Why RBS and NatWest were wrong to trust Apple on biometric security (Information Age)
Here, Richard Walters, GM and VM at Intermedia, expands on Whaley’s criticism, claiming that the biometric technology offered by Apple is not secure enough to support sensitive activities like mobile banking.
Very much worth reading in its entirety.
Apple wants you to be able to unlock your iPhone with a selfie (Business Insider)
There’s no guarantee Apple will implement the technology – the Cupertino company obtains numerous patents that it never uses. These can be precautionary, or intended to trip up or block competitors. But as the industry increasingly looks to kill traditional passwords, selfie-secured iPhones sounds surprisingly plausible.
Google: Our new system for recognizing faces is the best one ever (Fortune)
At first we’ll see systems like Google’s FaceNet and Facebook’s aforementioned system (dubbed “DeepFace”) make their way onto those company’s web platforms. They will make it easier, or more automatic, for users to tag photos and search for people, because the algorithms will know who’s in a picture even when they’re not labeled. These types of systems will also make it easier for web companies to analyze their users’ social networks and to assess global trends and celebrity popularity based on who’s appearing in pictures.
Apple Pay secures key US govt contract (Planet Biometrics)
Apple’s biometric payment system is set to be used by the US Federal Government for payment cards and social security and veteran’s payments, following an announcement by US President Barack Obama.
It’s Apple’s fault that the Nexus 6 doesn’t have a fingerprint sensor (The Verge)
Former Motorola CEO Dennis Woodside has confessed that the dimple at the back of the Nexus 6 was originally intended to play host to a fingerprint sensor. Back in 2011, Motorola was a pioneer in bringing fingerprint recognition to its Atrix 4G smartphone, however the company it used then, Authentec, was purchased by Apple a year later for a price of $356 million. Authentec were, in Woodside’s judgment, the best supplier around and “the second best supplier was the only one available to everyone else in the industry and they weren’t there yet.”
Apple Reveals More Details of Touch ID for iPhone, iPad & beyond (Patently Apple)
Generally, capacitive fingerprint sensors may be used to determine an image of a fingerprint through measuring capacitance through each capacitive sensing element of a capacitive sensor. Thus, fingerprint ridges provide a higher capacitance in an underlying capacitive sensing element than do fingerprint valleys.
Capacitive fingerprint sensors come in at least two varieties, namely active and passive. Active capacitive sensors are often used in electronic devices to provide biometric security and identification of users.
A long discussion, based on Apple patent filings, of what Apple’s future fingerprint technology may look like follows.
Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. (Lookout)
Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.
Read the whole thing. It’s good.
Our post on the CCC hack are here.
UPDATE:
Touch ID was hacked, but no one cares (ITWeb)
Apple’s stated purpose for installing a fingerprint reader on its new iPhone is to give people who aren’t currently protecting their mobile hardware at all a more convenient way than passwords to do so.
Great, right? The number of mobile devices left unprotected will go down, sparing some non-trivial number of individuals the heartache of having their devices accessed in a way they didn’t authorize. Hooray Apple!
Not so fast!
The Chaos Computer Club thinks that’s a really “stupid” way to look at things. They think that because it was so “easy” for them to create a rubber finger (likely with the full participation of the user) in a matter of (at least) hours, that only a moron would use the technology.
Chaos Computer Club breaks Apple TouchID.
The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.
…
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown. [ed. bold emphasis added]
While both of the parts above in bold type are false, they are false in different ways. The first part, “using easy everyday means” is only a fib. The process described is “easy and everyday” kind of like manufacturing dentures is easy and everyday. Sure, it happens every day, but it isn’t like making brownies.
The second bolded part is indistinguishable from the ranting of a conspiracy theorist.
There’s something vaguely embarrassing about people who claim to know a lot about technology, but who display no understanding of its use or appreciation for its context. When they also presume to tell everyone else what to do, it begs a response.
It’s one thing to point out how new technologies are fallible. All technologies are and it is important that consumers understand how that is the case. It’s another thing to try to scare people away from adopting security techniques that will leave them safer than they are now and are convenient to use.
Apple’s implicit point is that when it comes to protecting access to the device, fingerprint access is better compared to doing nothing, which is the option many people currently choose. It’s not a question of perfect security, it’s a question of security that is convenient enough that it actually gets adopted.
Other posts where the question “…compared to what?” arises:
The old Gummi Bear trick
Visa to drop signatures on credit card purchases by 2013
Unisys Poll: 63% of credit card users would prefer fingerprint
German gov downplays biometric ID card hack
UPDATE:
Marco Tabini at Macworld seems to agree. Apple’s Touch ID may not be bulletproof, but it’s still useful.
Insight: Trigger Finger – Apple fires biometrics into the mainstream (Reuters)
By adding a fingerprint scanner to its newest mobile phone, Apple Inc is offering a tantalizing glimpse of a future where your favorite gadget might become a biometric pass to the workplace, mobile commerce or real-world shopping and events.
Read the whole thing. I think this piece gets things about right.
It’s easy to overestimate and underestimate the importance of what Apple has just done. The fingerprint functionality itself is pretty shallow. The fingerprint sensor allows users to unlock the phone and buy stuff from Apple. That is all. But that also reflects that, of course, Apple wants to get things right “in captivity” before releasing the fingerprint sensor “into the wild.” And further, I think that means that fingerprint sensors on mobile devices are here to stay. Samsung, Microsoft/Nokia, etc. will follow suit.
*The preceding paragraph was revised on 24 Sept. 2013 it originally read, “Even if they don’t, Apple’s addition of fingerprint a sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there and Samsung certainly won’t be left behind as mobile ID surges forward. “
If the one word for the 60’s was plastics and in the 80’s it was all ball bearings, the technology touchstone for the 2010’s figures to be identity.
The “i” in the next iPhone will stand for “identity.” (Cult of Mac)
When people hear rumors and read about Apple’s patents for NFC, they think: “Oh, good, the iPhone will be a digital wallet.” When they hear rumors about fingerprint scanning and remember that Apple bought the leading maker of such scanners, they think: “Oh, good, the iPhone will be more secure.”
But nobody is thinking different about this combination. Everybody is thinking way too small. I believe Apple sees the NFC chip and fingerprint scanner as part of a Grand Strategy: To use the iPhone as the solution to the digital identity problem.
NFC plus biometric security plus bullet-proof encryption deployed at iPhone-scale adds up to the death of passwords, credit cards, security badges, identity theft and waiting in line.
Apple loves to solve huge, hitherto unsolved problems. And there is no problem bigger from a lost-opportunity perspective than digital identity.
The Boston Consulting Group estimates that the total value created through real digital identity is $1 trillion by 2020 in Europe alone.
Read the whole thing. Stripped of the Apple-worship, it’s an astute post.
The link inside the quote above is in the original and the pdf it links to is highly worth a look, as well. From the executive summary…
Increasingly, we are living double lives. There is our physical, everyday existence – and there is our digital identity. Most of us are likely more familiar with that first life than with the second, but as the bits of data about us grow and combine in the digital world – data on who we are, our history, our interests – a surprisingly complete picture of us emerges. What might also be surprising for most consumers is just how accurate and traceable that picture is.
…
Views on digital identity tend to take one of two extremes: Let organisations do what they need to in order to realise the economic potential of “Big Data,“ or create powerful safeguards to keep private information private. But digital identity can‘t be cast in such black-and-white terms. While consumers voice concern about the use of their data, their behaviours – and their responses to a survey conducted specifically for this report – demonstrate that they are willing, even eager, to share information when they get an appropriate benefit in return. Indeed, as European Commissioner for Justice Viviane Reding remarked, “Personal data is in today‘s world the currency of the digital market. And like any currency it has to be stable and it has to be trustworthy.“ 1 This is a crucial point. Consumers will “spend“ their personal data when the deals – and the conditions – are right. The biggest challenge for all stakeholders is how to establish a trusted flow of this data.
A new type of ID is needed to bind our physical and online selves, payments and hardware. If the tech giants are going to finish off the post office and assume the role of credit card companies, they’re going to have to solve the ID problem. If they solve the ID problem, there’s really no telling how many other business models they can disrupt.
INDIA: It’s good to have goals — ‘Aadhaar’ card for everyone in Punjab by March (Daily Bhaskar)
ZIMBABWE: Biometrics in Border Migrant Reception Centre (African Press Organization) There seems to be a lot of migration within Africa. Biometrics can help countries gather better data about what’s going in that regard.
APPLE: Patent applications suggests hidden sensors suitable for biometrics (UK Register) “‘Electronic devices are becoming more and more sophisticated, capable of performing a multitude of tasks from image capture to identity verification through biometric sensors,’ patent application 20120258773 notes. That’s the good news; the bad news is that each new sensor clutters up the seamless shiny-shiny of an iDevice.”
BUT WAIT, THERE’S MORE: Apple Wants To Use Your Fingerprints to Unlock Your iPhone (gizmodo)
AuthenTec to reportedly ditch non-Apple customers in 2013 (Apple Insider)
In an email to its customers, which includes Samsung, HP, Dell, Lenovo and Fujitsu, Apple acquisition AuthenTec reportedly said it will no longer be honoring orders come 2013, a source told Korean language website etnews.
The announcement may be an indication of what Apple plans to do with the company and its technology after purchasing the firm in July for $356 million. AuthenTec is well known for its work in fingerprint sensor tech and it was rumored that Apple might be looking to implement the biometric security asset into an upcoming iPhone.
It may be recalled that after Facebook bought Face.com, Face.com’s existing customers were left twisting.
This is always a tricky post merger call. Does Apple continue to sell a technology, at a hefty profit, to its competitors? How long would Apple’s competitors live with that deal?
Apple seems to have made the call.
Critics take bite out of Apple over missing features (The China Post – Taiwan)
Other widely expected features that were missing included wireless charging and biometric unlocking, which uses facial recognition or fingerprints as found on many phones running the latest version of Google’s Android operating system. Two other popular features included on the latest Android and Windows Phone 8 devices but absent on the iPhone are enhanced widgets and notification tiles that let the user see information such as emails, weather, stock prices, tweets and Facebook updates right on the phone’s home screen.
Apple may put fingerprint scanners in future products (V3.co.uk)
Among the technologies Apple now owns is a type of fingerprint scanner designed for mobile products with Near Field Communication (NFC) built in. AuthenTec’s AES2750 product is a fingerprint scanner that can interact with NFC applications to offer a secure way to log in to various systems.
AuthenTec says the technology can lock and unlock a phone, authorise mobile banking transactions and replace website user names and passwords, all with a fingerprint scan.
SEC filing fans rumors of mobile wallet for iPhone 5 (COMPUTERWORLD)
But how quickly these elements are introduced depends on Apple’s long-range plans for iPhone, and iPad, as well as the maturing of the mobile payments industry infrastructure, a big jump in consumer acceptance and — most of all — trust in the new technology, and how quickly Apple can phase these particular technologies into its supply chain and manufacturing processes.
…
The fingerprint sensor, many speculate, will be a key part of a full-fledged mobile “digital wallet” using a near-field communication (NFC) radio link to trigger purchases by simply waving the handset over an NFC reader. AuthenTec, an established vendor of a range of smart sensors, identity management (including PC/laptop fingerprint sensors), and embedded security products, announced the deal on July 27. At $365 million, it’s Apple’s biggest buy.
It’s worth pointing out that Josh Franklin at Seeking Alpha predicted the broad outlines of this whole thing a couple of months ago.
Apple wanted AuthenTec’s “new technology” ASAP for future products (Ars Technica)
There’s a hint that, whatever the tech involved, we won’t have long to wait. According to AuthenTec’s account, Apple wanted to hurry the buyout deal due to its own plans. “Representatives of Apple also noted Apple’s desire to proceed quickly due to its product plans and ongoing engineering efforts,” reads the SEC filing. “As a result of its focus on timing, Apple’s representatives also informed the Company that Apple would not participate in an auction process and would rescind its proposal if the board decided to solicit alternative acquisition proposals for the Company.”
The article isn’t even mostly about biometrics, but as we readily acknowledge here all the time, biometrics are only ever a means to an end. What the article does provide is a coherent view of where future profits will come from for Apple and Google well supported with charts, graphs and other visual aids, which I love.
The key biometrics bit is here but the rest is very interesting as well.
How Android gets Google to $2000 by 2020 (Marketwatch)
The most exciting thing I see on the horizon isn’t the ad sales that will almost certainly materialize, but the network effects of a billion Android users and the ways Google can leverage that scale. If one billion people are on the same mobile OS and you know where they are precisely and they have a biometric scanner on their phone, do you really need Mastercard and Visa to take their 3% to verify the funds and identity? That’s why Google is working on Google Wallet. If one billion people are constantly sharing their location by virtue of having their phone switched on, could you sell them stuff based on where they are? That’s why Google is working on Google Offers. And if one billion people care more about the device than the network and will pick the service based on who has the cool new Android phone, couldn’t you launch your own data service? That’s Google Fiber.
This also seems to be of a piece with growing recognition among financial types that biometrics are going to have a role in how authentication works and add significant value to the process.
Apple’s AuthenTec Buy Validates Biometrics, Valid Tech Says (IT Jungle)
Whatever Apple’s plans are, the $356 million it’s put on the table has already helped to “validate” biometric authentication as a whole, Faust says. “Biometric is absolutely the way to do authentication, because nothing else makes any sense,” he says.
Coming To An iPhone Near You: Apple’s New Fingerprint Key For Mobile Payments (Seeking Alpha)
With the purchase of biometric company AuthenTec (AUTH), Apple (AAPL) is opening the floodgates on biometrics. No more remembering alphanumeric password on a digital touchscreen. In the future, fingerprint, palmprint and voice-ID will allow you to log into your iTunes, Facebook (FB), or GMail account with the press of a finger.
Here comes the iWallet.