"a glove with five different fingerprints that could get into around half of iPhones"


#1

Researchers were able to bypass fingerprint readers, which are used to unlock phones, log in to apps and make payments, using fake fingerprints created by using patterns found across many real prints.

The findings from New York University and Michigan State University call into question the security of the widely-used technology. The researchers were able to create a set of “master prints that could fool a scanner up to 65 per cent of the time.


MasterCard Adds Fingerprint Sensors to Payment Cards
(Alex Sherwood) #2

In case anyone’s in the mood for guessing how insecure fingerprint protection on the Monzo app is / isn’t (spoiler - it’s being used as a privacy, not a security feature), this has been discussed here -


(Rika Raybould) #3

Although the researchers said they had only tested their findings in computer simulations, rather than on real smartphones

:disappointed:


(James Billingham) #4

Touch ID is used for serious authentication - it represents your PIN etc


(Alex Sherwood) #5

I’m aware of that :slight_smile:


(Dan) #6

This is super clickbaity. The quote is “one could create a glove” the title implies a glove is already created.

And like @RichardR mentions, it was all simulation anyway.


#7

Everyone is well aware that fingerprint authentication is insecure when compared to passwords. For example, you don’t leave your password on every surface you touch, do you?

Most security experts recommend using fingerprints as usernames instead of passwords, but this advice isn’t normally followed.

As far as I can tell, in the Monzo app, the fingerprint authentication isn’t used to protect anything critical. The pin is there for that.


(James Billingham) #8

The fingerprint allows you to view the PIN :stuck_out_tongue:


#9

Wait what? Really? Damn that needs to be changed. Wow. @alexs could you forward this?


(Alex Sherwood) #10

Unfortunately I don’t have any special forwarding ability but I’ll flag the post to make sure that someone from the team sees it.

Obviously the team are aware of that functionality already & users who have concerns about it have the option to disable it.

So this isn’t a concern for me personally, although I’m learning from the discussion in this community that I seem to have a relatively high tolerance for risk :slight_smile:


#11

Aha, maybe.

Well it seems to me that if the fingerprint allows you to view the pin, and the pin lets you do all kinds of crazy stuff, then there’s no point for the pin.

Another way to get the pin is to send a support request with the user ID (available in top-up page) and the DOB (not really highly secure information).

And giving users the option to decide which security features they want doesn’t sound like a good idea lol :stuck_out_tongue_closed_eyes:. Makes them lean towards convenience instead of security.


(Alex Sherwood) #12

Just to clarify, I’m 99% sure that @billinghamj was talking about the PIN for your Monzo card, not your phone’s passcode.

That’s why you don’t give them options for anything that’s there to protect something that’s actually high risk :wink: & as I mentioned, from the posts I’ve seen it looks like users tend to lean towards security not convenience, no matter how low the risk is…


#13

Yep, obviously. :stuck_out_tongue_closed_eyes: There’s no way for the Monzo app to grab the phone’s pin other than maybe phish it off them. :joy:

And aha, well I’d say the pin is quite sensitive. It pretty much lets you do anything.

EDIT: And well, the kinda people that are here aren’t really a reliable representation of normal users. :stuck_out_tongue_closed_eyes:


(Cal Dempsey) #14

Wow, I just came on the forum to share this link as a down-the-road idea, maybe not so good an idea haha http://engt.co/2pEOJtV


MasterCard Adds Fingerprint Sensors to Payment Cards
#15

@caldem Ahahahahha is someone maybe forgetting that the cards themselves are almost definitely covered all over with the user’s fingerprints? :joy:


MasterCard Adds Fingerprint Sensors to Payment Cards