
SoylentNews is people

posted by martyb on Saturday November 02 2019, @04:26AM
from the under-your-thumb dept.

Submitted via IRC for AndyTheAbsurd

Hackers Unlock Any Phone Using Photographed Fingerprints In Just 20 Minutes

According to the Chinese blog Abacus, Tencent's X-Lab team showed how this technique works at the recent GeekPwn 2019 hacking conference in Shanghai. X-Lab's leader Chen Yu asked an audience member to touch a glass and took a photo of the fingerprints.

Yu then ran the photo through an app they have developed in house, which extracts and processes the necessary data to clone a physical fingerprint. The team didn't show the physical cloning process, but we can assume that they used a 3D printer like other people have done in the past. He then proceeded to use the cloned fingerprint to open three smartphones that had been registered with the audience member's fingerprint — plus two event registration machines that use fingerprint scanners.

[...] Each of those phones used one of the three existing fingerprint scanning technologies: capacitive, optical, and ultrasonic, like the one in the Samsung Galaxy S10. The latter one is especially worrying, since this technology is supposed to avoid this type of hack by scanning the three-dimensional structure of your fingerprint.

[...] In other words: fingerprint security sucks. And facial identification is not that much better, really. If you are really worried about security, the only thing you can do is probably use a longer password.

Still harder than shoulder-surfing or having no password, right?

 
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Runaway1956 on Saturday November 02 2019, @04:52AM (7 children)

    by Runaway1956 (2926) on Saturday November 02 2019, @04:52AM (#914951)

    If you are really worried about security, the only thing you can do is probably use a longer password.

    I would say that if you are worried about security, use that longer password, AND biometrics. Let's back up a bit. "Something you know, something you have, and something you are".

    http://www.pearsonitcertification.com/articles/article.aspx?p=1718488 [pearsonitcertification.com]

    Understanding the Three Factors of Authentication

    Authentication is the first step in access control, and there are three common factors used for authentication: something you know, something you have, and something you are. This article provides you with a good understanding of the three factors of authentication and how they can be used together with multifactor authentication.

    IMO, it has been sufficiently demonstrated that one factor authentication is almost trivially bypassed. Two factor is less trivial, but 2fA is being bypassed. When we are offered three factor, we need to adopt it, and quickly. Meanwhile, the factors all need to be improved upon. A fingerprint scanner, for instance, shouldn't be so easy to bypass. The scanner should be able to distinguish between a living human finger, and some crap stirred into paste or film to resemble a human fingerprint.

  • (Score: 2, Interesting) by Anonymous Coward on Saturday November 02 2019, @07:12AM (4 children)

    by Anonymous Coward on Saturday November 02 2019, @07:12AM (#914993)

    One factor authentication, passwords, have not been shown to be able to be effectively bypassed, let alone trivially, in any way, shape, or form. They just require a modicum of intelligence: e.g. - don't make your password dragon1992. I will grant there is the issue of sites being idiots. And while I tend to be very much against regulation, this is one area I think it is entirely appropriate. Any site storing passwords unsalted, let alone in plain text? Screw fines, the punishment is branding "I am an idiot who should never be trusted to run a business" into the forehead of all chief executives, and seizing their company as well. Second violation is where we start to get draconian. That's just so incredibly reckless and negligent in today's digital age. And it takes basically 0 effort to engage in these security precautions which would make literally 100% of password hacks or "leaks" completely irrelevant.

    Biometrics also have a much more insidious downside. They are like SMS messages (which result in giving companies your phone number) on steroids - they are the ultimate tracking mechanism that let companies verify a personal identity which can then be shared/traded/sold with their partners to build a tremendous profile on any given individual across all sites they visit all with 100% certainty that who is being profiled is who they think it is.

    No qualms with things such as RSA generators beyond the fact that they're ultimately useless since basically all sites will allow you to reset your generator even if you lose your generator and your 1-time emergency key for it. If you're not willing to say 'Sorry, tough luck.' when a security device becomes 'unavailable' then that device is not providing security but a false sense of security, and that is perhaps even worse than no security at all.

    • (Score: 3, Interesting) by Runaway1956 on Saturday November 02 2019, @08:05AM (2 children)

      by Runaway1956 (2926) on Saturday November 02 2019, @08:05AM (#915010)

      There's not much point in arguing that passwords are trivial. Instead, just follow the instructions on this page.

      https://smartechverse.blogspot.com/2015/06/crack-windows-admin-password-and-sam.html [blogspot.com]

      I only hang around the outer fringes of the hacking world, but I have cracked dozens of Windows passwords. Hacking and cracking is all well and good, but simple social engineering has given me other passwords. Your recognition that idiots operate sites makes it clear that passwords can be "cracked" by means that don't require access to the computer, or the system on the computer, or even access to the victim. Ahhhh, the beauty of the cloud!!

      We need to remember that passwords, and the security that they provide, are just an arms race. Someone dreams up an "unbreakable" password scheme, and someone else breaks the scheme, then the first person attempts to close up the vulnerability, and some third person comes along and opens up a new vulnerability.

      In and of itself, a password can be "good enough" for most of our purposes. But, today, the NSA does indeed trivially break many if not most passwords. If the NSA has to devote significant resources to crack a password, then yeah, you have a pretty good password - but the NSA's resources grow and improve every year.

      I insist that passwords alone aren't enough, if you're really serious about security. 2fA and 3fA are either necessary today, or they will soon become necessary. Those who are NOT serious about security may disregard all of the above.

      • (Score: 0) by Anonymous Coward on Saturday November 02 2019, @06:49PM (1 child)

        by Anonymous Coward on Saturday November 02 2019, @06:49PM (#915076)

        This is wrong. Passwords are the best form of security overall, as long as they are implemented properly. There is no "arms race," not really. Passwords are as strong as the implementation they use, sometimes the implementation is weak. Good implementations are well understood and available freely. While many hashing functions eventually get broken, this comes with literally years of advance warning, making it easy to upgrade the hash.

        The biggest problem with passwords is the reuse of weak passwords, which requires the user to break two of the three characteristics that make up a good authentication factor for the sake of their convenience. System builders insisting on passwords that are easy for computers to break but hard for humans to remember is part of the problem as this encourages users to do just that.

        Even if you assume that password databases are always stolen, which isn't even a terrible assumption, they are still better than biometrics, which are equally easily stolen, except that a breach of your biometric data permanently breaks it forever no matter what you do. It's the same as if, after someone stole your password, instead of having to change it, you had to use that same password everywhere for the rest of your life.
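Added example, not part of any comment in this thread: a sketch of the two storage points raised above, per-user salting and upgrading a weak hash at the next successful login. The record format, function names and iteration counts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed policy for this example (assumption, not from the thread):
# records are "algo$iterations$salt_hex$digest_hex", all PBKDF2-HMAC.
CURRENT_ALGO, CURRENT_ITERS = "sha256", 600_000
ALLOWED_ALGOS = ("sha1", "sha256")  # sha1 accepted only to verify old records

def hash_password(password, algo=CURRENT_ALGO, iters=CURRENT_ITERS):
    """Create a record with a fresh random salt, so equal passwords differ."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iters)
    return f"{algo}${iters}${salt.hex()}${digest.hex()}"

def verify_and_upgrade(password, record):
    """Return (ok, new_record); new_record is set only when the stored
    record used different parameters from the current policy."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo not in ALLOWED_ALGOS:
        return False, None
    candidate = hashlib.pbkdf2_hmac(
        algo, password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
        return False, None
    if (algo, int(iters)) != (CURRENT_ALGO, CURRENT_ITERS):
        # The plaintext is only available at login, so re-hash now and
        # let the caller overwrite the stored record.
        return True, hash_password(password)
    return True, None

if __name__ == "__main__":
    # Constructed legacy record: SHA-1 with a low iteration count.
    legacy = hash_password("correct horse battery staple", "sha1", 1_000)
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print(ok, upgraded.split("$")[:2])
    print(verify_and_upgrade("dragon1992", legacy))
```

Accounts that never log in again keep their old records, so a migration like this is usually paired with a cutoff after which stale records are invalidated.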

        • (Score: 2) by Runaway1956 on Saturday November 02 2019, @07:02PM

          by Runaway1956 (2926) on Saturday November 02 2019, @07:02PM (#915082)

          Wait a second, please. Let me be clear that I have NOT claimed that biometrics are somehow better than passwords. My only claim here, is that using both biometrics and a good password will improve your security. If I were to compare the relative virtues of biometrics and passwords, I would have to say that passwords are almost certainly better. As you say, don't use a weak password.

          The near ultimate security scheme? Biometrics unlocks the screen, which immediately asks you to enter your password. That is, no one should ever get to the log-in screen before the system screens them biometrically. Password taken care of - you're asked for your dongle thingie, whether it be a chip card, USB key, or whatever. Three factor authentication, and if you can't get one of the three, you don't get in.

          For the really ultimate in security, 3 successive failed attempts to access the system results in the device melting down irrecoverably. That was a concern when the FBI was trying to get into the phone from the Inland shooting incident.

    • (Score: 2) by vux984 on Saturday November 02 2019, @11:34PM

      by vux984 (5045) on Saturday November 02 2019, @11:34PM (#915158)

      "No qualms with things such as RSA generators beyond the fact that they're ultimately useless since basically all sites will allow you to reset your generator even if you lose your generator and your 1-time emergency key for it."

      This is pretty much it right here.

      That said...

      One factor authentication, passwords, have not been shown to be able to be effectively bypassed, let alone trivially, in any way, shape, or form.

      Well, except for all the truly shitty "I forgot my password" reset systems out there.

  • (Score: 0) by Anonymous Coward on Saturday November 02 2019, @06:28PM

    by Anonymous Coward on Saturday November 02 2019, @06:28PM (#915073)

    "Something you are" is not an authentication factor. People like to pretend it is, but it isn't. Spreading this misconception is dangerous.

    To be an authentication factor, something must be:
    * difficult to copy
    * changeable
    * shared only with the entity you are authenticating with

    The first one is why passwords are encrypted. Security tokens are strong, passwords are strong under the right circumstances, and biometrics are mediocre.

    The second one is obviously strong for passwords, weak but possible for tokens, and a complete failure for biometrics.

    The third is strong for tokens, good for passwords if you don't reuse them, and again a complete failure for biometrics.

    Biometrics are weak on one count and a complete failure on the other two. The only advantage is that they "seem futuristic." That is not useful.

  • (Score: 1, Informative) by Anonymous Coward on Sunday November 03 2019, @04:05AM

    by Anonymous Coward on Sunday November 03 2019, @04:05AM (#915209)

    If you are using an Android based phone, you are kinda out of luck on using a long passphrase. Older versions could be made to use a long secure boot passphrase with a short convenient unlock code (it required running commands in an ADB shell to do it, though).

    Android 9 removed the ability to use those ADB shell commands to set a strong passphrase for on boot.

    Android 10 removed the ability to use full disk encryption-- completely. Only per file encryption is supported now (unencrypted metadata). And, since it uses the (typically 4 digits) lock code, a trivial thing to break.

    For these, and many other reasons, I hope the Librem 5 / Pinephone turn into something real.