Not hacked in the normal sense but there have been kids who needed their sleeping parents' phones unlocked, so they just put the phone to their parents' fingers...
Given the amount of media attention there was when the early proof of concept hacks emerged, I'd be amazed if they wouldn't be all over any story that had even the slightest suggestion that someone might have lost data as a result of a stolen phone having been hacked via TouchID.
It's much worse for pictures than fingerprints because most people have tons of pictures of themselves online now, and many are also public. It's probably just a matter of time before malicious hackers start spoofing their identities.
Don't forget all the ongoing advances in the "here's a bunch of pictures, come up with a 3D model of the person" problem, making the spoofing even easier.
Well, we had this idea ten years ago, but the biometric scan was checked for freshness against a database of biometric scans. It was meant to protect the conversation between two peers, however, and not for blind validation.
The idea to protect against this kind of replay attack was that if the algorithm was unsure of the scan it could request a new one, validate it and present it to the user in case of low confidence biometric match or high confidence forgery: the point being that humans are good at detecting the kind of tampering that could fool an algorithm and vice versa.
This required sending the biometric scan to the peer and validating it on the other side of the communication channel instead of on the device.
Well, we weren't technically using it as a password in the end, I guess I'll have a closer look at what they're doing. And check if that old patent is still good. Eheh, not that I have any rights to it left of course.
I'm starting to feel like a grey neckbeard. In my day, when I wanted to hang out with my friends, I called them, from a landline, known simply as "the phone". These days, I'm at or near a desktop/laptop computer almost 24/7 so don't see much need for a smartphone. I dread the day when a smartphone is required to be a part of society. It's shifting in that direction rapidly. If being on Facebook/LinkedIn also becomes a necessity, hopefully I'm already retired and have a beautiful lawn.
I always wonder if there were these old fogeys who complained when the first postal services were brought in in the 19th century. Like "Back in my day, I visited my friends and family because I cared, but now any idiot with a stamp can send me an annoying letter."
>"The Americans have need of the telephone, but we do not. We have plenty of messenger boys." -- Sir William Preece, chief engineer of the British Post Office, 1876.
Radio, planes and X-rays:
>"Radio has no future. Heavier-than-air flying machines are impossible. X-rays will prove to be a hoax." -- William Thomson, Lord Kelvin, British scientist, 1899.
The Grand Canyon:
>"Ours has been the first, and doubtless to be the last, to visit this profitless locality." -- Lt. Joseph Ives, after visiting the Grand Canyon in 1861.
Oil drilling:
>"Drill for oil? You mean drill into the ground to try and find oil? You're crazy." -- Workers whom Edwin L. Drake tried to enlist to his project to drill for oil in 1859.
Nuclear energy:
>"There is not the slightest indication that nuclear energy will ever be obtainable. It would mean that the atom would have to be shattered at will." -- Albert Einstein, 1932.
The germ theory:
>"Louis Pasteur's theory of germs is ridiculous fiction." -- Pierre Pachet, Professor of Physiology at Toulouse, 1872.
Brain surgery:
>"The abdomen, the chest, and the brain will forever be shut from the intrusion of the wise and humane surgeon." -- Sir John Eric Ericksen, British surgeon, appointed Surgeon-Extraordinary to Queen Victoria 1873.
FWIW, I date it from the issuance of the first really convenient paper postage stamp, much like how OP probably is complaining about smartphones post 2007, as opposed to the first mobile phones in the 70's.
Sure, it's easier now, but it wasn't that much of a problem before. Just get an A-Z map of the town you are going to. When I was travelling I always had a Lonely Planet guide. It had most of the information you would be likely to find with online searches, and organised in a helpful way.
People are missing the point: like "chip and pin", this is not about protecting the consumer but about protecting Mastercard and their duopoly.
"What you mean you did not pay for a hooker and rum in Amsterdam, then who is this in a selfie you took" > shows a selfie some hacker stole from the poor eejit's Lifeinvader page.
The software only sends a hash of the "map" of the face to Mastercard for comparison (or so an earlier Dutch article on security.nl put it). They can never show you the original image again.
They don't want to make money safe. Making money safe makes money slow. Pay wave / pay pass and Mastercard/Visa chargebacks are all about getting money moving around more.
How is this supposed to work in low-light and dark environments, like a classy restaurant? What about people that don't have camera phones? This will end up being opt-in only, I'm sure. Can you imagine the checkout at the supermarket as vain people hold the line up while they make up their hair? I really don't see this as becoming commonplace.
I would just be happy if I could actually use my "chip and pin" credit card when performing a transaction. I have yet to find a retailer where I can actually use it.
I'm in the US, and I had never seen anybody actually use it up to a week or so ago, even though lots of retailers are putting in the chip-capable readers. But I've been traveling for the last week or so, and I just ran into a couple of retailers in other states where I had to scan the chip of my cards instead of the mag strip for the charge to go through - and one of them was Target.
So it looks like it is coming to the US, slowly but surely.
There's a better link here [1], which explains with more details.
Main thing seems that it's not just facial recognition, you can use a fingerprint scanner (assuming your phone has one) instead, and that it requires you to blink when you're being scanned by the app. So it doesn't seem to be just static image recognition, it's looking at the video stream to ensure that your face is there and that it can blink (getting around the 'just hold a photo in front of the camera' problem).
Since a video is just a string of images, all the attacker would need is a sufficient number of photoshopped images to show a series that (when stitched into a video) shows the user blinking. I'm pretty sure you could make a Photoshop plugin that would do this.
I'll do you one better: you could probably make a print-out paper 'mask' of a person's face and just blink yourself, or something similar. This kind of tech isn't always as smart as we think.
Seems to me that this is a cheap, relatively smart piece of marketing, rather than a serious proposition - note the heartbeat and voice recognition ideas that they're also "experimenting" with.
Ok, so everyone has pointed out how insecure this would obviously be, and all the simple ways in which you could fool it.
But, I'm left wondering, did the guys at Mastercard never even think this through at all? This is people's money after all. It needs to be safe. Did they not even consider that, as soon as this is rolled out, people were going to see money disappear?
I can't believe they didn't think of that. Which makes me wonder, why am I even reading about this at all?
Credit card companies already have the perfect "security" measure: retroactive limited liability for stolen cards. Nobody loses money because someone steals their credit card.
As such, everything the card companies do in the name of "security" is not to prevent people from losing money—they don't need to solve that problem. They just need to solve the perception people have that credit cards are insecure. In other words, all credit card security (yes, even chip-and-pin) is security theatre. Whether it works or not, it's not there to work; it's there to feel good.
> Credit card companies already have the perfect "security" measure: retroactive limited liability for stolen cards. Nobody loses money because someone steals their credit card.
100% on that. Money is lost all the time, but thanks to that retroactive liability, the bank and/or merchant loses it instead of the consumer. Security for the consumer is already as good as it could possibly get, so they're really saving themselves and their merchants. This is a good thing, because they have a much more direct incentive to save themselves money than to save you money.
The cost of limited consumer liability for stolen cards is spread across all consumers in other card fees (perhaps hidden ultimately in network/merchant fees, and thus spread further in consumer prices.)
In a competitive credit card market (which we may not really have, but that's a different problem) an issuer reducing the incidence of loss would be able to compete better by either lowering charges or providing greater benefits while making the same profit, forcing other issuers to match those features or be driven out of the market.
I don't even have a cell phone. And there is zero chance I would ever get one just so that SlaveCard will process payments for me. That whole industry is like the grandfather that clearly can't drive anymore but everyone's afraid to confront about taking the keys away... why is nobody willing to 'disrupt' these people already?
Long story short, it's a bad idea, and it's really not secure.