Touch ID is the best choice.

The biometric approach (TouchID) is a better idea.

Touch ID is great

Now that's fascinating!

For years there has been an outcry _not_ to use biometric authentication, for a fear of attackers mutilating their victims (in every discussion sooner or later someone would refer to the prison escape in "Demolition Man"). And suddenly the biometric approach is seen as the best possible option (yet) :eek:

Next we'll see Retina scans (pun not intended) becoming an accepted option for unlocking a device - eyetracking technology is already mainstream.

And in the future TouchID gets developed further to verify user identity by real-time DNA analysis (finally the ever-sweating cliché nerd has a true advantage over normal users... :D

(...looking forward to my next iPhone having TouchID... ;))
 
Looking over a nearby person's shoulder is a common technique used to steal a PIN code for a device that is targeted for imminent theft.

A research team from the University of Massachusetts Lowell has taken this shoulder surfing trick to a whole new level by increasing the working distance and automating the process using Google Glass and other similar camera-equipped, mobile products.

Duh. I love how new technology somehow means something you can do with it is somehow a new and innovative thing, or danger in this case. In the old pre-smartphone days, shoulder surfing was often accomplished with a video camera. All this does is replace the video camera with a smaller one; something that smartphones, spy pens, etc. already allowed.

A bigger danger is someone shoulder surfing login details for banks, credit card accounts, etc; especially since most apps show your User ID in clear text, the password in clear one letter at a time, and the iPhone conveniently provides a large key symbol on screen for each key you enter.

Touch ID has the potential to eliminate such issues once you can store password and user ID data on the iPhone and enter it securely with the Touch ID.

----------

Umm....Touch ID can still be bypassed: http://techcrunch.com/2013/09/22/hackers-bypass-apples-touch-id-with-lifted-fingerprint/

Granted this is a lot of work for someone to go through, but it proves it's possible, which means someone can probably find a way to do it faster and easier.

Sure, any security system can be bypassed with enough time, money, and expertise. The real point of them is to make stealing your device harder than stealing someone else's. Most crooks are going for the quick and easy money; at least at the average street crime level. They know one thing, steal iPhone and sell to my fence. If the phone can't be resold easily the street value falls and they move on to stealing something else.
 
Now that's fascinating!

For years there has been an outcry _not_ to use biometric authentication, for a fear of attackers mutilating their victims (in every discussion sooner or later someone would refer to the prison escape in "Demolition Man"). And suddenly the biometric approach is seen as the best possible option (yet) :eek:

Next we'll see Retina scans (pun not intended) becoming an accepted option for unlocking a device - eyetracking technology is already mainstream.

And in the future TouchID gets developed further to verify user identity by real-time DNA analysis (finally the ever-sweating cliché nerd has a true advantage over normal users... :D

(...looking forward to my next iPhone having TouchID... ;))

Unfortunately there's not much of a choice with all the hacking going on all the time. Either you use biometrics or you leave the system altogether. You can still choose to opt-out, but you'll either A.) Get your identity and monies stolen or B.) Not do anything online and be marginalized to the fringe of society. I saw some report by some branch of the US government last year that essentially said that people who don't use social media should be regarded as suspicious or potentially dangerous individuals. So yeah, that's fantastic (I only kind of use Twitter). What's funny is all this biometric stuff will get hacked too, but we'll still be required to use it. Just like we're supposed to create complex passwords with two-step authentication and all this stuff and hackers still get into servers and steal personal info.
 
I'd rather have chip and pin than rely on signatures, now that was an archaic system.

In theory, I don't disagree with you.

In reality, I have different rights w/r/t unauthorized charges with a US bank depending on whether I sign for a transaction vs. punching in a PIN. As I mentioned a few posts earlier, I have personal experience with this from the Target hack last winter.
 
As I mentioned a few posts earlier, I have personal experience with this from the Target hack last winter.
You keep saying this. Are you saying your bank didn't make reparations on the largest, most publicized identity theft case in US history?

From your posts so far, it sounds like your problem is a crappy bank, rather than the system as a whole. Maybe you should shop around. My bank follows that FTC ruling to the letter. Lost card = $50 liability. Not lost card = $0 liability. Etc.
 
Great in theory, terrible in practice. Many people can type their passcode without even looking, or at the least very quickly because they know the sequence. If you increase the complexity, more people will opt to not use a passcode at all.

For a pure touch-based visual input method, using a gesture would probably be the hardest for a machine to decipher from more extreme angles and distances. Otherwise Touch ID is the best choice.

I love it when Apple solves problems before they are even problems.

Reading a gesture-based 'passcode' would be no harder than reading a keyed-entry passcode. In both cases, the relative position of the finger on the screen can be recorded and analyzed.
 
Umm....Touch ID can still be bypassed: http://techcrunch.com/2013/09/22/hackers-bypass-apples-touch-id-with-lifted-fingerprint/

Granted this is a lot of work for someone to go through, but it proves it's possible, which means someone can probably find a way to do it faster and easier.

The other problem is you still have to have a backup PIN code in case you aren't recognized and that pin code can be bypassed.

Personally, I am glad someone is testing it, because otherwise these vulnerabilities remain without being patched and thieves will exploit them.

Just for the record, the process described there *is* the 'fast, easy way' to do it.

----------

Now that's fascinating!

For years there has been an outcry _not_ to use biometric authentication, for a fear of attackers mutilating their victims (in every discussion sooner or later someone would refer to the prison escape in "Demolition Man"). And suddenly the biometric approach is seen as the best possible option (yet) :eek:

Next we'll see Retina scans (pun not intended) becoming an accepted option for unlocking a device - eyetracking technology is already mainstream.

And in the future TouchID gets developed further to verify user identity by real-time DNA analysis (finally the ever-sweating cliché nerd has a true advantage over normal users... :D

(...looking forward to my next iPhone having TouchID... ;))

Biometrics have their pros and cons. The cons relate to the inability to revoke a biometric 'password' if it is compromised, because it's part of who you are. Regardless, they are better than the typical 4-digit PIN setups used by most people who even bother to lock their phones at all. In addition, it is faster and easier than the 8+ character long pass codes recommended for security purposes. Those long pass codes can still be used where required. As such, it ends up being a pretty good compromise, creating a more secure low-end, without unduly impacting the high-end.

For a genuine, must-be-secure scenario, as opposed to a keep-out-the-curious scenario, biometrics are only useful as Identification, not Authentication.
 
Am I the only blue collar guy who can not get touch id to work reliably?

My hands are kinda rough, especially my fingers.
If my fingers are not real clean or have rough places from my work, touch id doesn't work.

I have redone my thumbs repeatedly over time and only works for a short while.

I have given up on touch id and don't see it being deployed for other uses like for credit cards.
Only seems to be reliable for white collar people, retired & students.

Or am I 'holding it wrong'?
 
Randomizing the layout of the keypad for PIN entry is a great idea.

So each time you want to unlock your device, you'll spend three times as long looking for the keys? Touch ID is successful because it makes things faster, a security solution that makes things slower won't be adopted. You could always enable an alphanumeric passcode where the keys are much closer together, making it much harder to figure out like this. But that also takes more time and accuracy.
 
You keep saying this. Are you saying your bank didn't make reparations on the largest, most publicized identity theft case in US history?

I'm saying my bank made it extremely difficult to challenge an unauthorized transaction that was PIN based, yes. Someone had my card and knew my PIN, it had to be me, right?

They didn't figure out that the Target hack was the source until later. If you'll remember, there was quite the lag between getting them hacked and publicly admitting they were hacked.

When it happens to you, you'll sing a different tune, I'm sure.

And, yes, I have a crappy bank, like most banks.
 
Biometrics have their pros and cons. The cons relate to the inability to revoke a biometric 'password' if it is compromised, because it's part of who you are. Regardless, they are better than the typical 4-digit PIN setups used by most people who even bother to lock their phones at all.

And don't forget... biometrics like TouchID also require a 4-digit PIN or longer password.

So even if the bad guys get your fingerprint... they won't have your PIN.

But if they do get your PIN from shoulder surfing or whatever... they still won't have your iTunes password to turn off Activation Lock.

It's a multi-pronged approach... and apparently it's enough to discourage thieves from stealing iPhones anymore.

A stolen iPhone will most likely become a worthless brick anyway... so why bother? Let them steal Android phones instead :)
 
Reading a gesture-based 'passcode' would be no harder than reading a keyed-entry passcode. In both cases, the relative position of the finger on the screen can be recorded and analyzed.

I thought it would be more difficult because "the shadows from finger taps" are what is used to predict the code. I suppose you could write new code to detect that but I think, especially from more extreme angles/distance, movement in two axes would be more difficult for a computer to discern than movement in three axes because there is less overall movement?
 
I'm saying my bank made it extremely difficult to challenge an unauthorized transaction that was PIN based, yes. Someone had my card and knew my PIN, it had to be me, right?

They didn't figure out that the Target hack was the source until later. If you'll remember, there was quite the lag between getting them hacked and publicly admitting they were hacked.

When it happens to you, you'll sing a different tune, I'm sure.

And, yes, I have a crappy bank, like most banks.
Which bank? I doubt very much I would have the same experience with mine.
 
Low tech solution for PIN snoops

If you were really concerned about this type of exploit, or if you wanted to trick the Google Glass for demonstration purposes, you could mix in (by pretending to tap) fake numbers with the real pin. Can I patent that idea? :D
 
mw360 in context said:
Touch ID is great, but can't last.

mw360 out of context said:
Touch ID is great

Now that's fascinating!

For years there has been an outcry _not_ to use biometric authentication, for a fear of attackers mutilating their victims (in every discussion sooner or later someone would refer to the prison escape in "Demolition Man"). And suddenly the biometric approach is seen as the best possible option (yet)

I guess you were just desperate to make your point

:rolleyes:
 
So what?

I get that this is potentially a problem... but so what with regards to phones? The villain would still need to have your phone and the unlock code. What good is one without the other?

The only real problem would be when you swipe a card physically and there is some sort of camera to record the PIN, such as at a gas station or retail establishment. And then they would have to clone your card. Even there you have to be smart and not enter your PIN without covering the keypad. Plus new cards (and all in Europe) have smart chips that cannot be cloned (at least to my knowledge).

But as far as the phone goes, I just do not see the big problem. So you see my PIN. Woohoo!!
 
I get that this is potentially a problem... but so what with regards to phones? The villain would still need to have your phone and the unlock code. What good is one without the other?

The only real problem would be when you swipe a card physically and there is some sort of camera to record the PIN, such as at a gas station or retail establishment. And then they would have to clone your card. Even there you have to be smart and not enter your PIN without covering the keypad. Plus new cards (and all in Europe) have smart chips that cannot be cloned (at least to my knowledge).

But as far as the phone goes, I just do not see the big problem. So you see my PIN. Woohoo!!
You seem good at identifying steps a criminal would take. Isn't "mugging you around the corner" a pretty obvious final step that answers your question? Perhaps pickpocket instead.
 
I thought it would be more difficult because "the shadows from finger taps" are what is used to predict the code. I suppose you could write new code to detect that but I think, especially from more extreme angles/distance, movement in two axes would be more difficult for a computer to discern than movement in three axes because there is less overall movement?

It may be more difficult to map the movements quite so precisely, but they also wouldn't *need* to map the movements so precisely. Every 'path' based lock I've seen resolves on a grid that is only 3x3 - 4x4. Not only are there fewer possible positions, the positions are significantly larger than the buttons on the on screen keyboard.

Of course, I've also had to explain to a number of people that if they don't wipe off their screen when they're done unlocking it, just about anyone who picked up their phone could unlock it on the first attempt, simply by following the grease pattern left by the process.
 