10 MILLION FINGERPRINTS HACKED
Biometric passwords become epic disaster
‘Mary Master’s Minor Miracle’ was immensely popular for Virtue Studios, the New York-based software studio. Their puzzle game achieved 10.1 million paid downloads in its first week in the Apple App Store.
This morning, those customers will be cursing Virtue Studios.
Last night, their servers were hacked and all of their customers’ personal data compromised. Ordinarily, this wouldn’t be so bad, but Virtue is using Apple’s new Fingerprint Password Service for permitting micro-payments during the game. In contravention of Apple’s terms of service policy, Virtue was storing those fingerprint hashes on their own servers.
Instead of simply changing their passwords, however inconvenient that might be, users now have to worry that their fingerprints are out in the wild.
The exact impact of the disaster is difficult to quantify. Most mobile phones require biometric verification of one form or another, and Apple’s is the leading format. Apple has yet to respond.
As Bruce Schneier, a security expert, says, “Biometric identity is a useful login, but it should never be a password. How do you change your fingerprints, iris, or other personal characteristic once they are compromised? And, as the Virtue situation proves, no matter how careful, that security will be compromised.”
Biometric security systems were to have rid us of the tyranny of remembering passwords, but now it appears they are even worse.
ANALYSIS >> SYNTHESIS: How this scenario came to be
September 2013: iPhone 5S Biometric Sensor Hacked
Apple’s iPhone 5S has barely been on sale two days and its cutting-edge biometric fingerprint sensor has already been compromised.
“The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as an access control method and should be avoided.”
Apple refuses to comment, simply repeating that biometrics are there to facilitate phone access and not to be used for any other purpose. Given that “password” and “12345” continue to be the world’s most popular passwords, many security analysts are tentatively supportive of the move.
“As long as there is no central database and the hash of the user’s fingerprint is stored only on their phone, then this should be acceptable,” says Shirley Evans, a tech analyst at SuperCrunch, a US-based security consultancy.
December 2013: Target and OKCupid lose 40 million
OKCupid, an online dating service, is hacked, losing the names, email addresses and passwords of 42 million of its users. The trove is immediately used to create so-called “rainbow tables”, which speed up brute-force attacks against other websites. This works because people often use the same password across multiple sites.
Worse, the volume of passwords stolen is so large that it provides a key insight into the way human beings create passwords. Following the hack, which brings the tally of known password breaches to almost 200 million, hackers are able to crack even longer sentence-based passwords.
Things really get bad just before Christmas. Brian Krebs, a leading online security investigator, announces that Target – one of the largest retailers in the US – has had 40 million of its customers’ credit and debit card details stolen through key loggers installed on its point-of-sale systems.
By the end of 2013, consumers and online users are panicking about the extent to which their financial and personal information is at risk. Retailers, in particular, are looking for ways to ring-fence themselves from the risk of being hacked.
“There has to be an alternative to our current insecure systems,” says Alon Herbst, senior security advisor to Target.
March 2014: Apple, iBeacon and secure biometric payments
Apple’s patented Bluetooth Low Energy proximity-sensing technology, iBeacon, was launched quietly in January 2014, but Target becomes its breakout success.
Desperate to recover the confidence of its customers, Target installs iBeacon sensors at checkouts and declares that users will be able to pay using the built-in security of their phone’s biometric sensors. Customers react positively and Target sees a massive increase in sales.
“It’s like Christmas and it’s March,” says a clearly-relieved store manager who wishes to remain anonymous.
Other retailers are quick to jump on board. By the end of March, Starbucks, Walmart, and more than 30 other brands announce they will be installing iBeacon.
Google immediately rushes out APIs for biometric sensors for Android followed by Microsoft for the Windows Phone.
“If consumers no longer trust their local retailer to secure their credit card details, then we must support them,” says Granville Daniels, a security spokesman at Google. “Your phone is in your possession and, with local authentication, it is much safer for the consumer.”
Apple’s iPhone is sold out everywhere.
December 2015: Biometrics are mainstream
After hacks led to an unprecedented 150 million passwords being breached in 2014, only 35 million are released in 2015, as biometric authentication via phone becomes more mainstream.
Bluetooth biometric authentication means people are now able to log in to their desktop computer, and related applications, via their phone. Trusteer’s BioAuth app is downloaded an astonishing 250 million times as it becomes the default app for using a phone to log in to Facebook, Google and hundreds of other sites.
Bruce Schneier, a leading cryptographer, causes controversy when he gate-crashes an Apple product announcement. “What happens when you’re hacked?” he shouts as he’s dragged away.
Later, at a press conference, he says: “We are storing up the most dangerous risk event. All it takes is one hack and this whole edifice crumbles. You can change a password or a credit card number, but how do you change your fingerprints?”
May 2016: Mary Master’s Minor Miracle Mayhem
President Barack Obama is informed of the Apple breach at 03h35 by NSA security advisors. Virtue Studios’ eight employees are woken up at home and their systems declared a national security issue.
The 10.1 million fingerprint hashes are now in the wild. Leading security experts, including Bruce Schneier and Brian Krebs, are brought to a secret location. Apple security experts are similarly brought in.
What was previously a minor irritation to online consumers has become an issue of national importance.
“The risk,” says Schneier, “is that the hacks will be used to breach these individuals’ personal identities. Biometric identity is a useful login, but it should never be a password. How do you change your fingerprints, iris, or other personal characteristic once they are compromised? And, as the Virtue situation proves, no matter how careful, that security will be compromised.”
Apple will need to change the hashing algorithm and roll that out as quickly as possible to render the stolen hashes useless. Shops will need to update their software. 225 million phones must be updated.
Apple, Google and Microsoft are instructed that their systems will be audited by the NSA to ensure that there is no way for anyone to get access to biometric data again.
Links to related stories
- Cards Stolen in Target Breach Flood Underground Markets - Krebs On Security, 20 December 2013
- iPhone 5S fingerprint sensor hacked by Germany's Chaos Computer Club - The Guardian, 23 September 2013
- Why passwords have never been weaker and crackers have never been stronger - Ars Technica, 21 August 2012
- The Difference Engine: Dubious security - The Economist, 1 October 2010
- Biometric Security Poses Huge Privacy Risks - Scientific American, 17 December 2013
Warning: Hazardous thinking at work
Despite appearances to the contrary, Futureworld cannot and does not predict the future. Our Mindbullets scenarios are fictitious and designed purely to explore possible futures, challenge and stimulate strategic thinking. Use these at your own risk. Any reference to actual people, entities or events is entirely allegorical. Copyright Futureworld International Limited. Reproduction or distribution permitted only with recognition of Copyright and the inclusion of this disclaimer.