Chinese clay clones at MWC can't give biometrics the finger

From HSBC's new voice recognition access to the now ubiquitous finger print readers, biometrics promise greater levels of security - but are often more about delivering a satisfying user-experience reports Davey Winder.

Chinese clay clones at MWC can't give biometrics the finger
Chinese clay clones at MWC can't give biometrics the finger

At the Mobile World Congress in Barcelona, a Chinese manufacturer of high resolution fingerprint readers showed the BBC how smartphone fingerprint scanners could be fooled by a clay imprint of a fingertip. The ulterior motive being that higher resolution sensors wouldn't be caught out by such shenanigans.

However, across the years fingerprint scanners have been caught out by everything from latex lifts as beloved of the movies through to Gummi Bear sweets (we kid you not).

Mike Murray, VP of security research at Lookout, told SCMagazineUK.com that he thinks we will still be using passwords in years to come as biometrics are not living up to the hype. "Ten years ago, there was a real push toward including biometric fingerprint readers in laptops" Murray says "how many of the laptops you see today still have a fingerprint scanner?"

Which is true, although you do have to ask yourself whether the move towards biometrics on smartphones and tablets will have a knock-on effect in driving adoption for other devices. Especially given the number of tablet/notebook hybrids hitting the market, and not forgetting the inclusion of biometrics for Windows 10 in the shape of Windows Hello.

David Mount, director of security solutions consulting at Micro Focus, also looks to the banking sector and the announcement by HSBC that it will introduce voice recognition for telephone banking authorisation as proof of a move towards biometric acceptance. "Passwords quite simply aren't working for the banking industry as they are too easy for hackers to steal and too difficult for customers to remember" Mount insists.

Addressing the specific voice recognition technology HSBC is talking about, pun firmly intended, Mount says "the technology is now able to analyse such specific biometric detail like the shape of larynx and vocal tract, which is much more difficult to steal than a password." Of course, adding layers of complexity could potentially lead to vulnerabilities, only time will tell.

But as Mount concludes "as we move more of our lives online, we need a more effective way to securely prove who we are. That's why we can expect to see biometrics based on our voice, fingerprints or heartbeats becoming more prevalent in the not-too-distant future."

Coming back to smartphones, these have undoubtedly shown that biometrics, albeit almost exclusively fingerprint scanners, can work unobtrusively. This is not only driving acceptance of biometrics in general, but of the expectation that higher end devices should come with them built-in by default.

What could dent that drive is a security scare. But does the clay cloning demonstrated at MWC really count as a scare? That clay was used here is almost besides the point. So what is the point?

How about how much of a real world risk is posed by such an attacker, who somehow has access both to a copy of your fingerprint and your phone itself? Even for high-value targets, let alone the likes of us, there are much easier and more-likely-to-succeed attack methods out there.

"If an attacker is desperate to get their hands on your data, they're going to try a number of ways to circumvent your security" says François Amigorena, CEO at IS Decisions who continues "if the option of gaining access uses clever cloning technology, an attacker may well be motivated to do their best to make that technology work for them."

David Baker, chief security officer with Okta argues that it's not such a real world risk as you may at first imagine. "The fingerprint has to be taken from a clean surface, ideally something like a crystal wine glass that the victim has held once, very firmly, with all the right digits" he explains, continuing "you can't pull prints off of the victim's phone or laptop. Those are systems they touch hundreds of times a day. If you think about it, it's actually a lot harder than you think to find the potential for lifting finger prints."

While stealing a fingerprint may be trickier that stealing a password or PIN, it's not impossible warns Thomas Bostrøm Jørgensen, CEO of Encap Security. "Relying on just one factor for authentication is always risky" he says "authentication should use a number of factors using their customer's device, using a method most suited to the user, their device and the risk of the interaction taking place."

David Kennerley, senior manager for threat research at Webroot agrees that biometric authentication should always be used alongside another form of authentication, not as a standalone security feature. "We are seeing many manufactures – not just mobile device makers – move towards single factor biometric security" he warns "and as hackers and security experts have shown time and time again, it does not offer a suitable level of security in everyday life."

Although having a lock on your phone may not just be about stopping someone accessing your phone easily, as Mark James, security specialist at ESET points out perhaps with the Apple/FBI conflict in mind "by having some kind of security to access your device will often force your data to be encrypted thus protecting it even further."

James also points towards the standardisation of biometric sensors as an issue to consider. With biometric sensors becoming almost commoditised, and certainly there's a standardisation to lower costs in effect, security could be weakened. "Lower costs often (but not always) leads to the increased risk of compromise" Mark James warns "as cyber criminals learn and adapt then security has to do the same." Unfortunately, this comes at a cost and effective defence means time and money being invested to make it safer again.

Not everyone agrees with this risk hypothesis though. Take Robert Capps, VP of business development at biometric specialists NuData Security for example. "Lower cost, standardised sensors really don't present a direct risk to the security of devices and the data contained on them" he told SCMagazineUK.com "as long as we use them in ways that they are intended, and with full understanding of their limitations."

Capps explained that these sensors do a fantastic job of deciding if a physical biometric indicator presented to the device is authorised to have access. "With the long established attacks on such sensors being widely available" he says "physical security of the device must be maintained by the user, and the use of remote disable functions should be used if the device is ever lost or stolen to further protect the device's contents and the privacy of the owner."

So the real risk in using these sensors is related to using them in ways they were never intended to be used, such as physical biometric authentication across the Internet.

Steve Manzuik, director of security research at Duo Security also throws in the stinger that in some jurisdictions (such as Virginia State in the US for example) the courts have "ruled that law enforcement can compel someone to unlock their device if it is being protected with a fingerprint (biometric) but cannot if the device is protected with a PIN code."

Robert Capps, VP of business development at biometric specialists NuData Security told SCMagazineUK.com "consumers that are worried that a facsimile of their fingerprint may be used to surreptitiously access their Smartphone can opt to not activate and/or not utilise that feature, instead creating a strong passcode of six or more characters for access, and enabling additional security features of their device to prevent passcode guessing."

And for high value users? "There are a number of technologies being developed and researched for consumers and enterprises with high security purposes" David Baker explains "such as identifying users through behavioural characteristics in keystroke and mouse dynamics." Essentially, this is learning the patterns of users. For example, if a user typically holds down a key for 80 milliseconds, and a fraudster is trying to mimic a user who is slightly faster at typing and holds down a key for 70 milliseconds, the programme can recognise this may be an attack.

At the end of the day, any multi-layered authentication has to be a good thing. However, it would be a mistake to think that fingerprint scanners on smartphones are there primarily as a security device as they are not. They are there to improve the customer experience by giving the illusion of James Bond levels of security gadgetry.

"Organisations want a better user experience so they can drive more transactions, improve their brands by integrating innovative authenticators, or encourage more application usage which is a typically cheaper than someone walking into a bank branch" insists Phil Dunkelberger, CEO of Nok Nok Labs who continues "security is important, but the user experience is paramount..."