Don't worry about your iOS passcodes, worry about your credit card PINs. The new chip-and-PIN standard coming to the US puts all responsibility for unauthorized purchases on the cardholder, and this underscores how easy it is for a thief to learn your PIN.

Federal law protects credit card users from unauthorized purchases, and provides lesser protections to debit card users. I can't see how using chip and pin would change anything.

https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards
 
I made a statement about this earlier. It doesn’t seem to have been an issue at all over here in the UK.

Under UK law, are you financially responsible for unauthorized charges to your chip-and-PIN card?

Also, how long has Google Glass been available in the UK?

Federal law protects credit card users from unauthorized purchases, and provides lesser protections to debit card users. I can't see how using chip and pin would change anything.

https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards

Get back to me after you've tried to dispute a PIN-based transaction with your bank. My real-world experience with the Target hack trumps your link to a feckless FTC webpage.
 
There is indeed an exact Jailbreak tweak which does this.

It doesn't matter if you actually record the video. You just play it back and you can read the numbers. Android's "swipe" password is even worse. I catch a glimpse of people using it and 9 times out of 10 they draw a letter. Only it's huge and the bright green lines connect them so you can see it practically across the room. I watched a good friend of mine (his name is Joe) unlock his Android phone with a big J and no matter how short of a time I caught a glimpse, I can't unlearn or forget it.

Face it, character based passwords are finally on their last legs. TouchID is a model for how authentication should move forward. Let those sociopathic German hackers whine all they want, 99.999% of the people have no idea how to lift and print a fingerprint to fool it. And even if they did, you still need physical access to the device for about 30 minutes, assuming you dropped it in front of their lab. For me, if I can't find my phone in a public place for more than 5 minutes, I'm going to notice. If I can't find it in 15 minutes, I'm gonna wipe it with my iPad.
 
“If someone can take a video of you typing on the screen, you lose everything.”

Everything!?!
 
Don't worry about your iOS passcodes, worry about your credit card PINs. The new chip-and-PIN standard coming to the US puts all responsibility for unauthorized purchases on the cardholder, and this underscores how easy it is for a thief to learn your PIN.

It hasn't been a problem in Canada (or any other country I've visited with chip-and-pin enabled) as far as I am aware, and it's significantly harder to duplicate than it is to copy a credit card with magnetic strips. The onus is still on the banks to reject/refund unauthorized purchases (within reasonable limits), or at least that has been the case up here. That being said, I was under the impression that the US was actually getting a system that would be better described as "chip-and-sign"?
 
Such a situation can become impossible to avoid in a crowded place.

Not really. It's called being aware. Of who is around you, who is pointing cameras at you, where your device is.

I go to Disneyland 1-2 times a month. Have at least my iPhone with me. In my front pocket if I'm not using it. And I am constantly aware of who is close enough to me to try to get a hand in my pocket. If I'm forced to walk through a pack of folks my hands go in my pockets to protect my phone and wallet.
 
If you are concerned about password hacking, your best line of defense is to cover your display as you type...

There is a vast amount of work to be done bridging the gap between what security researchers say we should do, and what is actually possible in the real world. Human factors need to be taken into consideration far more than they are.

For example, when was the last time you saw someone covering their hand when typing in a PIN? Nobody does it and the reason is to do with social behaviour. If you cover your hand you are insulting the people around you. People don't like to insult other people without good reason.

PIN codes, passwords, have had their day. Something better is required.

----------

Face it, character based passwords are finally on their last legs. TouchID is a model for how authentication should move forward. Let those sociopathic German hackers whine all they want, 99.999% of the people have no idea how to lift and print a fingerprint to fool it. And even if they did, you still need physical access to the device for about 30 minutes, assuming you dropped it in front of their lab. For me, if I can't find my phone in a public place for more than 5 minutes, I'm going to notice. If I can't find it in 15 minutes, I'm gonna wipe it with my iPad.

I half agree, but disagree. Touch ID is great, but can't last. Once everything is protected by fingerprints there'll be a booming market in fingerprint replication. It'll be far too easy to fool. And the ever present problem - you can't change your fingerprint once it's out there.

We're going to need digital IDs that are disposable. Like a 1Password vault, but at the sniff of trouble, we can ditch it and change our access keys to every service in one go.

The heartbeat thing was a real wake-up. How many people have actually changed ALL of their passwords? I managed 10 before giving up. It's tedious and all the service providers make you jump through a different set of hoops to do it.
 
Don't worry about your iOS passcodes, worry about your credit card PINs. The new chip-and-PIN standard coming to the US puts all responsibility for unauthorized purchases on the cardholder, and this underscores how easy it is for a thief to learn your PIN.

If I'm not protected from unauthorized theft, I will not use credit cards.

I've done this with banks before when they try and charge me monthly fees for using their credit or debit cards. I gave it back to them, closed my account, and went elsewhere.

I have NO problem paying cash if it comes down to it.

----------

Under UK law, are you financially responsible for unauthorized charges to your chip-and-PIN card?

Also, how long has Google Glass been available in the UK?



Get back to me after you've tried to dispute a PIN-based transaction with your bank. My real-world experience with the Target hack trumps your link to a feckless FTC webpage.

PIN based transactions can still be disputed, although it may be slightly more difficult. Luckily, I had a receipt that I was at another location and "checked in" using FourSquare. The bank approved my unauthorized transaction.

Having multiple transactions per day on the same card at different locations can help too, especially if they are near the same time and the distance from one place to another is far enough to not have been at both.
 
Under UK law, are you financially responsible for unauthorized charges to your chip-and-PIN card?

No you are not. In fact, under UK law, even if you buy something on a CC which later turns out to be faulty or fraudulent you can sue the credit company if other avenues fail.

In addition, probably as a consequence, the UK banks are very proactive in spotting and stopping fraudulent transactions on credit cards and debit cards. Automatic blocks are common, especially if you suddenly shop out of character and banks will contact customers if they later spot a suspicious set of transactions.
 
I'm sorry to go a little bit off topic but: What? These desks still exist? They're not only terrible for left handers, but are also a complete mess because of their angle and lack of space.

If only Apple released Touch ID with the iPad Air and iPad mini Retina...
 
I have too many cards between personal, multiple companies, etc. Then there are debit/ATM, FSA, etc. I want them all in my iPhone and locked under Touch ID and my pockets can be virtually empty.

The ideal system is a locked card number, in the phone, but you are presented with random numbers to use for each transaction or barcodes (à la Passbook). Each number or code is good for one time use and it is of no value if it was swiped, stolen etc. No need for PIN codes etc.
 
Random confusion

Great in theory, terrible in practice. Many people can type their passcode without even looking, or at the least very quickly because they know the sequence. If you increase the complexity, more people will opt to not use a passcode at all.

For a pure touch-based visual input method, using a gesture would probably be the hardest for a machine to decipher from more extreme angles and distances. Otherwise Touch ID is the best choice.

I love it when Apple solves problems before they are even problems.

Would be great if you could preselect a random keyboard because my wife just hits the four corners, I don't think she knows what her passcode even is. With a preselected random keyboard she could still hit the four corners and get it correct every time until the keyboard would randomize again.
 
Couldn't these researchers be doing something more worthwhile with their time? I can't see any value in them proving that they can do this kind of thing other than highlighting the possibility of this to would be thieves.

At least Apple is a step ahead of these people with Touch ID.

Umm....Touch ID can still be bypassed: http://techcrunch.com/2013/09/22/hackers-bypass-apples-touch-id-with-lifted-fingerprint/

Granted this is a lot of work for someone to go through, but it proves it's possible, which means someone can probably find a way to do it faster and easier.

The other problem is you still have to have a backup PIN code in case you aren't recognized and that pin code can be bypassed.

Personally, I am glad someone is testing it, because otherwise these vulnerabilities remain without being patched and thieves will exploit them.
 
Umm....Touch ID can still be bypassed: http://techcrunch.com/2013/09/22/hackers-bypass-apples-touch-id-with-lifted-fingerprint/

Granted this is a lot of work for someone to go through, but it proves it's possible, which means someone can probably find a way to do it faster and easier.

The other problem is you still have to have a backup PIN code in case you aren't recognized and that pin code can be bypassed.

Personally, I am glad someone is testing it, because otherwise these vulnerabilities remain without being patched and thieves will exploit them.

Exactly... it's A LOT of work to go through. And they did it in a controlled environment with a purposely placed fingerprint left on a clean glass bottle.

I remember when that story broke last year... but I haven't heard of anyone else attempting it. Or of anyone actually achieving this in the wild.

And after they spend all that time with the superglue, the high-resolution scan, the transparent sheet, the wood glue, the latex, etc... the phone is still locked with a passcode after 5 failed fingerprint attempts.

Yes... the passcode can be bypassed too... but there's not much you can do other than view contacts and photos.

And they can't turn off the passcode without the passcode... nor can they turn off Find My iPhone without the iTunes password.

The phone is still basically unusable... and it might even be remotely wiped once the owner notices it's missing.

That's a huge deterrent to thieves. Why steal an iPhone if they might end up with a bricked iPhone?
 
And it reminds me to use my touchID at all times! :D

Except that a thief/prying person can power down the phone, while locked, and then use your passcode upon restart (Touch ID is not accepted on the first entry after restart). Some authentication is needed to turn off the phone.

----------

There's also one that makes your pin the current time. I think that's even better. A password that changes every minute!

Wait...a password that is the time?! Doesn't everyone know the current time?! It's at the top of the device!!!
 
Except that a thief/prying person can power down the phone, while locked, and then use your passcode upon restart (Touch ID is not accepted on the first entry after restart). Some authentication is needed to turn off the phone.

Except, the goal here is that if you can use Touch ID in public spaces where this particular trick is most likely to work... then they won't have your passcode to unlock the device with.

Plus you can enter the PIN at any time, they don't need to power down the phone to bypass Touch ID. But if you never expose your PIN in public places, then you greatly reduce the chance of them being able to get in before it wipes itself.
 
Wait until Google Glass gets a little fancier.. they'll be stealing a lot more than Passwords.

Inventing something like Touch ID is mandatory unfortunately (or fortunately). Once they develop algorithms they'll be able to track people. If you walk to work everyday, G Glass can pick out what people do. For example, if G Glass picks out a man who always stops at Starbucks at 850am. You know he's not home at that time. You know he's about to make a transaction. He may be on social media at that time. Lots of data, becomes a target for theft.

When normal people have access to AI algorithms, how we operate in the world will have to change. Touch ID is only the beginning.

Um, thieves do that now. They know how many people are in the house, and when they leave. Then they wait for you to disappear. Voila! Free junk to steal, and no pesky people to take a shot at you.
 
Don't worry about your iOS passcodes, worry about your credit card PINs. The new chip-and-PIN standard coming to the US puts all responsibility for unauthorized purchases on the cardholder, and this underscores how easy it is for a thief to learn your PIN.

I'd rather have chip and pin than rely on signatures, now that was an archaic system.
 