Saturday, February 3, 2018

Your Own Fingerprint could be your Enemy


Imagine you are sipping cold coffee and enjoying the view outside your room, when you receive a message on your smartphone that you have spent 5 million rupees at a shopping mall in Dubai. After the initial shock when you enquire about the transaction, you are shocked to know that you have swiped your fingerprint and approved the transaction.

Well, don’t look at me in this manner and neither dismiss this as a wild fantasy. This is neither a fantasy nor a scene from an upcoming movie.

If you would like to know how this will happen, read ahead.

Fingerprint – Just a bitmap Image!!!

With the introduction of the finger print scanner on iPhone, it became natural for other smartphone manufacturers to follow suit. The market was flooded with fingerprint scanners on smartphones.

To understand the weakness which can be exploited, you need to understand the basics of how a fingerprint is stored in a smartphone.

Most smartphones store fingerprint images in an unencrypted, readable-by-any-app .bmp file — just as a common bitmap picture. Any software, which has access to user’s pictures and Internet, could steal them. Android Authority published an extremely informative article on the types of finger print scanners and the way they scan them.

Many smartphones have poorly protected sensors, which let malware get the pictures right from the fingerprint scanners. 

Aadhaar based Authentication

An article in The Economic Times reported that the government is planning to replace all PIN and Passwords with Aadhaar based authentication using fingerprints. It was also reported sometime back that PIN may be supplemented with fingerprints or only fingerprints in case of debit card transactions.

We need to understand that fingerprint although in theory may sound fool proof, however it can be one of the easiest to hack and misuse.

Consider this case – Your fingerprint from your phone is stolen. Aadhaar number can be easily retrieved from the thousands of places where you submit it as a residence or photo id proof. With this combination a hacker can do multiple transactions in one go and you would not be able to stop it as you can change your passwords but not your fingerprint.

Critics may argue that the fingerprints stored in Aadhaar database is in a different format from that stored in your smartphone. The card based transaction which Niti Aayog has proposed is also considering the use of IRIS scanner. While I may not like to counter this without proper artifacts, I would like to point out at this point of time, that fingerprints and IRIS scanners deployed in smartphones would not offer the kind of security, which custom designed devices at military establishments do.

The Misuse

1. The bitmap image can be easily extracted and a print of that image can be misused in multiple ways.

2. There are multiple malicious apps which copy the bitmap file and may send the file to a remote server.

3. You can change your password, but not your fingerprints.

4. The government already has your set of fingerprints via Aadhaar and you’re being asked to use the same as your password. The consequences can be disastrous if the Big Brother decides to misuse it.

5. The fingerprints may be used in terrorist activities and you may held accountable simply because your fingerprints were found at that place.

The False Truth

When you hear that a fingerprint is not a password, and owners cannot share it with other people, forget or eventually show to others — don’t believe it. This year researchers demonstrated how easy it is to steal a fingerprint — remotely, even without a face-to-face contact. One can do it with a quality photo of victim’s fingers. An SLR camera with a good zooming lens or even a magazine photo printed in high resolution are enough. By the way, the same method can be used to fake an iris.

When your password leaks, you can change it in a few minutes, but you have to live with your fingerprints for the rest of your life. What if they are stolen? This is why you should not fully believe marketing promises of popular vendors.

Follow these Rules

1.  Despite vendors promises, don’t use your fingerprint scanner to authenticate to Paytm and other financial services. This is not safe. Now the phone is in your hands, tomorrow it’s stolen. A thief can easily copy your fingerprints right from the phone surface and use a case to buy something. Compromising passwords is harder — but only if you use them correctly.

2. Usually people choose the index finger or a thumb as their biometric login. It’s convenient, but not right, because these are the fingers we use the most when working with a phone. That’s why it’s quite possible to find an intact print of these fingers on any phone and make a fake case to break your protection — especially as there are a lot of manuals on the Internet. So it’s better to use the little and the ring fingers on the left hand for right-handers and vice versa.

3.  A fingerprint scanner is not enough to protect your personal data. If you care about privacy, consider using a special app. For example, Kaspersky Internet Security for Android has built-in Anti-Theft and Personal Contacts functions. They can help you track a stolen phone, remotely wipe all data from the device or hide your text message history and contact list from a beady eye.

Conclusion

A fingerprint scanner is a great innovation, which is more useful, than harmful. But don’t rely only on it too much — use the new technology wisely and don’t neglect passwords, two-factor authentication and other security measures.

No comments: