What Hollywood has taught us about biometric hacking
Tony Anscombe says biometric identification is becoming the security measure of choice for a growing number of companies.
Tony Anscombe, senior security evangelist, AVG Business
Hollywood has taught us all the art of biometric hacking.
Anyone who has watched a spy thriller, heist movie, or sci-fi film will have seen a hero foil hi-tech security with the help of a make-up artist, a wig and costume, latex fingerprints or a canny knack for impersonating voices.
But that's just the movies, right?
Biometric identification – verifying someone's identity by voice, facial recognition, retina scans or fingerprints – is becoming the security measure of choice for a growing number of companies.
There's a good reason.
Years of persuasion seem to have failed to convince consumers to adopt hard-to-crack passwords and PINs.
It's worth remembering that in the league table of the world's most common passwords, “123456” and “password” are stubbornly stuck in first and second place.
The thinking behind biometrics is simple enough: your biology is unique.
Your face, voice, eyes and fingerprints identify you and you alone.
But the practical technology does not quite match the theory… yet.
Which brings us back to Hollywood and the fictional depictions of biometric security hacks.
Hackers have tried out Hollywood's tricks with real tech – and found that some of those techniques really do work.
- Fingerprint recognition
Increasingly a standard feature of smartphones, fingerprint recognition (more often thumbprints) has been hacked with child's modelling clay. Grab a clean print, create a mould and then use modelling clay to create an artificial thumb. Ah, but how do you get a fingerprint in the first place? Well, we leave them behind on pretty much everything we touch …
- Voice recognition
Unlike other forms of biometric identification, our voices change in different circumstances: a rise in pitch in moments of stress, a lowering in pitch when we have a cold. In other words, voice tech tends to work within margins of error to accommodate these natural changes. Even background noise has an impact on what the device “hears” and tries to authenticate. Hackers have shown that impersonation can crack this security measure. Voice recognition software can also be bypassed by grabbing a short recording of someone's voice, either by making a spam call or stealing a voicemail message.
- Facial recognition
In the early days of facial recognition tech, hackers showed that a high definition photograph of someone's face was enough to break into a device. Since then, the technology has improved by adding a “blinking” test to rule out static images. But this led to a demonstration last year that a high definition video of someone's face, complete with a couple of blinks, was enough to break into some devices.
- Retina scans
Researchers first demonstrated back in 2012 that eye scans were vulnerable after printing a “synthetic” version of a retina to hack an account. There were claims at Mobile World Congress last year that photographs could also be used to fool retina scans in the same way that images could be used to hack facial recognition systems.
So does this mean biometric identification has no future?
Taking fingerprint recognition on smartphones as just one example, biometric tech is becoming mainstream.
In that sense, science fiction is becoming everyday fact through the general use of biometrics for identification. But it's still relatively early days for some of this technology. It will become more reliable and sophisticated in the future. What's most likely is that biometrics will become one part of a longer authentication process rather than a single-step solution. We can expect to be asked to complete several identity verification steps – from passwords, PINs and personal questions to biometric checks – by banks and financial institutions in particular. Some financial institutions have already started to move in this direction.
The best advice right now is to get the basics right. So vary your passwords and PIN codes between accounts and think less about pass words and more about pass phrases: a memorable phrase with letters and numbers rather than a single word. For example, MFM12INR! could be remembered as ‘my ford mustang 2012 is not red!’
So next time you see a film where biometric security gets hacked, just remind yourself that sometimes movies are predicting what we should expect to see in real life. Maybe you'll also think twice about posting yet another selfie.
Contributed by Tony Anscombe, senior security evangelist, AVG Business