SoylentNews is people
SoylentNews
Submitted via IRC for AndyTheAbsurd
Hackers Unlock Any Phone Using Photographed Fingerprints In Just 20 Minutes
According to the Chinese blog Abacus, Tencent's X-Lab team showed how this technique works at the recent GeekPwn 2019 hacking conference in Shanghai. X-Lab's leader Chen Yu asked an audience member to touch a glass and took a photo of the fingerprints.
Yu then ran the photo through an app they have developed in house, which extracts and process the necessary data to clone a physical fingerprint. The team didn't show the physical cloning process, but we can assume that they used a 3D printer like other people have done in the past. He then proceeded to use the cloned fingerprint to open three smartphones that had been registered with the audience member's fingerprint — plus two event registration machines that use fingerprint scanners.
[...] Each of those phones used one of the three existing fingerprint scanning technologies: capacitive, optical. and ultrasonic, like the one in the Samsung Galaxy S10. The latter one is especially worrying, since this technology is supposed to avoid this type of hack by scanning the three-dimensional structure of your fingerprint.
[...] In other words: fingerprint security sucks. And facial identification is not that much better, really. If you are really worried about security, the only thing you can do is probably use a longer password.
Still harder than shoulder-surfing or having no password, right?
(Score: 2) by Runaway1956 on Saturday November 02 2019, @07:02PM
Wait a second, please. Let me be clear that I have NOT claimed that biometrics are somehow better than passwords. My only claim here, is that using both biometrics and a good password will improve your security. If I were to compare the relative virtues of biometrics and passwords, I would have to say that passwords are almost certainly better. As you say, don't use a weak password.
The near ultimate security scheme? Biometrics unlocks the screen, which immediately asks you to enter your password. That is, no one should ever get to the log-in screen before the system screens them biometrically. Password taken care of - you're asked for your dongle thingie, whether it be a chip card, USB key, or whatever. Three factor authentication, and if you can't get one of the three, you don't get in.
For the really ultimate in security, 3 successive failed attempts to access the system results in the device melting down irrecoverably. That was a concern when the FBI was trying to get into the phone from the Inland shooting incident.