Biometric phone security is not enough

Until recently, it seemed impossible to fool the fingerprint reader. This is probably why the creators of devices and mobile applications have used such readers as solutions securing access to a smartphone or a mobile banking application. It was thought that this was one of the best ways to secure access to data. This thesis, however, has been refuted, which is why security experts from ESET took a closer look at biometric security and checked whether these are the best security methods.

The effectiveness of biometric security depends strictly on the quality of the scanner and the software that is responsible for the verification process. Just as there are no hundred-percent secure computer systems, the same is not the ideal method of authentication. In the case of fingerprint scanners, it was possible to hear about various possible methods of cheating a given scanner, e.g. by using a finger made of artificial gelatin or silicone. In turn, the imprint itself can be obtained practically from any object that the person held in his hand, but it is not the only method. Jan Krissler presented at one of the CCC conferences the method of fingerprint reproduction based only on the images of the inner side of the person's palm available in the network - he used this technique to reproduce the fingerprints of Ursula von der Leyen, German defense minister.

Securing your fingerprint is not more effective than a password

In contrast to what it might seem, biometric security measures are not reliable, e.g. fingerprints can be stolen from previously taken photographs. An additional threat is the possibility of fingerprint leakage, for example collected by state authorities and services. In the United States, for example, the standard procedure is to collect fingerprints from citizens of other countries aged between 14 and 79 when entering the country. And the FBI stores an estimated 100 million fingerprints, of which over 30 million are fingerprints of ordinary non-criminal people.

In the event of a password being leaked, we can change it to another one. But what if the data representing your fingerprint are leaked? Some time ago, researchers found the vulnerability then occurring, among others on Samsung Galaxy S5 phones, by means of which they were able to capture the data representing the fingerprint and use it for authorization. However, so far, this is only an example of a theoretical attack that can only happen when there are many specific circumstances, so I would not be paranoid - comments Kamil Sadkowski, a threat analyst from ESET.

The fingerprint can be copied

In 2013, Apple initiated the process of incorporating biometric security into mobile devices. This feature was designed to provide protection when shopping in iTunes and the App Store, eliminating the need for a password. However, as presented a year later at the CCC conference, the fingerprint can be reproduced from the photo and this method of protection turned out to be no longer as effective as it initially seemed.

In addition, in 2016, the biometric company Vkansee showed another way to copy fingerprints . This time, Play-Doh was used for this purpose, thanks to which you can confuse the readers to identify the cake imprint as real. The company itself said, however, that this process is quite complicated and unlikely. Nevertheless, this is another proof of the thesis that the fingerprint can be copied.

Will the fingerprint replace the password in the future?

Given that fingerprints can be stolen, copied and used, it is still a long way to use only fingerprint readers and give up completely the use of passwords. Experts from ESET recommend connecting the password with additional security.



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.