And why does Apple develop specialized hardware like the "Secure Enclave", if 100% foolproof is not a target for Apple?
Because they don't care about the strawman argument that Touch ID has to be 100% foolproof. That's just a double standard created to dismiss it.
 
Great! Not only does my iPhone 6+ bend, but it can also be hacked into by all the forensic scientists out there. Thanks a lot Apple.
FYI, I'm pretty sure your 6+ will blend, too. So better stay away from those Blendtec brand Blenders.
 
Or they could just force your finger onto the Touch ID sensor...

Yes, I agree with you, though it's maybe provable and illegal and they don't like that, but most of all it's crass and low-level espionage because it lets you know they were in your iPhone.
 
Well, in a way it has been fixed by that pulled 8.0.1 update: Touch ID stopped working on iPhone 6. :D
 
In other words, few people if any might ever be affected by this. You have a better chance of being struck by lightning while being eaten by a shark than have this happen.

Exactly, a lot can happen, but if you bring in probability then, I feel the tech is quite decent. I mean, it's not designed to secure an alien spacecraft in a Nevada bunker.

People lock their doors with metal locks while the door is still wood!

I hate using a passcode, I need to type it in at least 4-5 times a day to get in (set with 1 hour limit to lock). With the TouchID it will be awesome.
 
So why are they talking as if any old person can do the hack? There is no need to improve something that is as perfect as it can be. It doesn't change the fact it's better than any consumer system on the market!

You need a passcode to change anything on the phone to make it yours. I can't foresee any reason other than information on the device that would make this hack even worthwhile? You can remote wipe data if stolen and keep sensitive data locked in apps.

This article seems like scare mongering and goading a response to a non-issue.
 
Wouldn't it be easier to steal someone's credit card than it would be to get someone's phone and fingerprint? I'm not a criminal, but the credit card seems like an easier target to me.
 
So why are they talking as if any old person can do the hack? There is no need to improve something that is as perfect as it can be. It doesn't change the fact it's better than any consumer system on the market!

Probability of it happening aside, "any old person" CAN do the hack. It's not rocket science. It's basically doing stuff that thousands of teens have done in years past with homebrew circuit boards and model making.

I saw it first reported around the turn of the century when our company checked into using fingerprints for ID, and decided against it. (Fingerprint readers are good for convenience, but are not an ideal security system.)

Around 2002, a Japanese security researcher used the techniques to fool a commercial sensor with a fake finger. The next year, the Chaos Computer Club (the same one that hacked the iPhone 5s) announced that they had made a wearable fake print that could be used in public.

So it's an old technique. Heck, it might even be easier to find a section of a print to use on the iPhone than other sensors, as TouchID apparently only scans an 88x88 pixel 500 PPI area, which is about 1/5" square.

You need a passcode to change anything on the phone to make it yours. I can't foresee any reason other than information on the device that would make this hack even worthwhile?

That was true before Apple Pay. Now your evil kids or roommate can take their time to make a decent finger from your prints around the house, and use it to buy things with your phone. Just pray that it's not child porn or something. Figure the odds of you proving that it was not your finger that was used to authenticate.

This article seems like scare mongering and goading a response to a non-issue.

It's not a total non-issue, but yes, it should be a very rare event. Unless someone comes out with a "Just send a print and $19.95 to us and we'll send you back a finger" service ;)

Wouldn't it be easier to steal someone's credit card than it would be to get someone's phone and fingerprint?

Absolutely. Unless you were trying to incriminate someone, by making it seem they either bought something or were somewhere. Then TouchID is ideal. Again, this scenario is more likely to show up on a TV show than in real life.
 
Meanwhile in other pressing news, what are banks going to do about the fact that you can still have a gun pointed at your head and be robbed in broad daylight of all your money in your wallet, or forced to go to an ATM and withdraw cash? I mean it's been a problem for 200 years before even the industrial age and modernization... When is this terror finally going to be brought to an end?

And as a side note, stealing a fingerprint and accessing your personal devices with it takes the act above normal theft; you then just became an identity thief, in which you are pretending to be another person through trickery. There are already laws against theft and identity theft, so be prepared for some great legal action and jail time should you try this and be caught.
 
As the saying goes..

We have a saying in the UK that covers this type of thing.

"Load of Bollocks". That's what this story is, a load of old bollocks.
 
That was true before Apple Pay. Now your evil kids or roommate can take their time to make a decent finger from your prints around the house, and use it to buy things with your phone. Just pray that it's not child porn or something. Figure the odds of you proving that it was not your finger that was used to authenticate.

Um, just which Apple Pay-supporting vendors are selling child porn??
 
Why can't they add a heart rate sensor to the Touch ID so it actively looks for a pulse when you place your finger on the Touch ID sensor? That would render it almost impossible to hack.
 
Um, just which Apple Pay-supporting vendors are selling child porn??

Any that take Mastercard, Visa or Amex. Apple Pay is not something a merchant has to sign up for.

Related story: a while back a coworker lost his job, equipment and almost his family, after the FBI raided his home. It turned out that someone had stolen his credit card info and used it to buy a web domain used for child porn. It took him years to clear his name, and then he actually won a lawsuit against the government, but huge damage to his rep and work had been done. (The Feds destroyed all his hard drives, which had his life's work.)

At least he managed to clear his name because it became obvious that his info had been stolen. If the purchase had been authenticated by TouchID, as online payments are headed toward, I think seriously he'd be in jail instead.

The more security with credit cards, the less secure you actually are in case something goes wrong. We've already seen this in countries with chip & PIN, where people's PINs were skimmed and the CC companies refused to believe it for a long time.

Currently I feel safe because whenever my card has been stolen, I was not responsible. Add more half-security features like PINs and TouchID, and that fraud protection starts to disappear.

More "security" in the form of stealable credentials is a two-edged sword.
 
Any that take Mastercard, Visa or Amex. Apple Pay is not something a merchant has to sign up for.

Related story: a while back a coworker lost his job, equipment and almost his family, after the FBI raided his home. It turned out that someone had stolen his credit card info and used it to buy a web domain used for child porn. It took him years to clear his name, and then he actually won a lawsuit against the government, but huge damage to his rep and work had been done. (The Feds destroyed all his hard drives, which had his life's work.)

I think this sounds like more of a horror story on how our government works than anything else. Did this receive any media coverage? Buying a domain name is hardly an illegal, jailable offense, regardless of what the domain is called, so I feel and really want there to be more to this story than this?

Also, with "darknet" purchases these days, I find it hard to believe much of it is going through any kind of legitimate credit card processor when there are things like Bitcoin now.

At least he managed to clear his name because it became obvious that his info had been stolen. If the purchase had been authenticated by TouchID, as online payments are headed toward, I think seriously he'd be in jail instead.

Because he bought a domain? That doesn't even make any sense. Please tell me there was more to his prosecution than the purchase of a domain.

Currently I feel safe because whenever my card has been stolen, I was not responsible. Add more half-security features like PINs and TouchID, and that fraud protection starts to disappear.

More "security" in the form of stealable credentials is a two-edged sword.

I'd settle for any actual card security at this point, because the US credit card industry is now just barely progressing beyond the 1970's.
 
Why can't they add a heart rate sensor to the Touch ID so it actively looks for a pulse when you place your finger on the Touch ID sensor? That would render it almost impossible to hack.

Doesn't always help in the case of a thin fingerprint gelatin placed on top of your own real finger.

The sensors read your real finger heat, and pulse, through the false print layer.

The dirty little secret of fingerprint sensors, is that so far, no one has invented one (or at least sold one publicly) that can't be fooled. That's why they fell out of favor with other device manufacturers as a security method.

(Something similar happened with the original touchscreen pattern unlock methods that were popular about the same time period. People could often see the grease path left by the repeatedly used pattern. So "swipe path to unlock" disappeared. Years later, swipe to unlock was resurrected, but no longer used as an actual security unlock method. It simply became a convenient way to get past the default sleep screen.)
 
I think this sounds like more of a horror story on how our government works than anything else. Did this receive any media coverage? Buying a domain name is hardly an illegal, jailable offense, regardless of what the domain is called, so I feel and really want there to be more to this story than this?

It wasn't about the website name. It was about the fact that it was used as a child porn site. I think it was based in China, even. It was so obvious that it was a case of stolen card info, it wasn't even funny. But the Feds don't take a chance. They raid first, ask questions later.

He not only worked with me, he was my roommate for a while. Nice older gentleman, who not only invented and sold some of the first DVD conversion software, but even one of the first Apple II 68000 coprocessor boards.

And yeah, quite the government horror story. They raided his upstate NY farm home, rifled even through his young daughter's drawers, terrifying his family while telling them what they suspected him of. They then trashed his onsite office building, and took all the equipment as evidence. Effectively his software business was destroyed.

As I said, later on he was totally cleared, after they found no evidence of porn on all his hard drives or home, and finally admitted that they kind of jumped the gun. He won quite a sum of money for wrongful arrest and destruction of property, but nothing compared to what his regular business had done.

Also, with "darknet" purchases these days, I find it hard to believe much of it is going through any kind of legitimate credit card processor when there are things like Bitcoin now.

The overwhelming majority of card fraud in most of the world these days, is from internet purchases using stolen card info.

I'd settle for any actual card security at this point, because the US credit card industry is now just barely progressing beyond the 1970's.

Extra security benefits the card companies, not the consumer. Unless you actually believe that they'll lower interest rates (which supposedly are based on fraud coverage). I don't.
 
Extra security benefits the card companies, not the consumer. Unless you actually believe that they'll lower interest rates (which supposedly are based on fraud coverage). I don't.

I think not having to dispute spurious charges and get new cards every other year will benefit me as well. Having credit card info stolen is a total hassle at best.

I've never carried a balance anyway, so the interest rate issue is academic to me.
 
I think not having to dispute spurious charges and get new cards every other year will benefit me as well. Having credit card info stolen is a total hassle at best.

Agreed, after having had card numbers stolen multiple times, it is a minor hassle to update my numbers online.

But I very much like the fact that the assumption of innocence is on my side. With PIN, and worse, TouchID, that protection is slimmer. Read these about chip&PIN in the UK:

2012 - Victim of chip-and-pin fraud? It's all YOUR fault, insist the banks as they refuse payouts

Which finally might be cleared up:

2014 - Card fraud victims wrongly denied refund could finally see their money back after a new review by financial watchdog

I've never carried a balance anyway, so the interest rate issue is academic to me.

I'm the same way about paying off each month, but there are plenty of others who do not.

--

What doesn't seem right, is that instead of iPhone owners being rewarded with lower rates or even a kickback, for using a device with supposedly more security, Apple sucks up all the CC company reward for themselves.

That's kind of like a car manufacturer selling a model with better gas mileage, and keeping the difference in gas cost for themselves.
 
How foolish this article is.

Is the touch id as secure as a full-length strong password that you memorize and never reuse or write down?

Nope.

Never was... and doesn't need to be.

But it's awfully secure because this fake finger attack (NOT "fake fingerprint" as others have noted) is quite difficult to pull off.

In reality mobile security usually involves a trade-off between security and convenience. Touch ID is great because it's an option to have both security and high convenience.

Let's compare it to some other common options:

Touch ID: high security, high convenience
Strong, unique, memorized password: very high security, very low convenience
Passcode: medium security, medium convenience if set to not required too often (which lowers the security a bit)
No passcode or password: low security, very high convenience

It's a very good option... the best option unless you require the very best security or the absolute most convenience.
 
Good luck

 