by jenamety 3465 days ago
I'm seeing two (obvious) bigger picture trends here that this story reinforces.

1. Digital authentication for purchasing is moving towards non-transferable biometrics (I can't divulge my thumbprint like I can my PIN)

2. Goods of all kinds are being delivered faster

The scary thing for me is that thieves love goods delivered quickly, so they can turn them quickly, and cut down on their ability to get intercepted.

So what does the 'mugging' or identity theft of tomorrow look like? Am I taken at my doorstep and forced to make purchases from my phone with my thumb, while a drone arrives 10 minutes later with 10 iPads OR do I have my phone stolen and thumb lopped off with tree clippers so the fraudster has more time? What happens as retinal scanning becomes more common? What if it is my blood that unlocks my finances & credit?

edit: I've heard thumbs are available for purchase


The most fascinating part for me is that 6 year old managed to find a way to circumvent biometric security without hacking off someone's finger: authenticate while the user is asleep.

Necessity is truly the mother of innovation.

And I thought me using a keylogger as a teen to access my mom's AOL account was impressive. Clever 6 year old.
I wish my tech arms race with my parents had been simple... I had to socially engineer my dad into logging into the router on my desktop (no keylogger, just Firefox password saving) so I could bypass whatever he was doing to cut me off at midnight.
In some ways mine wasn't as simple as it seems. My primary source of consistent access to the internet was a 1 hour time-limited, content-restricted AOL account. I had to learn and acquire anything I needed within those confines. Even Google was blocked... I had to use some weird, generic search engine. And I couldn't escape to do these things at school because their computers were even more locked down/monitored. After I got busted for using the keylogger (less than 24 hours later), I discovered the wonderful world of using fake info to get unlimited Juno trial accounts (x hours for free!!)
My solution was much more elegant: spoof his MAC address.
Yeah, one thing he did was MAC filter me. But for a while he was changing the hidden SSID by one letter. I was so happy to discover that.
I rewired our telephone lines so that I could switch off the downstairs phone from my bedroom while using my modem. It took my Dad about two days to figure out what was up and find the switch under my desk.
Many friends of mine disabled that feature right after the story about someone's wife unlocking it while he was asleep. That can be orders of magnitude more expensive than $250, in one touch.
Anyone for whom this is a concern should probably consider divorce.
And... why? What profit do you get from divorce that covers all economic and moral expenses (let's consider a family with children)?
You think the problem in that marriage would stop with iPhone purchases?
When your first thought in terms of your marriage is economic and moral expenses, you have a bigger issue within your marriage than whatever may be on your phone.
Seriously, agree.
Seriously, how many people have things on their phone that they are desperately trying to keep hidden from their SO (and still don't DELETE THE STUFF)?
If you are hiding stuff from your spouse you have larger issues that you should acknowledge and address. With regards to the article, parents need to disable in-app purchases on any device a child can reasonably be expected to get access to.
You could hide stuff from your spouse for many good and bad reasons. Maybe you are preparing a surprise gift and you took photos. Maybe your spouse has a bad spending habit and will ruin the both of you, so you hide the other bank account. Maybe your spouse is abusive and is threatening to leave you at any moment, so you hide money to get ready for that day. Maybe your spouse's parents are calling you regularly to see how they are doing. Maybe, maybe, maybe.
Maybe you're questioning your sexuality and aren't sure how to discuss it with your super born-again religious wife.

(I saw this come up in a Facebook group a few months ago)

[Posting sort of anonymously] My spouse and I will probably never see eye to eye on porn. I agree that it's a bigger issue, but do I need to address it?
Definitely a much bigger debate (and off-topic)

For me it was a matter of porn not being as important to me as she was so the porn had to go. Plus for some people, porn does affect their own interactions with their partner negatively (reduces sexual drive, reduced sexual interest in their partner since s/he isn't like what they see in porn, etc.). Some people also view their spouses' watching porn as a sign that the one who doesn't like porn is inadequate - which leads to all sorts of insecurities coming out.

As usual, different strokes for different folks. Whether you _need_ to address it is entirely up to you and what you want from your relationship.

(I do know couples who both were into porn and that didn't cause an issue)

> Digital authentication for purchasing is moving towards non-transferable biometrics (I can't divulge my thumbprint like I can my PIN)

Yes you can. In fact, it's a lot easier for you to do so involuntarily.

EDIT: And, it should be noted, once it has been "divulged" or otherwise compromised, it's a lot more painful to change your thumbprint than a PIN or other non-biometric password.

Yeah, plus you stamp it in oil on everything you touch. For the billionth time, fingerprints are usernames, not passwords. If you model it as such, you get a much more realistic idea of where it is and isn't appropriate to use.
Don't fall for the myth of biometrics. It wasn't a thumbprint protecting this phone. It was a digital representation of a print. That representation was then compared against data from the thumbprint reader. The match need not be exact as no two scans are ever identical. Know the general shape of the print, know the boundaries that are acceptable to the comparison machine, and you can substitute digital data for a physical thumb. It's just easier in most situations to manufacture a thumb. Germany's Angela Merkel's thumbprint was recently duplicated from photographs taken during a press event. While we cannot change or withdraw our biometrics, hackers can certainly steal and copy them. So they are a non-starter IMHO and I never recommend them to clients. (Also, lesser legal protections.)
There's a cool dystopian-ey youtube video briefly looking into that topic, among other things: https://www.youtube.com/watch?v=YJg02ivYzSs
very cool, thanks
I had to disable Touch ID on my iPhone out of frustration. It works for me maybe 1 out of 10 times no matter which finger I try to use (my wife has no problem with hers).

But I've always had trouble with fingerprint readers. At the DMV, govt ID card office (back when I was in the Army), etc. "Place your finger on the scanner. Nope, try again.. press harder. No, harder."

I have no idea what's wrong with my fingers :|

Certain professions have a big problem with fingerprints.

Most notable: brick masons. The fingerprints are damaged and smoothed out over the years by acids in the cement and the roughness of the bricks.

Rock climbers too. Fingerprints just get worn down.
Have you tried registering the same finger 5x?
I've heard that people with hyperhidrosis have a lot of trouble with biometric devices as well as smartphones. If your skin is too moist it just kinda gums up the works.
I have a lot of problems with touch screens. Some screens refuse to register my touch, and other screens register my touch before I even make contact with the screen. If you turn on developer tools in Android and look at the "touches", you can see them registering all over if I have my fingers a cm or so above the screen.

I have really moist skin, so I wouldn't be surprised if this was the issue. I had a fingerprint reader on my gen 1 Motorola Atrix and that worked just fine though. I think the company that built that authentication system was purchased by Apple and used in the iPhones. I wonder if his wife would have the same issues with his phone, it might be that his fingerprint scanner is less sensitive.

Makes sense, my biggest annoyance with the fingerprint reader is that it doesn't work reliably if your finger is at all wet (like while cooking).
Sounds like low ridges that mess with the scanners.
I have scarring across my fingerprints that changes fairly frequently (serious injuries when younger coupled with powerlifting regularly now; unnoticeable but definitely not static). I am an edge case but surprisingly only had infrequent issues.

I don't use thumb scanners anymore though as inevitably my finger will change! It definitely isn't for everyone.

"I'm seeing two (obvious) bigger picture trends here that this story reinforces.

1. Digital authentication for purchasing is moving towards non-transferable biometrics (I can't divulge my thumbprint like I can my PIN)"

Unfortunately, your thumbprint can be replicated and used. Check out this news story - police actually 3D printed a murder victim's finger to unlock their phone - http://www.theverge.com/2016/7/21/12247370/police-fingerprin...

> 1. Digital authentication for purchasing is moving towards non-transferable biometrics (I can't divulge my thumbprint like I can my PIN)

It's an interesting topic as we've seen in recent news coverage that authorities can compel the accused to provide a thumbprint to give investigators access. While this may be in accordance with something like password authentication, I'm still concerned about the ramifications. For example, what if authorities compel accused individuals to store their thumbprint rather than use it directly? Is that possible? And how will it be protected?

That's a feature of something-you-have auth.

We had a business problem several years ago where a population of users who didn't need individual access control needed controlled access to a system based on where they were and if they were assigned a specific task.

The solution was an RSA token mapped to a device specific user account. The single auth factor was the rotating code.

The upside of this is that we got to control access to a system potentially available to the public in an environment with high turnover and other operational challenges. The downside is that whoever possessed the token (picture an old style bathroom key tied to a big stick) could access the system.

Your thumb is that token. If you need more identity assurance, you need more factors or a protected secret. iPhone offers the latter. If your opponent is someone with subpoena power, you need to think about what and why you're doing stuff on your phone.

In Mexico, you need to let the government scan ALL your fingerprints (and iris) in order to obtain an Electronic Signature.
The scary part of that trend is that biometrics should not be replacing passwords. User ID, fine, but fingerprints are something you have, not something you know.
Rather than calling it "something you know", it should be called "something you can forget if needed."
Even for IDs, we need to be careful. They can't be the end-all solution, because they aren't permanent (I know people who have accidentally lost their thumbprints through burning, for instance). Phones today get around that by making you also set a pattern or PIN to get in.
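The two points made above (a scanner compares a stored digital template against a fresh, never-identical scan within a tolerance band, and a fingerprint is a username or token rather than a secret you can rotate) can be shown in a toy model. This is an added example, not code from the thread or from any real fingerprint stack: the 64-bit template, the Hamming-distance matcher and its threshold are constructed stand-ins for a real feature extractor.

```python
"""Toy model: why a fingerprint template behaves like a token, not a password.
Constructed example; real matchers compare minutiae, not 64-bit strings."""
import hashlib
import hmac
import os
import random

TEMPLATE_BITS = 64
MATCH_THRESHOLD = 10  # assumed tolerance: accepted Hamming distance between template and scan


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def noisy_scan(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh scan: no two scans are identical, so flip `flips` random bits."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def biometric_match(stored: int, scan: int) -> bool:
    """Approximate comparison: the stored template must stay in a comparable form,
    so it cannot be reduced to a one-way hash the way a PIN can."""
    return hamming(stored, scan) <= MATCH_THRESHOLD


def enroll_pin(pin: str) -> tuple[bytes, bytes]:
    """Store only a salted, slow hash of the PIN; the PIN itself is never kept."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify_pin(record: tuple[bytes, bytes], pin: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


def demo() -> dict:
    rng = random.Random(7)
    enrolled = rng.getrandbits(TEMPLATE_BITS)
    hashed = lambda t: hashlib.sha256(t.to_bytes(8, "big")).digest()
    record = enroll_pin("1234")
    record = enroll_pin("9182")  # PIN rotated after compromise; old record discarded
    return {
        "genuine_noisy_scan": biometric_match(enrolled, noisy_scan(enrolled, 4, rng)),
        "different_finger": biometric_match(enrolled, enrolled ^ ((1 << 40) - 1)),
        "hashed_template_still_matches": hashed(enrolled) == hashed(noisy_scan(enrolled, 1, rng)),
        "old_pin_after_rotation": verify_pin(record, "1234"),
        "new_pin_after_rotation": verify_pin(record, "9182"),
    }
```

The third result is the crux: one flipped bit breaks a hashed comparison, so a fuzzy biometric check cannot be protected by hashing, while the PIN record can be both hashed and replaced.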
Well, a common type of robbery in Brazil is what's called "lightning kidnapping" due to this reason. Assailants take people by force in order to make them withdraw money from ATMs using biometric security.
To be fair, 'sequestros relâmpagos' (lightning kidnappings) were around long before biometric security in ATMs, and are still used today even with non-biometric security (PINs).
They'd need your whole hand, since any finger can be used for a smartphone biometric scanner.

Truthfully, lots of different scannable areas will unlock a phone. I've successfully and reliably configured my toes, the knuckles on my hands, and the tip of my nose. All of them work pretty well.

Unless observed using biometric security in a specific manner, an adversary might have a hard time deducing what kind of print will provide access.

Even if they've determined that the phone contains biometric scans tied to security, how would they know it's yours, and not someone else's, or even a specially printed 3D key ring fob or something?

Then again, criminals don't always think deeply about such details during a crime. They might just chop off both hands, grab the phone, and figure out the rest on the run.

It will be very satisfying to know they can't unlock your device after they hack off your fingers.

Tongue only slightly in cheek.

Well, only in cheek until it too is removed in search of the unlocking appendage.
If you're robbing an iPhone user, you'd probably be safe hacking off a thumb. Can't imagine many people give up the convenience of using their thumbs to unlock.

With me they'd have to take my index fingers because I've got a phone with the reader on the back of the device (which, imo, is the best place to put it, as far as convenience goes.)

> If you're robbing an iPhone user, you'd probably be safe hacking off a thumb. Can't imagine many people give up the convenience of using their thumbs to unlock.

Anecdotal, but I know people who have configured only the index finger to unlock the phone because they prefer it to the thumb.

If you wanna know something and he won't tell you, cut off one of his fingers. The little one. Then tell him his thumb's next. After that he'll tell you if he wears ladies underwear.
Chopping off your thumb is only in movies, where logic barely exists. In real life, you can cancel your funds and reverse their fraudulent transactions.
How're you gonna do that without thumbs?
Use your pinky to dial your bank on your landline ;)
Always register another finger with Touch ID.

Or a toe. I got bored and tried a toe. It worked. But I'm not putting my feet on my iPhone again.

"Ok Google, call the bank..."
My gym offers a premium membership that, among other things, gives you access to a secondary locker room with private lockers, laundry services, etc. Members access this room through the regular locker room. There's a frosted glass door in back, past the "regular" lockers (in quotes because at $150 a month there's nothing regular about standard membership). To the left of the glass door one finds a retinal scanner.

Yup, these morons are giving a gym more money and their retinal scan to have private lockers and laundry services. I'm sure they feel James Bond-ish by unlocking a door by staring into the little device on the wall.

No thanks, I'll keep my "regular" membership.

> I can't divulge my thumbprint like I can my PIN

You divulge your thumbprint when you grab hold of a glass at a restaurant or a door handle in a public space.

I suspect they meant divest. They can't get rid of the thumbprint like they can an insecure pin/etc.