Samsung's fingerprint flop latest biometric cautionary tale

Summary: Samsung's Galaxy S5 is the latest device to signal that biometrics are still not a solid answer to the authentication problem

TOPICS: Security, Networking

Last year it was the Apple iPhone 5s; this week it is the Samsung Galaxy S5. Both were fooled by similar fingerprint reader spoofs, leaving the biometric debate with another failure to chew on.

It comes as no surprise that the method of the hack is as similar as the 5s/S5 names printed on the devices. Another year of research at Samsung could not come up with anything better against a well-understood attack that dates back to the infamous "Gummy Bear" days. (Japanese cryptographer Tsutomu Matsumoto used gelatin, the ingredient in Gummy Bears, to forge a replica finger that fooled 11 fingerprint scanners in tests in 2002.)

Biometrics have potential and promise, but what they do not have today is universal confidence among those in the security community, a fact that end users should also be aware of.

But it is not all on biometrics; every other authentication technology has its own flaws (looking long and hard at you, passwords). Like most, they are designed for convenience, not for the kind of security that the B2C and B2B Web is finding it cannot live without in the face of relentless hacks.

These biometric flaws, however, take on a new significance when biometric authentication is coupled with, say, financial transactions.

In the Samsung case, the fingerprint scanner carries a higher risk profile than the iPhone's because it is paired with PayPal transactions: a spoofed print that unlocks a phone exposes the data on it, while a spoofed print that authorizes a payment spends money. Apple does not let its fingerprint technology wander off its own platform, which may be as much a statement on the technology as on Apple's platform superiority complex.

In its defense, PayPal appears only to have guilt by association (and perhaps a questionable quick-draw partnership), as the company has said it does not store or have access to fingerprints on the device, and that its security extends beyond mere authentication into fraud and risk management tools and purchase protection policies.

What the fingerprint failures do confirm is that biometrics still need work. The hacks also hint that two-factor authentication (2FA), while gaining favor as an improvement over passwords, may need to include more authentication factors, an approach known as multi-factor authentication (MFA). The factors should come from distinct categories (something you know, something you have, something you are); a fingerprint plus a face scan is two measurements of one category, not two factors.

Those factors may include biometrics such as iris, voice, facial recognition, heartbeats and brainwaves, but could extend to sensors and wearables such as the Fitbit Flex.

While 2FA does improve security, today's device-happy users, who might be accessing an application from the same smartphone that serves as their "second factor", may be negating any tangible gains.

Security experts say two-factor is most secure when the second factor is "out-of-band", that is, delivered or verified over a channel and device separate from the one making the request.

Last year, Gunnar Peterson, managing principal at Arctec Group, told ZDNet, "The smartphone has the ability to simultaneously weaken two-factor because you are going to be using Facebook, Google, Twitter from that device, and is that really another factor if you are pushing your credential back through it? Just because that happens on another channel, is that really as secure as something like a smart card?"

Discussions have turned to MFA, especially with the rise of wearable computing, another device, like the phone, that end users want and are dedicated to carrying.

Those devices can provide geo-location information, activity and status. A Fitbit Flex might be used to record a series of prescribed arm motions, and geo-location may confirm that you are using your laptop (and waving your arms) in your house or office.

These are technologies still in progress as authentication methods, but the upshot is that a combination of contextual signals may ultimately be the best way to determine that you are who you say you are. Of course, hackers will put all of these authentication ideas to the test of time, just as they have done in the past.
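As an added example (not code from the article, Samsung, Apple or PayPal), the following Python sketches a step-up policy that applies the reasoning of the preceding paragraphs: a single spoofable biometric is acceptable for a device unlock but not for a payment, two biometrics count as one factor category, a second factor is only treated as out-of-band when it is verified on a device other than the one sending the request, and a contextual signal (a recognized location) gates the highest-value transactions. The factor names, the 50-unit threshold, the device identifiers and the sample requests are all assumptions constructed for illustration.

```python
"""Step-up policy for biometric-gated actions (added example; not code from the
article, Samsung, Apple or PayPal). It encodes two points from the text: a
spoofable fingerprint must never be the only gate on a payment, and a "second
factor" living on the same phone that sends the request is not out-of-band.
Factor names, thresholds and sample requests are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"    # PIN, password
    POSSESSION = "something you have"   # authenticator app, smart card
    INHERENCE = "something you are"     # fingerprint, face, iris


# Assumed mapping of factor kinds to the three classic categories.
FACTOR_CATEGORY = {
    "pin": Category.KNOWLEDGE, "password": Category.KNOWLEDGE,
    "fingerprint": Category.INHERENCE, "face": Category.INHERENCE,
    "totp_app": Category.POSSESSION, "smart_card": Category.POSSESSION,
}
HIGH_VALUE = 50.0   # assumed amount above which the stricter rules apply


@dataclass(frozen=True)
class Factor:
    kind: str
    device_id: str   # device on which the factor was captured or verified


@dataclass(frozen=True)
class Request:
    action: str            # "unlock" or "payment"
    amount: float          # 0 for unlock
    client_device: str     # device that sends the request
    factors: tuple         # tuple of Factor
    location_known: bool   # geo-location matches a registered place


def distinct_categories(factors):
    """Two biometrics are still one category: count categories, not factors."""
    return {FACTOR_CATEGORY[f.kind] for f in factors}


def has_out_of_band_possession(req):
    """A possession factor verified on a device other than the requesting one
    (e.g. a smart card) is what the article calls an out-of-band factor."""
    return any(FACTOR_CATEGORY[f.kind] is Category.POSSESSION
               and f.device_id != req.client_device for f in req.factors)


def decide(req):
    """Return ('allow' | 'step_up' | 'deny', reason)."""
    if not req.factors:
        return "deny", "no factor presented"
    if req.action == "unlock":
        # Convenience use: a lone biometric is an acceptable PIN alternative.
        return "allow", "single factor accepted for device unlock"
    if req.action != "payment":
        return "deny", f"unknown action {req.action!r}"
    cats = distinct_categories(req.factors)
    if cats == {Category.INHERENCE}:
        return "step_up", "biometric only: a cloned print would authorize spending"
    if len(cats) < 2:
        return "step_up", "fewer than two distinct factor categories"
    if req.amount >= HIGH_VALUE and not has_out_of_band_possession(req):
        return "step_up", "high value: second factor must be on another device"
    if req.amount >= HIGH_VALUE and not req.location_known:
        return "step_up", "high value: unrecognized location"
    return "allow", f"{len(cats)} factor categories satisfied"


# Constructed sample factors: "phone1" hosts the fingerprint reader and sends
# every request; "card7" is a separate smart card.
PRINT = Factor("fingerprint", "phone1")
FACE = Factor("face", "phone1")
PIN = Factor("pin", "phone1")
APP = Factor("totp_app", "phone1")
CARD = Factor("smart_card", "card7")


def _req(action, amount, *factors, known=True):
    return Request(action, amount, "phone1", factors, known)


SCENARIOS = {
    "unlock_print": _req("unlock", 0, PRINT),
    "pay_print_only": _req("payment", 20, PRINT),
    "pay_two_biometrics": _req("payment", 20, PRINT, FACE),
    "pay_print_pin": _req("payment", 20, PRINT, PIN),
    "pay_high_same_phone": _req("payment", 200, PRINT, APP),
    "pay_high_card": _req("payment", 200, PRINT, CARD),
    "pay_high_card_unknown_loc": _req("payment", 200, PRINT, CARD, known=False),
}


def run_scenarios():
    """Evaluate every sample request; returns {name: decision}."""
    return {name: decide(req)[0] for name, req in SCENARIOS.items()}
```

Calling `run_scenarios()` shows the distinction Peterson draws above: a fingerprint plus an authenticator app on the same phone is stepped up for a high-value payment, while the same fingerprint paired with a separate smart card is allowed, and any payment gated by biometrics alone, even two of them, is never allowed outright.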

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • I believe the security threat is way overblown.

    First, you would have to get a good print of the finger that the person used. Second, you would have to have access to the equipment and time necessary to make the print. Third, you would need to have the time with the device to do that. Also, you would have to get it to be acceptable in one of its 5 attempts.

    I still believe that the fingerprint is still good for access to the phone. Now if you're going beyond that as a payment method, then I believe we need to get into something two-factor, like a fingerprint and a four-digit code, before I feel comfortable. But even as it stands, the fingerprint to me is still way better than a signature at a store or the 3 or 4 digit code on the back of the card.

    So while I think it probably was a fun exercise to get around the fingerprint security, how truly successful would it be? What would be fun would be for you all in your office, with your bosses' blessing, to do it to some of the phones in your office.

    I would see there would be two types of tests. One is where you know the person and you would be able to have access to other prints on a glass and such, and be able to watch which finger someone is using.

    The other is more blind, where you get a window of time to observe their behavior, such as at a lunch, or no window of time, such as in a theft.

    I'll bet your success rate is lower than you think, and the level of effort more often than not is not worth what you gain.
  • I know some folks claimed to have hacked the iPhone 5s

    fingerprint reader, but never saw verification of it. Wasn't there a prize available to someone who could demonstrate a workable hack? I don't think anyone ever claimed the prize.

    So, if someone has a link that ISN'T just a repeat of the claim, please post.
    • It was hacked.

      I don't know if the prize was claimed, but the hack is well known, and actually fairly predictable.

      And the point still remains that it's not just some simple hack; these days it's often not simple, but in this case the hack isn't likely to absolutely destroy biometric security. As many have said, it's not a particularly deadly or easy hack.
  • Fingerprint scanner on smartphone: dumbest idea ever.

    Putting a fingerprint scanner on a smartphone is about as dumb an idea as they get. Why? Well, think about it: the phone's screen is, quite literally *covered* with the user's fingerprints. So if you get hold of the phone, all you need to do is lift a fingerprint impression off the screen and feed it back to the scanner. Whatever characteristics the scanner uses to distinguish a "real" finger from an image of a fingerprint are likely not difficult at all to fool... after all, the scanner itself probably costs Apple and Samsung 15 cents per unit.

    It's like hiding a spare key to your front door by taping it to the front door itself with a strip of clear, scotch-tape.
    • Is your implication Apple has sold 2 billion iPhone 5s (s)?

      For your estimate of $0.15 per unit to be correct.
    • Maybe not so dumb...

      @dsf3g... With all the swiping, pinching, and tapping, it may be very difficult to find a usable fingerprint, and more so if the device has a screen protector that is resistant to skin oil. One can add another safety measure: iOS allows five fingerprints to be scanned, so one could simply skip a finger or two that are used most often when touching the screen.

      To use your analogy, it would be like having a bunch of wax keys that you leave on your floor mat, and the mat is in the sun...
    • Enough good for most uses

      I think fingerprint scanning is good enough for most uses... I mean, for unblocking the phone it is good enough, unless you are a very important person... For payments, I would give the option to additionally ask for a password, just to be more sure.
    • Not dumb, maybe you for not getting it.

      If one has a fingerprint scanner on the phone, one can have a stronger password. If your password is 8 characters alphanumeric, having to put that in every few minutes is crazy. BUT if you had a secondary, UNIQUE way of opening the phone, then it works.

      The stupid pins and patterns are USELESS. I know almost everyone's pin at work and home. Because as soon as they put it in it's visible to you. Most people are not worried about strangers finding the phone. Because they are not the ones that will install a game and charge in-app buys to your CC - your own kids do that. Or they are not the ones that are going to go thru your past texts or read emails...etc - maybe your wife/gf may.

      If you truly lose the phone, most phones can be remotely wiped. You'd be dumb not to have that ability nowadays; IT'S FREE. Also, thieves are not interested in your data on the phone; they want the phone. The thieves that are interested in your data do not NEED to steal your phone, just write a little program.

      Secondary security that works fast, reproducible AND unique ONLY to you is a great tool; it's sad tools do not understand these things.
  • phones with cameras can't manage retinal scans?

    Just asking.
    • Nope.

      You have to put the camera within a 1/4 inch of the eye... and then something has to provide light as the camera/phone will block it.

      Second, even managing to take a picture doesn't mean it can't be faked.

      Any biometric measure can be faked - it just depends on how much trouble it is. And to make it reasonably difficult immediately voids the use of the cheap scanners currently used.
      • Core problem for all digital based security...

        If you're not relying on a mechanical lock and key, and instead relying on any security that eventually relies on digitized information to unlock something, the end result will always be that if someone can get to that information, it's game on.

        Of course you can always beat a mechanical lock and key as well, but in that case, because you're dealing with physical 3D security devices, it requires an entirely different approach that might well require a lot of locksmithing and special-equipment expertise that the vast majority, and certainly not hackers, would have.
    • Not at the moment.

      The retina scanners that I have worked with require a fixed position to work accurately, typically a chin rest of some sort. It would be easy enough to use the front facing camera for facial recognition.
      • Facial recognition

        Identical twins...
        What happens if you set up the system, then someone breaks your nose and blacks your eye? Do you have to wait for your face to heal before you can use your phone? More to the point, Facebook facial recognition recognizes my sister as her daughter, or vice versa. Not too reliable, but very good at identifying families.
  • Alternative to PIN

    I seem to remember Apple selling the feature as being something easier/faster than using a PIN or for people that find PINs too annoying and otherwise wouldn't have any locking function. I think of it as a bit like a car alarm. Is it really going to prevent somebody from breaking into your car or even stealing it? No, but it's better than nothing.
    • Biometrics Are The Real Deal

      Ever since Honda employed a kill switch into their car alarm systems, their auto thefts are way down so I disagree with your comment that car alarms don't prevent someone from stealing it. Unless we have proof that these biometric systems can be hacked, these systems are a legitimate alternative to a PIN. And no, I'm not talking about hacking the fingerprint scanner in a lab. That's complete B.S. A criminal isn't going to have the leisure of having a perfectly good fingerprint and a perfectly good medium from which to lift that fingerprint at their disposal.
    • The real point

      is that biometrics are the equivalent of a username, they are not a password.
  • Is it really as bad as the claim?

    watching the video, the guy made an impression of his own finger - not a photograph and mold, and whatever.

    I'm guessing that if a phone is stolen, it won't be stolen with the owner's finger, and if the video is any indication, without the owner's finger to copy, it's a worthless hack.
    • prints on the phone itself would be sufficient

      As long as the thief doesn't mess them up during the stealing.
  • Biometric hacks.

    Both iOS and Windows biometric security have been hacked rather easily in the past. Why should Android be any different?
    • "Rather easily" is a misnomer.

      Just saying.