03 February 2014

MindBullet: 10 Million Fingerprints Hacked. (Dateline: 31 May 2016)

This caused a bit of a reading "double take". Now that the iPhone 5S has moved fingerprint tech into the "mainstream", this is probably something we need to think through. Examine the trend:

a) how many credit cards have leaked over the last couple of years? Hundreds of millions?

b) how many password/user data leaks have we had? Lots! Whether they remained hashed or not is an important part of the argument, but persistence goes a long way in the security argument.

c) how many new startups are coming out of the US/UK that achieve immense scale extremely quickly and often simply don't have the time to ramp up security? Lots!

Knowing that, imagine your fingerprint data leaked. Hmm...

Enjoy this MindBullet from my friends at the FutureWorld group!


10 MILLION FINGERPRINTS HACKED
Biometric passwords become epic disaster

'Mary Master's Minor Miracle' was immensely popular for Virtue Studios, the New York-based software studio. Their puzzle game achieved 10.1 million paid downloads in its first week available in the Apple App Store.

This morning, those customers will be cursing Virtue Studios.

Last night, their servers were hacked and all of their customers' personal data compromised. Ordinarily, this wouldn't be so bad, but Virtue is using Apple's new Fingerprint Password Service for permitting micro-payments during the game. In contravention of Apple's terms of service policy, Virtue was storing those fingerprint hashes on their own servers.

Instead of - no matter how inconvenient - simply changing their passwords, users now have the concern that their fingerprints are out in the wild.

The exact impact of the disaster is difficult to quantify. Most mobile phones require biometric verification of one form or another, and Apple's is the leading format. Apple has yet to respond.

As Bruce Schneier, a security expert, says, "Biometric identity is a useful login, but it should never be a password. How do you change your fingerprints, iris, or other personal characteristic once they are compromised? And, as the Virtue situation proves, no matter how careful, that security will be compromised."

Biometric security systems were to have rid us of the tyranny of remembering passwords, but now it appears they are even worse.

Published 30 January 2014