I work with biometrics, and I can safely say it doesn't take the Mythbusters to do it.

In fact, I would bet lots of money that it won't even take a week for someone to publish a YouTube video showing how TouchID can be beaten by fake fingers.

And before someone asks, yes, I have beaten capacitive (as well as optical) fingerprint readers before.

Crack it using access to the real finger? Or crack a random sensor without access? How about a video that shows the average street thief how to crack it with less than $5 in materials and before I can track their a$$ down using "Find My Phone"? Remember, they only have 48 hours before the fingerprint expires, and in that time if they turn the device off the print also expires and reverts back to the pass code. What say you to that? I'm honestly curious.
 
Crack it using access to the real finger? Or crack a random sensor without access? How about a video that shows the average street thief how to crack it with less than $5 in materials and before I can track their a$$ down using "Find My Phone"? Remember, they only have 48 hours before the fingerprint expires, and in that time if they turn the device off the print also expires and reverts back to the pass code. What say you to that? I'm honestly curious.

You would be right, of course, assuming the phone was stolen <<before>> the thief stole the password. And in that case, for purposes of protecting the phone, TouchID is quite adequate. In that sense, the 48 hours expiration time / immediate expiration upon turning off / Find my iPhone combination seem like a sensible set of countermeasures. I didn't know about these expiration conditions, by the way, so thanks for the info.

The problem is, I suspect, that thieves will be looking at this from the angle not of stealing the phone, but of using the phone as a means to purchase stuff and get the victim to foot the bill. Quite tricky to do this right now, but as Apple opens the possibility of other businesses using this authentication system, this possibility has to be considered. In such case, the course of action would be to steal the fingerprint in advance (and YES, it does take less than US$5 in material to do it), and then to steal the phone. With the phone and a working fake finger, it would take only a couple of minutes to perpetrate the crime. If the thief then destroys the phone, it could be days before the victim realizes the real theft.

Thanks for being curious. That has always been the best way to solve problems, by Einstein's rationale. In my experience, that's totally applicable to security questions as well.
 
It's definitely better than having no password, but I would venture it's not much more difficult (if more difficult at all) than cracking a 4 digit password. Of course I say this without having actually seen the device, so yes, it could be much more difficult, provided Apple has developed additional security measures not available to current capacitive readers.

Soon enough we'll find out, of course.

Oh, and I totally agree with you about making it easier for people to lock/unlock their phones.

Yeah, I see it as convenience and nothing more. Especially since, as we saw in the demo, you can simply fall back to the original passcode anyway. That means the fingerprint adds ZERO extra security since it is, in essence, optional. But that's OK, if we only care about convenience.

I'm not sure I would enable the fingerprint for buying stuff from iTunes though. While it is probably more secure than a 4-digit passcode, I venture that it could be less secure than my Apple ID password. And since my Apple ID could conceivably be used to buy all kinds of things, including entire Apple computers, I'd probably opt to continue using a strong password before allowing any purchases.
 
Yeah, I see it as convenience and nothing more. Especially since, as we saw in the demo, you can simply fall back to the original passcode anyway. That means the fingerprint adds ZERO extra security since it is, in essence, optional. But that's OK, if we only care about convenience.

You are quite right. However, convenience should not be discounted when using security, as inconvenient security tends to either be worked around, or not used at all.

Two examples:
  1. Anyone who didn't have a password at all now using the scanner. The fallback is a password, yes, but they'd rarely if ever have to enter it.
  2. Anyone who has a weak password could move to having a strong password, as they would rarely have to enter it. Heck it could be a 128 password that is written on a piece of paper and stored at home.

The slightly less measurable form of security is one can safely unlock their phone in public without being concerned with someone observing their password. The other day I was on a bus and watched a guy use a 4 digit code to unlock his phone. I know what that passcode is now. If he had used his thumb that would be unhelpful, except that I'd know I needed his thumb.

And of course, if the fingerprint scanner is determined to be less secure moving forward than a password, one can simply turn the feature back off and revert to their old ways until such time as it becomes more secure.

But yes, adding a second door with a different lock to a system can only make a system less secure, not more :)
 
I'm not sure I would enable the fingerprint for buying stuff from iTunes though. While it is probably more secure than a 4-digit passcode, I venture that it could be less secure than my Apple ID password. And since my Apple ID could conceivably be used to buy all kinds of things, including entire Apple computers, I'd probably opt to continue using a strong password before allowing any purchases.

That sort of theft--buying stuff in the phone owner's name--is precisely what I believe to be the real threat, and also what I tried to convey in the post above yours.
 
You would be right, of course, assuming the phone was stolen <<before>> the thief stole the password. And in that case, for purposes of protecting the phone, TouchID is quite adequate. In that sense, the 48 hours expiration time / immediate expiration upon turning off / Find my iPhone combination seem like a sensible set of countermeasures. I didn't know about these expiration conditions, by the way, so thanks for the info.

The problem is, I suspect, that thieves will be looking at this from the angle not of stealing the phone, but of using the phone as a means to purchase stuff and get the victim to foot the bill. Quite tricky to do this right now, but as Apple opens the possibility of other businesses using this authentication system, this possibility has to be considered. In such case, the course of action would be to steal the fingerprint in advance (and YES, it does take less than US$5 in material to do it), and then to steal the phone. With the phone and a working fake finger, it would take only a couple of minutes to perpetrate the crime. If the thief then destroys the phone, it could be days before the victim realizes the real theft.

Thanks for being curious. That has always been the best way to solve problems, by Einstein's rationale. In my experience, that's totally applicable to security questions as well.

I honestly can't see this being any more of a threat than someone stealing your credit card. In fact I think it's much more secure than carrying cards. In your example the thief has to acquire my fingerprint...A clean print...and then he has to make sure that the print is from the finger I use to authorize purchases. Then he has to take that print and create a fake finger. And even if it cost only $5 in materials, the thief still has to actually make it. Which I'm sure requires at least a little know-how. No?

I'm not worried about it at all. I think that the iPhone 5S will be the phone that really gets the (secure) biometrics ball rolling. And as with any security technology... As it gets better and better, the thieves get better and better right along with it. Just the way it goes.
 
I honestly can't see this being any more of a threat than someone stealing your credit card. In fact I think it's much more secure than carrying cards. In your example the thief has to acquire my fingerprint...A clean print...and then he has to make sure that the print is from the finger I use to authorize purchases. Then he has to take that print and create a fake finger. And even if it cost only $5 in materials, the thief still has to actually make it. Which I'm sure requires at least a little know-how. No?

I'm not worried about it at all. I think that the iPhone 5S will be the phone that really gets the (secure) biometrics ball rolling. And as with any security technology... As it gets better and better, the thieves get better and better right along with it. Just the way it goes.

One thing I've learned working in security: just as important as the level of security offered by the provider/vendor is the perception of security derived by the user (yes, for different reasons, but still).

Is it a low threat? Yes, I believe so. But dismissing it off hand as negligible would be a mistake. Thinking about these threats, on the other hand, helps us to mitigate them, and--as you yourself pointed out--to make the technology more robust.

I also believe that Apple will set the standard and that biometrics will take a quantum leap from now on. Still, I believe this will be the case because fingerprints will become more of a high profile target from now on.

Just as "beating" Apple security will become a standard to be achieved by any hacker/cracker wannabe, from the iPhone 5s's first day on. It will be very rare for someone to actually perpetrate a purchase fraud, but that won't stop (and that was the point of my first post on the subject) dozens of kids from publishing videos on how to make a fake finger that unlocks the phone.

Those videos will be useless per se, but they will be there. And we will be a step closer to overcoming the iPhone 5s security. Of course Apple will counter it. And so it goes.
 
I'm not sure I would enable the fingerprint for buying stuff from iTunes though. While it is probably more secure than a 4-digit passcode, I venture that it could be less secure than my Apple ID password. And since my Apple ID could conceivably be used to buy all kinds of things, including entire Apple computers, I'd probably opt to continue using a strong password before allowing any purchases.

I suppose we'll have to see, but I don't imagine Apple is going to give people access to change your account settings without the strong written password. In which case, the most a thief could do is have it delivered to your door. In the meantime, you hopefully know your phone is stolen and will be getting an email stating your computer purchase is on its way. How dumb can a thief be to show up for that?

I honestly can't see this being any more of a threat than someone stealing your credit card.

The instance I can think of is if phones are easier to steal than wallets. My phone, not so much. In fact you'd have a far easier time sneaking something out of my back pocket than my front ;)

But I would like to see an argument for how current plans for biometrics on the iPhone are any less secure financially than a CC. An iPhone, unless used in a Faraday cage or similar, is going to be trackable the entire time the thief uses it to make purchases they have to show up to your house to claim. At least with a CC I can go buy myself some gas and a hot meal and just "sign" my name at the bottom.

Is it a low threat? Yes, I believe so. But dismissing it off hand as negligible would be a mistake. Thinking about these threats, on the other hand, helps us to mitigate them, and--as you yourself pointed out--to make the technology more robust.

Agreed. There is also a danger in getting caught up worrying about a minor threat, when there is a larger one to deal with. Right now the media would have people believe the fingerprint scanner is the end of all Apple security. I think it will personally make my phone more secure by removing the need to publicly enter my password every time I use my phone.
 
Then join Darren Hayes and sing "I will travel to the moon and back, if you'd be, if you'd be my babyyyy"

A subtle, yet hilarious way to poke fun at a little mistake. unplugme71 must have clued in by now.

At the end of the year, the NASA will say they have collected 900+ million fingerprints and photos globally thanks to the support of Apple and the touch ID and front facetime camera.
 
Yep. I'm just wondering how they'll convince people to stick around to see how it works.

The article shows how a retail employee should walk the customer through the use of the sensor, but in the many times that I've been in an Apple Store, I've rarely ever had an employee walk up to me to see if I needed anything.

I have the opposite. They keep bugging me! I don't need any help, much less 3 employees coming up to me, LOL. And they rarely know the minute details about the computers they sell.
 
You are quite right. However, convenience should not be discounted when using security, as inconvenient security tends to either be worked around, or not used at all.

Two examples:
  1. Anyone who didn't have a password at all now using the scanner. The fallback is a password, yes, but they'd rarely if ever have to enter it.
  2. Anyone who has a weak password could move to having a strong password, as they would rarely have to enter it. Heck it could be a 128 password that is written on a piece of paper and stored at home.

The slightly less measurable form of security is one can safely unlock their phone in public without being concerned with someone observing their password. The other day I was on a bus and watched a guy use a 4 digit code to unlock his phone. I know what that passcode is now. If he had used his thumb that would be unhelpful, except that I'd know I needed his thumb.

And of course, if the fingerprint scanner is determined to be less secure moving forward than a password, one can simply turn the feature back off and revert to their old ways until such time as it becomes more secure.

But yes, adding a second door with a different lock to a system can only make a system less secure, not more :)

I would say adding a second lock on the same door that unlocks both makes it less secure, not more.
 