Fingerprint sensors have made life easier for smartphone users. With today’s technology, it’s easy to shop for groceries, pay bills, transfer money to a bank, or book a flight to a destination — all with the press of a finger.
But this convenience comes with a price. Researchers from New York University (NYU) and Michigan State University warned that the same technology that has made our lives easier is now threatening our security. The reason? The fingerprint scanner won’t always protect users from cybercriminals.
The warning rests on computer simulations, which showed that fake fingerprints can fool smartphones. Researchers said this held in 65% of cases when they used artificial prints that matched real fingerprints.
Fingerprints can be stolen
Fingerprints are formed in the womb and are unique for every individual. Unlike passwords or personal identification numbers (PINs), however, fingerprints can’t be changed when stolen. This paves the way for a lifetime of risks, especially if you rely on them to lock your smartphone.
To better understand what makes fingerprint scanners vulnerable to hacks, you have to know how they work. Tom Harris of How Stuff Works said the scanning process begins as soon as you place your finger on a glass plate and a camera snaps a picture.
Using its own light source composed of light-emitting diodes, the scanner illuminates the finger for the camera to create an inverted image. If the image is too bright or too dark, the scanner produces a better image by adjusting exposure time.
Other scanners work differently. Instead of light, capacitive fingerprint scanners use electrical current to create an image of the fingerprint. Ultrasonic scanners, by contrast, transmit an ultrasonic pulse to capture details of the fingerprint, creating a 3D image that is difficult to forge. This makes ultrasonic scanners more secure.
Partial fingerprints can be copied
While full human fingerprints are difficult to copy, researchers said that smartphone scanners are small and read only partial fingerprints. To enable fingerprint security on your phone, the scanner needs 8 to 10 images of a finger to make a match. But many smartphone users record more than one finger, such as the thumb and forefinger of each hand.
Since a finger swipe has to match only one image to unlock the phone, recording more images makes the system vulnerable to false matches. Nasir Memon, one of the researchers whose study was published in IEEE Transactions on Information Forensics and Security, said this is like having 30 passwords on a phone and a cybercriminal only has to guess one to break into the device.
Memon added that it’s also possible to fool the fingerprint scanner by creating artificial fingerprints. This could help the criminal get into 40 to 50% of iPhones within the five tries allowed before a PIN is required.
Scanners are not dependable
Apple spokesman Ryan James said the chance of a false match in the iPhone’s fingerprint system was 1 in 50,000 with one fingerprint enrolled. However, the actual risk is difficult to quantify since many people rely on more than one finger to keep their phones safe. Even phone makers themselves admit that fingerprint sensors aren’t dependable.
To remedy the problem, companies that rely on fingerprint security are turning to anti-spoofing techniques to detect a real finger versus the false fingertips that can be created by hackers.
Dr. Chris Boehnen, manager of the federal government’s Odin program, said another solution is to use a larger fingerprint sensor. While those preventive measures are still being studied, he urged users to turn off fingerprint authentication, especially when making mobile payments.
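The arithmetic behind Memon's "30 passwords" comparison and Apple's 1 in 50,000 figure can be worked through in a few lines. This Python sketch is an added illustration, not code from the researchers or Apple; it assumes each comparison against a stored print is an independent trial at the quoted rate, and the function names and the print counts 1, 2, 5 and 30 are chosen here for illustration.

```python
import math

# Added illustration, not from the researchers or Apple. Assumes every
# comparison against a stored print is an independent trial with the same
# false match rate (FMR), which holds only for random, non-crafted prints.
APPLE_FMR = 1 / 50_000   # figure quoted in the article, one finger enrolled
MAX_TRIES = 5            # tries allowed before a PIN is required (article)


def device_false_accept(fmr: float, stored_prints: int, tries: int = MAX_TRIES) -> float:
    """Chance that at least one of `tries` touches matches any stored print."""
    if not 0.0 <= fmr < 1.0 or stored_prints < 1 or tries < 1:
        raise ValueError("need 0 <= fmr < 1 and positive counts")
    comparisons = stored_prints * tries
    # 1 - (1 - fmr)**comparisons, computed stably for very small fmr
    return -math.expm1(comparisons * math.log1p(-fmr))


def required_fmr(target: float, stored_prints: int, tries: int = MAX_TRIES) -> float:
    """Per-comparison FMR needed to keep the device-level rate at `target`."""
    if not 0.0 < target < 1.0 or stored_prints < 1 or tries < 1:
        raise ValueError("need 0 < target < 1 and positive counts")
    return -math.expm1(math.log1p(-target) / (stored_prints * tries))


def report(fmr: float = APPLE_FMR) -> list[tuple[int, float]]:
    """Device-level false accept rate for 1, 2, 5 and 30 stored prints."""
    return [(n, device_false_accept(fmr, n)) for n in (1, 2, 5, 30)]


if __name__ == "__main__":
    for n, p in report():
        print(f"{n:>2} stored prints, {MAX_TRIES} tries: about 1 in {1 / p:,.0f}")
    # Per-comparison FMR that 30 stored prints would need so that five tries
    # together stay at the single-print, single-try figure.
    print(f"required FMR for 30 prints: 1 in {1 / required_fmr(APPLE_FMR, 30):,.0f}")
```

These figures describe random prints only; the artificial prints in the study did far better, as the 65% figure above shows.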