Mobile devices pose privacy risks and biometrics can help

Forget silly privacy worries – help biometrics firms make MILLIONS (The Register)

Tech firms are set to experience a biometric bonanza – as long as they can persuade ordinary folk to give up worrying about their privacy.

That’s the claim in a briefing note from “growth consulting firm” Frost & Sullivan, which suggested the number of smartphones equipped with biometric gubbins will soar from 43 million to 471 million by 2017.

This, according to the beancounters, means the biometric revenue from smart phones will increase from $53.6m in 2013 to $396.2m in 2019, amounting to an annual growth rate of 39.6 per cent.

“Due to existing hardware capabilities across devices, most of the growth is expected from facial and voice authentication technologies,” said Frost & Sullivan ICT Global Programme Director Jean-Noël Georges.

The goals of mobile device fingerprint technology are the epitome of privacy protection. Mobile fingerprint technology doesn’t spy on users and, by itself, it’s hard to see how it can create commercially valuable information for a third party to sell. It is put in place to make the “always on,” web-connected pocket computer a more secure platform from which to perform the functions financial institutions and users seem to want.

Dick Dastardly – not a banker or biometrics executive

The other two biometric technologies mentioned by the author, face and voice recognition, would perhaps be easier to abuse by a third party. The more acute risk to individual privacy associated with mobile biometrics, however, comes not from a bunch of moustache-twirling banks and biometrics companies, but from flippy birds and fuzzy bunnies, or downloaded apps accessing onboard biometric technology for no other reason than to sell on to their customers the information gleaned. But that type of privacy risk is inherent in mobile technology. With its location services, cameras, microphones, wifi, NFC and bluetooth, modern mobile devices already contain an astonishing array of sensors and communications devices waiting to be abused or used in ways consumers don’t necessarily anticipate, and that’s happening right now.

Biometrics didn’t create this situation but they might be able to help.

No. Iris? Perhaps.

Does Samsung Have a Retina Scanning Smartphone Coming? (TechnoBuffalo)

The iris (left), which gives people “eye color,” controls how much light enters the eyeball. The retina (right) is the structure lying along the inside, back surface of the eyeball that translates light into nervous impulses for the optic nerve to send to the brain.

In a camera analogy, the iris would be, well, the iris, since cameras have them, too. The retina would be the film, or in an even better digital analogy, the charge-coupled device (CCD) that translates light into ones and zeros for computer chips.

Mobile iris technology is much more straightforward than mobile retina technology and is far more likely to be coming soon to a smartphone near you.

NFC + Mobile + Biometrics = The Future of Payments

British Banking Association reports on UK’s banking ‘revolution’ (NFC World)

“The revolution in the way we spend, move and manage our money is not over,” the report says. “Banks are looking at a range of new technologies to make banking even easier and more flexible. Biometric data could make accounts safer and security features more straightforward for legitimate transactions.

“Near field technology could end the need for taking your card out of your wallet or purse to make a purchase. Banks will strive to innovate because they know it’s a way to win new customers.”

The combination of mobile handheld device hardware (i.e. the perfect token), biometric ID verification, and NFC provides the tools for building extremely powerful ID management regimes.

Banks appear to be realizing that systems like these could make for happier customers and pose a real threat to the credit card/debit card/clearing house/merchant bank model of card-based payments provided by organizations such as Visa and Mastercard.

It’s possible that banks that successfully negotiate this opportunity could begin to take back some of the 3% of credit card transaction value (a massive amount of money) collected by credit card companies, but in order to do that banks will have to figure out how to make an extremely secure mobile app that lives on a device that has a massive attack surface.

Elsewhere in the news, Norwegian start-up Zwipe is trying to solve this riddle with dedicated hardware. As compared to networked mobile devices such as smartphones, the Zwipe device has a tiny attack surface in that users can’t download viruses to it via cellular signals, wifi or SMS. But in the name of security, the Zwipe device lacks some of the connectivity attributes that make smart devices so attractive for true e-commerce transactions rather than “point-of-sale only” transactions.

No matter how all this shakes out, this is a trillion dollar riddle and biometrics are a near certainty to factor in the solution.

This kind of thing makes fingerprint spoofing even harder

Samsung patent suggests multi-fingerprint e-wallet authentication and gesture control (Android Authority)

Applications for fingerprint scanning are quite limited at the moment…

The future may hold a bigger promise, however. A patent application made by Samsung indicates that the company may be working on an even more innovative use of fingerprint scanning for authentication. In the patent application, Samsung describes several methods for authenticating a purchase, such as through PIN, password, pattern, and even fingerprint scans. An interesting addition is the inclusion of multiple fingers for stronger authentication.

Uncertainty over which fingerprint was used — or in the not too distant future, which combination of fingerprints are used — would go a long way towards making the already difficult task of fingerprint spoofing even harder.

Veins are great, but that doesn’t mean fingerprints are a “gimmick”

Vein-scanning technology may trump fingerprint scanning for payments (Sydney Morning Herald) But even if the headline is true, it doesn’t follow that

“Using our fingerprint is not a secure way to do [authentication],” Professor Susilo said. “It’s just like a gimmick.”

One of the main benefits of vein and iris scanning is that you don’t tend to leave behind iris or vein prints, he said.

As most vein scanner sensors coming out this year require no physical contact, it means there are no residual biometric patterns that could be copied, preventing fraudulent use.

Fingerprints are notoriously easy to lift from surfaces and are not secure, he said, which has been demonstrated by researchers for more than a decade.

In 2002, Japanese researchers showed that fingerprint scanners could be fooled with about $10 worth of household supplies. They also found many fingerprint systems did not detect if someone was “live and well”.

Vein scanners are, in fact, “more secure” in the sense that there is no latency. You can’t leave vein prints behind. But that doesn’t mean that fingerprints are a gimmick.

To take the professor on his own terms, how much money worth of household supplies are required to access an unsecured mobile device? How much money worth of household supplies are required to access a device secured by a password? How easy is it to apply the $10 worth of household supplies to cracking the phone? The answers: None, None, Not very. It really isn’t that easy to spoof fingerprints without the participation of the person whose fingerprint is enrolled.

Vascular biometrics, on the other hand, have no latency. Nobody leaves behind vein prints. But hardware cost (too expensive) and form factor (too large) disqualify vein sensors’ use in mass market mobile devices*. Until about 6 months ago this was true even for fingerprint readers.

*In mobile devices, power consumption is also a big concern. I don’t really know if vein readers are power hogs or not. Perhaps the likely infrequency of vein sensor use compared to the screen or audio output means power requirements won’t end up being the determining factor for vein reader deployment anyway.

Samsung and biometrics extends PayPal’s point-of-sale reach

PayPal launches Galaxy S5 fingerprint-based payments in 25 countries (Android Authority)

“Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique encrypted key that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers”

It’s official: GALAXY S5 has a fingerprint reader

Spain, February 24, 2014 – Samsung Electronics today announced the fifth generation of the Galaxy S series, the Galaxy S5, designed for what matters most to consumers. The new Galaxy S5 offers consumers a refined experience with innovation of essential features for day-to-day use.

Essential device protection
The Galaxy S5 is IP67 dust and water resistant. It also offers a Finger Scanner, providing a secure, biometric screen locking feature and a seamless and safe mobile payment experience to consumers. The Ultra Power Saving Mode turns the display to black and white, and shuts down all unnecessary features to minimize the battery consumption.

The device will be available globally through Samsung’s retail channels, e-commerce and carriers in April.

More information is available at the Samsung site here.

See also this video.

The fingerprint scanner comes in for a couple of mentions in the first half.

All is proceeding as we have foreseen

Windows Phone 8.1 with fingerprint support, UI customizations — A new WP 8.1 SDK leak points to fingerprint scanner support in the next OS update, which should put Windows Phone level with iOS and Android. (GSM Arena)

Samsung’s next flagship phone will feature a swipe fingerprint scanner embedded in the home button (uSwitch)

April 22, 2014: LG G3 specs leak points to integrated fingerprint scanner (Trusted Reviews)

The prediction to which this post’s title refers can be found here.

Passwords can be tricky on mobile devices

30% of organisations to use biometric security on mobile devices by 2016 (Telecoms.com)

Almost a third of businesses plan to use biometric authentication for mobile devices as part of their bring your own device (BYOD) programmes by 2016, according to research firm Gartner.

The analyst firm explained that BYOD programmes have caused potential security problems for IT directors within enterprises and data that is protected by complex passwords and security measures on employees’ PCs is not guarded as well on their mobile devices. As a result, Gartner expects that 30 per cent of organisations will implement biometric authentication on employees’ mobile devices, up from five per cent today.

I came across an interesting problem the other day. I had to change an important password to access certain critical work functions. Being a conscientious type, I use good password hygiene: mixed case, numbers and punctuation with the help of a random password generator. So far so good.

When I generate the password, I don’t really care what it is or notice the characters. I copy and paste it into the web page asking for it. So far, so good. But one of the things controlled by the password I recently had to change is my ability to check email on my phone. No problem, I find the password (let’s say it was 5=EtH!duWaz8) and I couldn’t find an equal sign in any of my phone’s keyboard layers to save my life.

My work-around involved emailing it to another email account I can get on my phone and doing a copy-paste job. Menial tasks should be easy, they shouldn’t require as much creativity to accomplish.

Mobile biometrics can help.

Mobile device manufacturers begin taking security more seriously

A little over two years ago, when Motorola yanked the fingerprint sensor from its Atrix line, we noted that there is a tension between the market signals from the “make ’em cheaper” vs the “make ’em more secure” crowd.

It appears that the rise of mobile commerce since then is forcing manufacturers to give more weight to security now than they did then.

Security continues to be a major issue for mobile commerce (Mobile Commerce Press)

Mobile identity is becoming more important to businesses, especially as more consumers around the world begin to rely on smartphones, tablets, and other devices in their daily lives. Market research firm ResearchMOZ has released a new report concerning the growing importance of mobile identity and how businesses are beginning to invest more heavily in biometrics and other such technologies. The report cites the growth of mobile interactions and mobile commerce as the influence behind higher investments in mobile identity.

…and there’s this.

ARM is developing a 128-bit mobile chip for use in Samsung hardware (tech2)

If 64-bits just aren’t enough for you, the ARM official has also revealed that it is aiming for 128-bit mobile chips that will be developed over the next couple of years. As ridiculous as it may sound, demand for the chip will supposedly be driven by the drastic performance upgrades needed for biometric sensors and face recognition.

128 seems a bit big. Facial recognition systems in government applications with very large databases work well on 32- and 64-bit systems. Those who may disagree will likely base their disagreement on factors other than the number of bits of data the chip can handle at one time.

Nevertheless, it’s good to see hardware manufacturers providing more options to security-conscious mobile device users.