Fingerprint security is back in the news, with bloggers and tech writers pontificating on the security vulnerabilities of mobile devices. The latest and greatest in security paranoia is fingerprint duplication. A notable article published on the Verge, “Your phone’s biggest vulnerability is your fingerprint,” addresses the danger in the government’s legal and technical ability to duplicate your fingerprint, and it asserts that “as long as federal agencies are collecting fingerprints in bulk, they’ll never be private, which means they’ll never truly be secure.”
The article’s title greatly overstates the case when it claims that fingerprints, “over 100 million” of which have been collected by the federal government, are the biggest security vulnerability. While we want to believe that a mobile phone’s biggest security vulnerability is as sophisticated as getting our fingerprints from a government database, most of the real, widespread security vulnerabilities have looked more like Stagefright, where simply receiving a text message was enough. That particular Android vulnerability affected over 95% of Android devices.
So, why is fingerprint duplication the hot topic in technology paranoia today?
Because it’s innovative, and it’s a hacking possibility we can visualize. The Verge article starts off by describing the process of how hackers are able to break into your phone by saying “all it took was some dental mold to take a cast, some play-dough to fill it, and then a little trial and error to line up the play-dough on the fingerprint reader.” This scenario really fits into the topic of government surveillance, not into the daily lives of business professionals. The security vulnerabilities that the vast majority of us will experience will be completely remote.
Because the act of remote hacking can’t be easily visualized, most people have no idea how hackers do what they do remotely, so it is easier not to think about the possibility or magnitude of the threat. However, remote hacking is a much larger threat than a fingerprint scanner security vulnerability. Using the example from the Verge article, a lot of things have to happen before someone can breach your phone via the fingerprint reader. First, they need to know you well enough to get hold of your phone and to match your fingerprint to that device. What can hackers get out of your phone by duplicating your fingerprint that they can’t already get without ever touching your phone? If they knew you that well, they might know your mother’s maiden name or where you worked at your first job. That kind of information, which some people choose to display publicly on Facebook, is exactly what common password reset questions ask for. Hackers don’t need to duplicate your fingerprint; they just need to know you and know where to look to find out more about you.
Is this as scary as the fact that the FBI can turn your laptop’s webcam on without your permission or knowledge?
What about your smartphone’s Facebook application turning your microphone on while the app is running in the background?
Like the possibility of the government duplicating your fingerprint to hack your iPhone, once the overall feeling of violation subsides, we realize that these cyber espionage “threats” are nearly insignificant compared to the simple password vulnerabilities that can easily catch anyone out.
As for the “lifetime vulnerability” security threat of someone stealing your fingerprint, how many people actually use their fingerprint on their phone? According to the Verge article, “analysts estimate less than 15 percent of iPhone logins happen through the Touch ID sensor.” The article goes on to state that “the government’s stockpile of fingerprints is effectively useless” to break in.
While it is entertaining to think that Mission Impossible-style hacks are now possible, your phone’s greatest vulnerability may be as simple as not setting a password at all! As of January 2016, 34% of Android users did not have a password on their phone. The point is this: security is not about building an impenetrable wall. Our best bet is to minimize the amount of information out there and to have a plan of action for when a hack does happen.