The Trouble with Biometrics
Biometrics are fast becoming the norm for modern tech users. Fingerprint scanners are used at access gates, clock-in devices, and on cellphones. However, not since the iPhone 5S has there been as significant a game changer as the recently launched iPhone X’s Face ID. Built into the software and device, Face ID uses facial recognition to unlock your phone, grant access to sensitive apps such as banking and passwords, and authorise purchases on app stores and online retailers. There are numerous concerns regarding this technology, most pertaining to the security of using biometrics and the safety of such unique data once it is stored.
Facial recognition is not a new technology. Neither is it infallible. As far back as 2009, security researchers proved that the software could easily be fooled by a good quality photograph, while more recently in 2015, Dan Moren, a writer for Popular Science, tricked an Alibaba facial recognition system simply by using a video that included himself blinking (the blinking is necessary because registering for facial recognition technology typically requires users to hold their smartphone camera up to their face and blink or smile to prove liveness). Apple argues that its Face ID software will not be as easily fooled – or hacked, for that matter. This is because the new iPhone X uses an infrared system, TrueDepth, to project a grid of 30,000 invisible light dots onto the user’s face, after which an infrared camera captures the distortion of that grid as the user rotates his or her head, creating a 3D map of the user’s face. The technology is like that used by special effects artists to capture actors’ faces and morph them into animated characters.
While this sounds secure, Marc Rogers, a security researcher at Cloudflare, believes that in time, hackers will find a way to crack this. His suggestion as to how: a 3D print of a target’s head. “The moment someone can reproduce your face in a way that can be played back to the computer, you’ve got a problem. I’d love to start by 3D printing my own head and seeing if I can use that to unlock it.”
One of the fundamental problems with facial recognition is that, unlike a passcode, faces do not change. So, if someone successfully captures your likeness in a way that can fool facial recognition software once, they can fool it 100 times. Moreover, if you are mugged or arrested or otherwise detained, it will not be possible to hide your face to stop someone from gaining access to your device. While Touch ID suffers from this same dilemma, the difference is that a person’s face is public and today, very likely to be widely – not to mention easily – found on social media platforms, or the Internet in general.
Using your face, one of the most obvious things about you, to access something that holds sensitive data is, well, a little daft, really. Returning to the whole 3D facial photostat idea, researchers at the University of North Carolina recently proved that it is, in fact, possible to successfully reconstruct a 3D virtual model of someone’s face using nothing other than photos found on Facebook. Their model was good enough to fool not one, not two, but five different facial recognition applications they tested it against, and they had up to an 80% success rate doing it.
Of course, what should not be overlooked is that criminals are unlikely to go to the extreme of 3D printing the average person’s face to gain access to their phone. Also noteworthy is that one could always deactivate that particular security feature on their phone, or perhaps only enable it for certain applications, and revert to using a traditional numeric passcode. So, there are ways around this.
What is giving security experts – along with conspiracy theorists – more cause for concern is that, as the capturing of people’s fingerprints becomes increasingly common, so does the likelihood that supposedly secure systems can be hacked and the fingerprints leaked or stolen, as happens with passwords and credit card information. Some experts argue that a fingerprint is even easier to steal than a password. And, once someone has an image of your fingerprint, creating a mould and model of it is no more difficult. Once your fingerprint has been captured, there is no changing it like your 0123 access code.
Unique, permanent biological identifiers are very valuable to hackers – they have it, they have you. Security experts are thus pretty firm in their insistence that the use of biometrics to access things should be carefully considered.