Eye and Voice Logins Compromised
Two biometric security measures have come into question after reporters and researchers claimed to have overcome them. A phone's iris recognition and a bank's voice log-in both appear to be less than perfectly secure.
The Samsung Galaxy S8 - arguably the most high-profile and hyped phone currently running the Android system - includes an option to unlock the phone by simply looking at the camera. In a similar way to fingerprint recognition, it works on the idea that the patterns in the eye's iris are unique. Samsung described these patterns as "virtually impossible to replicate."
Contact Lens and Color Printer Aid Attack
However, an organization of "ethical hackers" known as the Chaos Computer Club says it was able to defeat the security measure in a remarkably simple way: using a photograph of the phone owner's eye with a contact lens placed above it to make it appear three-dimensional.
While it is possible in theory to use a photo the person has uploaded to a social media page, the group says the easiest way is to take a photo of the person with a digital camera that has either a night-shot mode switched on or the infrared filter switched off. The photo worked when taken from five meters away, so it could viably be taken without the phone owner's knowledge. Ironically, the group found it got the best results by printing the image out on a Samsung color laser printer. (Source: ccc.de)
Twin Brother Pulls Off Voice Trick
Meanwhile, a BBC report tested security at HSBC bank, which offers customers the option of authenticating themselves for telephone banking using only their voice, rather than needing a PIN code or password. The customer records the phrase "my voice is my password" and repeats it on future calls, with HSBC saying a voice has 100 different measurable characteristics.
The reporter's non-identical twin brother was able to access the account by imitating the reporter's voice. It took him eight attempts to do so, which in turn raises questions about whether users are allowed too many failed attempts before being locked out. (Source: bbc.co.uk)
The good news is that the system doesn't allow users to withdraw money with the voice command. However, they can access balance and transaction information and move money between accounts belonging to the same person. That could prove extremely useful for would-be fraudsters or people looking to cause disruption.
What's Your Opinion?
Are you surprised the identification measures had these flaws? Are these realistic attack methods or is it more of a theoretical concern? Do you use any biometric logins and do you believe they are more secure than traditional passwords and PINs?

Comments
Fingerprint logins
I have been using fingerprint logins for my Windows machines for many years and it is extremely convenient as well as being very secure. Not only can I unlock a Windows PC with my fingerprint, I can also use my fingerprint scanner to log in to websites using my password manager, Roboform. I suspect a fingerprint would be a lot harder to pull off in terms of long distance hacking compared to a photo of an iris or a voice recording.
Someone is watching too many movies..
Did the bank security guy who wanted everyone to use the phrase "My voice is my password" just get done watching the movie Sneakers?
Problem with biometrics
The main problem with these things as passwords is that once they're compromised they can't be changed. And everything can be hacked.