How secure is your face? The worrying world of biometrics

By Oliver Smith 2 March 2017
Summary

Fingerprints, faces, and voices have never been less secure.

The latest smartphones all boast biometric security – voice recognition, fingerprint scanning and facial recognition – promising to keep you safe.

Photos, emails, messages, Facebook, WhatsApp and, maybe most importantly, the banking apps through which we control our financial lives, are all behind a wall of biometric security.

But rather than making you safer, it turns out using these technologies actually leaves you more vulnerable than relying on good old-fashioned passwords. 

This week at Mobile World Congress in Barcelona, security consultancy NCC Group showed The Memo just how easy it is to quickly crack these security features on one of the latest Android smartphones.

By finger, face or voice

Since 2013 our fingerprints have become the No.1 form of biometric security, starting from when Apple introduced Touch ID on the iPhone 5S.

“We have so much of our personal life on these devices…and they’re with us everywhere we have to go, we have to protect them,” said Apple VP of marketing Phil Schiller at the time.

Sadly fingerprint scanners are easily fooled. With a scan of my fingerprint NCC Group research director Matt Lewis showed me how he could imprint this fingerprint in PVA glue (yes, just like the stuff you used at school) and use this mould to fool any scanner.

“It’s just a thin veneer, if you place this over a live finger the ‘liveness’ of the finger and its pulse will come through. We’ve looked at all the latest fingerprint scanners, and this technique works every time.”

Most smartphones, once you’ve entered your fingerprint, give you nearly universal access to all the apps and data they hold.

But how would a criminal get such a fingerprint scan?

Broken security

Ironically the best place is by simply taking a photo of a smartphone’s glass home screen, where we leave dozens of visible fingerprints every day.

There are other examples of security researchers lifting fingerprints from high resolution photographs of people’s hands, including those of Germany’s defence minister.

Lewis also showed how a 3D-printed mask of someone’s face, made from an ordinary photo, could be created to fool facial recognition.

“What we’ve come up with is a relatively simple technique to take a regular 2D photograph from my Facebook profile, send to a company who 3D render the image, add depth mapping, and print it as a mask for $200,” he told The Memo.

Finally voice recognition remains the least secure of all biometric security, with recordings of people’s voices easily stitched together to repeat whatever ‘pass phrase’ has been set on their smartphone.

Lewis showed how, even in the hustle and bustle of Mobile World Congress, a recording of his voice was enough to bypass the voice recognition of one of the latest Android smartphones.

None of his demonstrations worked flawlessly first time; all required a few tries, but all three were successful, leaving the smartphone open and unlocked for anyone.

There’s another huge growing danger around biometric security. Even as we grow more reliant on it, biometrics are actually becoming less secure.

The danger of biometrics

There are over 200,000 photos uploaded to Facebook every 60 seconds, along with millions of hours of video.

Because of this it’s likely that the fingerprint, face and voice profiles of millions of people are already compromised, to the point where they can easily be found and copied. For celebrities and politicians the problem is even worse, as they’ve never been more photographed and recorded by the media.

What does putting all of this biometric data on social networks, and in the media, mean for you and me?

“You have certainly put yourself at risk in a world where biometrics are becoming more and more pervasive,” says Lewis.

The saving grace for most people, he says, is that they are not targets, but this isn’t the case for many politicians, business leaders and celebrities. That’s why NCC Group recommends that some of the business leaders in the companies it advises avoid biometric ‘protections’ entirely.

Instead, the experts recommend using security with as many biometrics as possible, along with a strong password.

“Sadly this isn’t available on most smartphones today, but it would make life incredibly hard for an attacker.”

Far from being the future of smartphone security that Apple’s Phil Schiller promised, today it’s never seemed more likely that for real digital security, biometrics just aren’t the answer.