Phone Data Security at Your Fingertips

Researchers from New York University and Michigan State University say the key to phone data vulnerability is at your fingertips. Biometrics, namely fingerprints, are a common means of user authentication. But are they as secure as they appear to be? In a study published in IEEE Transactions on Information Forensics and Security, researchers considered the possibility of hackers creating a set of synthetic or real “Master Fingerprints” able to log in to a high proportion of devices.

A smartphone’s fingerprint sensor is too small to capture the whole print, so users are prompted to give multiple impressions of the same finger when setting it up. A user is prompted to give the device eight to 10 images of a finger to make a positive match easier.

Authentication matches only a partial print, the area touching the sensor, against these multiple impressions. For further convenience, some phones allow login using multiple fingerprints, so other fingers are also scanned and their partial prints stored. The researchers found the vulnerability lies in the partial print: many people may have similar portions of their fingerprints even when their full prints do not match.
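The effect of storing many partial impressions can be put in numbers. The sketch below is an added example, not code or data from the study: it assumes every comparison against a stored partial print is an independent trial with the same false match rate, and the rate of 0.001 used in the demo is a constructed value.

```python
import math

# Added illustration, not code or figures from the study.
# Assumption: every comparison of a presented partial print against one stored
# partial print is an independent trial with the same false match rate (FMR).
# Real comparisons are correlated, so treat the results as a rough model.


def comparisons(impressions_per_finger, enrolled_fingers, attempts=1):
    """Number of stored-template comparisons an impostor print gets."""
    if min(impressions_per_finger, enrolled_fingers, attempts) < 1:
        raise ValueError("all counts must be at least 1")
    return impressions_per_finger * enrolled_fingers * attempts


def device_false_match_rate(per_comparison_fmr, impressions_per_finger,
                            enrolled_fingers, attempts=1):
    """Chance that at least one comparison falsely accepts: 1 - (1 - p)^n."""
    if not 0.0 <= per_comparison_fmr < 1.0:
        raise ValueError("per_comparison_fmr must be in [0, 1)")
    n = comparisons(impressions_per_finger, enrolled_fingers, attempts)
    # log1p/expm1 keep precision when p is very small.
    return -math.expm1(n * math.log1p(-per_comparison_fmr))


def required_per_comparison_fmr(target_device_fmr, impressions_per_finger,
                                enrolled_fingers, attempts=1):
    """Per-comparison FMR the matcher must reach to hold a device-level target."""
    if not 0.0 <= target_device_fmr < 1.0:
        raise ValueError("target_device_fmr must be in [0, 1)")
    n = comparisons(impressions_per_finger, enrolled_fingers, attempts)
    return -math.expm1(math.log1p(-target_device_fmr) / n)


if __name__ == "__main__":
    P = 0.001  # constructed per-comparison FMR, chosen only for illustration
    for imps, fingers in [(1, 1), (8, 1), (10, 1), (10, 3)]:
        rate = device_false_match_rate(P, imps, fingers)
        print(f"{imps:>2} impressions x {fingers} finger(s): {rate:.4%}")
    need = required_per_comparison_fmr(P, 10, 3)
    print(f"per-comparison FMR needed for a {P:.1%} device rate at 10 x 3: {need:.2e}")
```

Under these assumptions, enrolling three fingers with ten impressions each raises the device-level false match rate roughly thirtyfold over a single stored template, which is the trade-off between convenience and matcher strictness that the partial-print design creates.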

New and Improved

The iPhone 5S came out in 2013 with a chip twice as fast as the iPhone 5. The device’s camera got a big upgrade including a new flash and slow-motion video. The 5S also debuted new metallic colors. But perhaps the biggest splash was the new ability to log in to the device with a stored fingerprint instead of the tedious task of entering a PIN. The Touch ID fingerprint sensor also allows users to make purchases on iTunes or third-party apps without a password.

Biometrics and Privacy Concerns

Biometrics are viewed as a more secure way to log in, but they may compromise individuals’ privacy. Some of the main privacy issues regarding biometrics are:

1. Data Linkage – There is the possibility that biometric databases can be linked algorithmically for data mining, profiling and investigation.

2. Function Creep – This refers to expanding the scope of a system. For instance, the biometric data may be used for purposes other than the originally described purposes.

3. Data Misuse – Biometric data cannot be replaced or reset, thus they present a high risk for threat or abuse.

4. Security Vulnerabilities – Such vulnerabilities include: interception, replay, substitution, masquerade, spoofing, Trojan horse attacks and tampering.

Partial Print – All Data at Risk

Since the technology only uses partial fingerprints to make a positive match, the researchers hypothesized many users have similar partial prints. The group created a set of master fingerprints, a digital collection of prints with the most common structures found in fingerprints. The master fingerprints matched real prints 65% of the time. It is important to note that the study was conducted using computer simulations and not real smartphones.

Faking It

Biometrics firm Vkansee demonstrated to trade show attendees the ease of using a casting of a print to bypass security features. The firm used dental mold to create an impression of a user’s fingerprint, then filled the impression with Play-Doh to make a cast. The firm used the fake Play-Doh finger to successfully log in to the user’s phone. Researchers at CITeR, the Center for Identification Technology Research, made a 3-D print of a finger to fool fingerprint technology. By filling it with rubber, the 3-D finger can be worn and used to log in anywhere fingerprint biometrics are required. In 2014, a hacker named Starbug claimed he used a photograph of the German defense minister to clone her fingerprint.


Researchers found smartphone fingerprint technology may not be as safe as users think. Smartphones use only partial prints to make positive fingerprint matches because the sensors are small. Users may enter up to ten images of their print to make the authentication easier. The researchers determined there are many commonalities among partial prints, and 65% of the time a set of master fingerprints made using commonalities may suffice to successfully log in to smartphones.

CIPT Exam Preparation

In preparation for the Certified Information Privacy Technologist (CIPT) Exam, a security professional should be comfortable with topics related to this post, including:

  • Authentication techniques and degrees of strength (V.A.)
  • Biometrics (V.A.c.)
  • Portable media supporting authentication (V.A.d.)
  • Identifiability (V.B.)
