With just one touch of your finger, you could unlock your phone and access all your most sensitive files. Or, you can verify a purchase for groceries, video games or concert tickets. Banking apps even let you verify bill payments or money transfers with just one tap.
But what if that fingerprint was not yours but rather a convincing fake? Research from New York University and Michigan State University suggests that vulnerabilities in fingerprint verification allow for partial fingerprint matches to unlock security features. The use of so-called MasterPrints, which share a wide range of universal qualities with other fingerprints, can allow hackers to attack phone systems and try to come up with a match.
With the simulated MasterPrints, researchers were able to successfully receive a match 65 percent of the time. In real conditions and with real phones, the success rate could be much smaller, but the research indicates the danger of individuals and companies giving up sensitive data and giving hackers free rein over their devices.
Big companies in Stamford, CT and areas beyond will have to increasingly look to cyber security services to proactively respond to possible threats and implement best practices to reduce their risk.
Correctly guessing the exact pattern of someone’s full fingerprint on their index finger is next to impossible. But that’s not what researchers in the aforementioned study attempted to do. Instead, they recognized that security features introduce a lot of wiggle room. The system only needs a partial fingerprint match, such as the upper left region of your pointer. It also can accept multiple fingers, such as both pointers and both thumbs.
This flexibility, combined with the generous nature of match checks, means an attacker does not need to fool a system into thinking they have person X’s exact full pointer fingerprint. A generic MasterPrint that kinda-sorta looks like one of the partials on one of the possible fingers is enough.
“It’s as if you have 30 passwords and the attacker only has to match one,” one of the study’s authors told the New York Times.
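The "30 passwords" effect can be put in numbers. The following is an added example, not code from the study or from any phone vendor: it models how the device-level false-accept rate grows with the number of enrolled partial templates and the attempts allowed before lockout. The per-comparison false match rate (0.001), the attempt count and the 1 percent target are constructed values, and comparisons are assumed independent, which is a baseline for a random impostor print rather than a MasterPrint chosen to match many people.

```python
import math

def device_false_accept(per_compare_fmr, templates, attempts=1):
    """Chance that at least one enrolled partial template falsely matches
    within `attempts` tries, assuming independent comparisons."""
    comparisons = templates * attempts
    # log1p/expm1 keep precision when the per-comparison rate is tiny
    return -math.expm1(comparisons * math.log1p(-per_compare_fmr))

def required_per_compare_fmr(target, templates, attempts=1):
    """Inverse: the per-comparison rate the matcher must achieve so the
    device as a whole stays at or below `target`."""
    comparisons = templates * attempts
    return -math.expm1(math.log1p(-target) / comparisons)

def max_templates(per_compare_fmr, target, attempts=1):
    """Largest number of enrolled partial templates that keeps the
    device-level false-accept rate at or below `target`."""
    n = math.log1p(-target) / (attempts * math.log1p(-per_compare_fmr))
    return math.floor(n + 1e-9)

if __name__ == "__main__":
    FMR = 0.001  # constructed per-comparison false match rate
    print("templates  attempts  device false-accept")
    for templates in (1, 8, 30):      # 30 echoes the quote's analogy
        for attempts in (1, 5):       # constructed lockout limits
            rate = device_false_accept(FMR, templates, attempts)
            print(f"{templates:9d}  {attempts:8d}  {rate:.4%}")
    need = required_per_compare_fmr(0.01, 30, 5)
    print(f"per-comparison rate needed for a 1% device rate: {need:.2e}")
    print("max templates at 1% device rate, 1 attempt:",
          max_templates(FMR, 0.01))
```

A matcher that looks strict per comparison can still be loose per device, so the enrollment count and the lockout limit have to be budgeted together with the match threshold.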
Fortunately, the conditions of the study were idealized. The fingerprint-matching software the researchers used was off-the-shelf and likely pales in comparison to the technology actually used in Apple devices and Google’s Android systems. However, since Google allows other device manufacturers to create their own iteration of Android, the fingerprint technology those manufacturers decide to use could be just as insecure.
Ultimately, the research points out a growing issue as increasing use of safeguards like fingerprint technology introduces unanticipated risks for personal systems and sensitive data.
Security needs are evolving every day as new technology and risks are introduced. Organizations must anticipate these threats and respond to them proactively, before they are affected.
Cyber security services like professionally installed firewalls, Virtual Private Networks (VPNs), mobile device action plans and more can help anticipate risks and prevent security breaches. Learn about the cyber security services you can use to strengthen your organization’s defenses by visiting our services page.