports fingerprint sensor is turned on, it initially asks the user to input the fingerprint data so that his phone becomes secured. The sensors trace the fingerprint and store it in the local storage of the phone. While Apple's phones did a better job of securing fingerprints, neither is completely secure.
In fact, in Android phones, the fingerprints are stored as unencrypted files in the local storage and are thus easily readable through sequenced codes of alphabets. With that in mind, your phone might actually be a lot less secure than you imagine. For example, mobile manufacturers created a secured platform to encrypt the fingerprint data known as TrustZone but that too got breached in the high-end smartphones of HTC and Samsung.
samsung_fingerprint.jpg
Researchers at a Blackhat hacking conference stated the security problems that phones faced:
Confusions in the scanner authorisation processes that could let hackers install malware and bypass payment services fingerprint security features
Trust zone design flaws in the fingerprint sensor that allow spying attacks to remotely harvest users' fingerprints
Pre-embedded fingerprint backdoors that can be used to hijack mobile payments protected by fingerprints and collect data on the smartphone's user.
In other words, we can assume that our fingerprints aren't really secure. But if that's the case, then aren't they actually worse than passwords? After all, we're repeatedly advised to regularly change our passwords and PIN codes, and never to use the same password for multiple devices or accounts. In the case of a fingerprint sensor, there's a lot less you can do to ensure variability. Once your fingerprint data is out there, your security is compromised across all devices at all times.
Apple and Google might bring in more features to add security but the possibility of breaching this security still remains. Unless you can achieve "perfect security" for the fingerprints, they're not really a good solution. Fingerprints can't be changed by the user to protect his data. The same fingerprints will unlock your phone, and your office computer, and any other point where biometrics are used.
touchid_apple_screenshot.jpg
And this means that it's all as secure as the least secure thing you are using - if one device gets hacked, all your devices have your locks unlocked. That old cellphone you used to have is going to be a storehouse of your private data, including a passcode to every single device you own or work with. You can't choose your fingerprint, so what are you supposed to do about it?
When you consider that governments around the world are also starting to use biometric records of citizens for purposes like visa verification, this becomes even more serious. For one thing, there's little data on how the government will secure this information. At the same time, if an old phone could unlock your fingerprint, it could be misused for identity theft - when your finger is your key through passport control, do you really want your phone to have the same "password"?

No comments: