How to steal a fingerprint

How to steal a fingerprint
Photo credit: Pink Sherbet Photography / Foter / CC BY

Apple announced that the new iPhone will include TouchID to allow users to make purchases by identifying themselves with a fingerprint. Sounds great, right? But while biometrics (such as fingerprints, palm prints, and retina scans) do have some advantages over passwords, they have their weaknesses too. And, yes, fingerprints can be stolen.

I’m not talking about someone pressing a gummy bear against something you touched like I saw on CSI once. I’m also not talking about gangs of thugs cutting off fingers so they can buy songs off of ┬áiTunes. I’m talking about a fundamental misconception about biometric data.

Many people like biometrics because the security is based on something you are. A password is something you know. It can be forgotten. A token is something you have. It can be lost. But you can’t lose or forget your fingerprint! And barring dramatic and gory hand chopping off scenarios from the movies, your fingerprint can’t be stolen. Supposedly.

The problem is that Apple iPhone TouchID and other biometric security systems aren’t actually authenticating you based on your fingerprint. They are authenticating you based on a digital interpretation of your fingerprint. Just a series of ones and zeros like your other computer data. If that digital version of your fingerprint is intercepted or otherwise stolen it can be sent to the system you use your fingerprint to access just as if you were putting your finger on the screen.

A good security system will of course have a lot of controls to prevent someone from being able to do that, but what if someone finds a way to break those controls as they do with so many other systems? How are you going to reset your fingerprint?

Subscribe to Listing Toward Forty. Type your email address in the box and click the “create subscription” button. My list is completely spam free, and you can opt out at any time.

You can also find me on Twitter, Google+, and Facebook.

Leave a comment