Do You Think Your Mobile is Secure with a Fingerprint? Think Again!

Smartphone makers give people the convenience of performing many tasks and purchase transactions on their phone, but that convenience also opens the door to hackers, intruders and other costly exploits you may not have known about.

This is especially true now that researchers (covered in the section below) have found easy ways to create fake fingerprints that fool a smartphone fingerprint reader.

On the flip side, the market research firm IHS estimates that the number of fingerprint sensors embedded in smartphone devices will grow from approximately 316 million in 2014 to 1.6 billion in 2020.

Popular brands like Apple, Android, and Samsung are making it easy for people to perform crucial transactions: fingerprint authentication is no longer limited to unlocking phones. It can also be used to make mobile payments and even to authenticate larger settlements, including large bank transfers.

So the question you need to ask yourself is: is it really safe to use fingerprint scanner technology to unlock your phone, especially when you store personal and sensitive data on it?

Fingerprint scanner technology, one of the most convenient ways to unlock phones, has been around since the year 2000 for login authentication and identification for computer access.

Today, this biometric technology lets you secure access to your smartphone too!

If you are already using fingerprint recognition to get into your phone's data, it might not be as secure as you think.

The biometric sensors embedded in smartphones are generally small and therefore the resulting images are limited in size.

To compensate, such devices often acquire multiple partial impressions of a single finger during enrolment, to make sure that at least one of the stored templates matches successfully during authentication.

This was reported by researchers from New York University and Michigan State University in the abstract of a study that explored the possibility of generating a “MasterPrint” that can match one or more stored templates for a significant number of users.

Evolution of fingerprint recognition for smartphone users

Back in 2011, Motorola Atrix 4G owners were the first smartphone users to get a fingerprint security function on their phones.

Later, in 2013, the Apple iPhone 5S gave its users the ability to use their fingerprints for multiple phone security purposes. Just a month later, HTC launched the One Max, which also included fingerprint recognition.

Following these brands, Samsung released the Galaxy S5, which offered a fingerprint sensor in the home button.

With the popularity of biometric sensors among smartphone users, many cheaper brands offered the technology as of December 2015, including the $100 UMi Fair.

Samsung later added this authentication feature to its mid-range A-series smartphones.

Two years after the launch of the iPhone 5S, Apple introduced an even faster Touch ID fingerprint sensor with the iPhone 6s.

Later, in 2016, OPPO Electronics claimed to have introduced the fastest fingerprint recognition, unlocking the F1s model in 0.22 seconds.

Kinds of fingerprint patterns, to understand yours

Fingerprints have three basic ridge patterns, known as:

Arch: as the name suggests, the ridges of this pattern enter from one side of the finger, rise in the center to form an arc, and exit from the other side of the finger.

Loop: the ridges of this pattern enter from one side of the finger, create a curve, and then exit on the same side.

Whorl: the ridges of this pattern form circles around a central point of the finger.

Scientists claim there is an increased chance that family members share the same general fingerprint pattern. However, according to Apple’s Touch ID security page, every fingerprint has a unique template, so it is rare for even a small section of two separate fingerprints to be similar enough to match.

The probability of this happening is 1 in 50,000 with a single enrolled finger. After five unsuccessful fingerprint match attempts a passcode is required, and the probability of guessing a 4-digit PIN code is 1 in 10,000.

To be compatible with Google’s latest Android requirements, the fingerprint sensor must have a false acceptance rate no higher than 0.002%.
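The figures above (1 in 50,000 per enrolled finger, five tries before the passcode, a 4-digit PIN, the 0.002% Android limit) can be put side by side. This added script is not from the original article; it assumes every comparison is an independent trial with the quoted false acceptance rate, which real sensors and real impostor fingers do not strictly satisfy, so treat the results as order-of-magnitude estimates.

```python
"""Rough false-accept arithmetic for a smartphone fingerprint sensor.

Added illustration using the figures quoted in the text. Assumption: each
comparison against a stored finger is an independent trial with the same
per-finger false acceptance rate (FAR).
"""

FAR_PER_FINGER = 1 / 50_000       # Touch ID figure quoted above
ANDROID_FAR_LIMIT = 0.002 / 100   # 0.002 % from the Android requirement
ATTEMPTS_BEFORE_PASSCODE = 5      # fingerprint tries before a passcode is demanded


def false_accept_probability(far_per_finger: float, enrolled_fingers: int,
                             attempts: int) -> float:
    """Chance that at least one of `attempts` presentations against
    `enrolled_fingers` stored fingers is wrongly accepted.  Enrolling more
    fingers multiplies the number of comparisons each try gets."""
    comparisons = enrolled_fingers * attempts
    return 1.0 - (1.0 - far_per_finger) ** comparisons


def pin_guess_probability(digits: int, attempts: int) -> float:
    """Chance of guessing a uniformly random numeric PIN in `attempts`
    distinct guesses (the fallback after the fingerprint tries are used up)."""
    space = 10 ** digits
    return min(attempts, space) / space


def one_in(probability: float) -> int:
    """Express a small probability as '1 in N', rounded to the nearest integer."""
    return round(1 / probability)


def meets_android_far_limit(far: float) -> bool:
    """True when a sensor's FAR satisfies the 0.002 % Android requirement."""
    return far <= ANDROID_FAR_LIMIT


if __name__ == "__main__":
    for fingers in (1, 2, 5):
        p = false_accept_probability(FAR_PER_FINGER, fingers, ATTEMPTS_BEFORE_PASSCODE)
        print(f"{fingers} enrolled finger(s), {ATTEMPTS_BEFORE_PASSCODE} tries: 1 in {one_in(p):,}")
    p_pin = pin_guess_probability(4, ATTEMPTS_BEFORE_PASSCODE)
    print(f"4-digit PIN, {ATTEMPTS_BEFORE_PASSCODE} guesses: 1 in {one_in(p_pin):,}")
```

With five enrolled fingers and five tries the fingerprint path lands at roughly 1 in 2,000, the same order as five guesses at a 4-digit PIN, which is why enrolling only the fingers you actually use matters.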

How fingerprints are used on smartphones

For those who typically use the fingerprint scanner to unlock their phones, it can also be configured for other functions such as:

Managing app access

This means you can protect certain apps with fingerprint authentication to secure your WhatsApp messages, personal images, email, calendar and more.

Faster Google Play purchases

This means you can make your paid app purchases on the Google Play Store both easier and more secure.

From the settings tab, select “fingerprint authentication” to skip the password prompt when confirming app purchases.

Samsung Pay

This is a mobile payment system that allows payment authentication via fingerprint on Samsung Galaxy smartphones.

Camera clicks

This lets you simply tap the fingerprint sensor, instead of tapping the screen, to take pictures with your phone.

Fingerprint spoof attack examples

Over time, experts have produced spoofs that show how fingerprint authentication can be attacked using just ink and paper.

https://www.youtube.com/watch?v=fZJI_BrMZXU

This video, presented by Kai Cao and Anil Jain, shows fingerprint authentication on mobile phones being defeated with self-made printed fingerprints.

https://www.youtube.com/watch?v=h1n_tS9zxMc

This video highlights how other flaws in the iPhone 5S, when combined with Touch ID’s vulnerability to fingerprint spoofing, allow access to the phone.

https://www.youtube.com/watch?v=sfhLZZWBn5Q

This video demonstrates flaws in the Samsung Galaxy S5's fingerprint authentication that expose the user’s device, data, and even payment transactions.

Should you really be worried?

There are many hurdles for an attacker to get past your fingerprint authentication: they would have to create multiple “MasterPrint” templates that match, and mimic a real human finger.

Considering the security measures taken to reduce the risk of fingerprint authentication being exploited: the iPhone 6S incorporates a second-generation Touch ID sensor that is up to twice as fast as the first-generation sensor found in the iPhone 5S, 6 and SE.

The iPhone 5S has also moved slightly beyond the capabilities of earlier touch sensors: it captures a higher-resolution image and, as far as initial experiments can tell, this makes a fingerprint authentication attack more difficult.

A fingerprint sensor can certainly eliminate the risk of forgetting the complex passwords or passcodes needed to get into your mobile phone, since it relies on a part of your body, which cannot be lost.

However, at the same time, you should enable all security measures available to keep your data and personal information away from hackers.

Additionally, you can always switch to other mobile authentication solutions, which include:

PIN code/Passcode

Available on almost every smartphone: users can set a 4-digit passcode to unlock their phones.

This can be the most secure method, because even if your phone is lost and the finder is unable to crack your code, your data is safe and cannot be manipulated.

Downside: there may be times when you forget the PIN code, and after several attempts your phone will lock and require a factory reset. If you choose the reset option, you will probably lose the data stored on your device.

Pattern lock

This eliminates the need to remember difficult codes or alphanumeric passwords, as you create your own pattern on a grid of nine dots. The best part is that you can create new patterns over time to maintain security.

Downside: there may be times when you forget the pattern and your phone will require a hard reset. In this case, your existing data will not be recoverable.

IRIS

Offered by most of the popular mobile companies, the iris scanner is one of the trending and secure biometric methods for unlocking phones.

Downside: the only hassle is ensuring proper light on your eyes, especially in direct sunlight. The recommended approach is to hold your phone close to your eyes.

Face lock

Available on a number of Apple and Android smartphones, face unlock is an interesting biometric alternative to leaving your phone in swipe-to-unlock mode.

Downside: angles and distance are calculated while performing face recognition, which can be slow. Also, the amount of light will determine whether your phone unlocks.

The fingerprint biometric method is rapidly being introduced by popular smartphone brands. Whether in this generation or an upcoming one, and whether it is Apple, Samsung, HTC or even Motorola, someone will surely figure out how to implement fingerprint authentication without it being hacked.

Will the fingerprint biometric method be a good way to secure a phone? Sure it will, once mobile brands stop attackers and hackers from getting into your data simply by building phones with extra physical security measures.

Wrapping up

I myself use a fingerprint pattern to unlock my Samsung Galaxy J7 Prime; however, I have never encountered an attack. Maybe that is because I’m not a recognized firm, educational organization or government entity that deals with important data and files via smartphones.

Either way, the safety of your phone authentication will depend on the makers to boost device security!

Source: Anil Parmar


Protect Accounts with Strong Authentication

What is strong authentication?

Strong authentication – sometimes called 2-step verification, multi- or two-factor authentication, or login approval – provides an extra layer of security beyond your username and password to protect against account hijacking. Many online services, including email and social networks, offer this free extra security protection to help ensure it’s actually you trying to access your account – not just someone who stole or guessed your password.

How does it work?

Strong authentication requires you to have more than just your password to sign into your account. Strong authentication tools are widely available on major email and social networking sites. Here are the most common methods you can choose from:


Here’s how to turn on strong authentication:

Instagram

Two-factor authentication is a security feature. When two-factor authentication is on, every time you log into Instagram from an unknown device you'll be asked to enter an SMS security code or backup code in addition to your username and password. Find out more from Instagram here.

Facebook

As more individuals and businesses turn to Facebook to share and connect with others, people are looking to take more control over protecting their account from unauthorized access. Login approvals is a two-factor authentication system that requires you to verify your identity via a code sent to your mobile device, or by using a physical security key (YubiKey), whenever you log into Facebook from a new or unrecognized computer. Once you have verified your identity, you’ll have the option to save the device to your account so that you don’t see this challenge on future logins. Find out more from Facebook here. YubiKey support was first introduced in 2017. The function allows you to register the physical security key to your account so that the next time you log in after enabling login approvals, you simply tap a small hardware device plugged into a USB port on your computer. Security keys can be purchased through companies like Yubico, and the keys support the open Universal 2nd Factor (U2F) standard hosted by the FIDO Alliance.

Twitter

Login verification is an extra layer of security for your Twitter account. Instead of only entering a password to log in, you’ll also enter a code which is sent via text message to your mobile phone. This verification helps make sure that you, and only you, can access your account. After you enable this feature, you will need both your password and your mobile phone to log in to your account. When you log in to twitter.com, Twitter for iOS, Twitter for Android, or mobile.twitter.com, you will receive a text message with a six-digit login code to enter (see our list of supported carriers here). Find out more from Twitter here.


Yahoo Says All 3 Billion Accounts Affected in 2013 Hack

Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to a company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients' claims.

"I think we have those facts now," he said. "It's really mind-numbing when you think about it."

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said "recently obtained new intelligence" showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion people were affected, but the theft still ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

"This is a bombshell," said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo's former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August, in the separate lawsuit brought by Yahoo's users, U.S. Judge Lucy Koh in San Jose, California, ruled that Yahoo must face nationwide litigation brought on behalf of account owners who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expand its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo's core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it is for companies to get ahead of hackers, even when they know their networks have been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers' tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to."

Tips For Passwords & Securing Your Accounts

Passwords can be inconvenient, but they’re important if you want to keep your information safe. Protecting your personal information starts with STOP. THINK. CONNECT.: take security precautions, think about the consequences of your actions online and enjoy the Internet with peace of mind. Here are some simple ways to secure your accounts through better password practices.

MAKE YOUR PASSWORD A SENTENCE

A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!

UNIQUE ACCOUNT, UNIQUE PASSWORD

Having separate passwords for every account helps to thwart cyber criminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.

WRITE IT DOWN AND KEEP IT SAFE

Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternately use a service like a password manager to keep track of your passwords.

LOCK DOWN YOUR LOGIN

Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
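The "unique one-time code through an app" mentioned here, and the login codes described in the strong-authentication section above, work because the phone and the service share a secret from which both derive the same short-lived code. The following is an added example, not code from any of the services named: a standard-library implementation of the time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps generate, with the server-side check; the shared secret is the RFC test value, constructed for the demo.

```python
"""Time-based one-time codes (TOTP, RFC 6238 over HOTP, RFC 4226).

Added example: the enrolled device and the service hold the same secret and
each derive a 6-digit code from it and the current 30-second time step, so a
correct code proves possession of the device without the secret crossing
the network.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """Code for the time step containing `unix_time` (RFC 6238)."""
    return hotp(secret, int(unix_time // step))


def verify_totp(secret: bytes, code: str, unix_time: float, *,
                step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus `drift_steps` neighbours
    on either side to tolerate clock skew; compare in constant time."""
    current = int(unix_time // step)
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (RFC 4226/6238 test value); a real enrolment
    # uses a random secret delivered once, usually as a QR code.
    shared_secret = b"12345678901234567890"
    now = time.time()
    code = totp(shared_secret, now)
    print("code:", code, "verified:", verify_totp(shared_secret, code, now))
```

A production verifier must additionally remember the last accepted step per account and refuse a code that has already been used, otherwise a code intercepted within its 30-second window can be replayed.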

September 2017 CERT Cyber Vulnerabilities

Each month, Nebula Consulting posts vulnerability notes from CERT’s vulnerability database. Check back often for updates!

06 Sep 2017 - VU#112992 - Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data.

In Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses XStreamHandler with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application.

A remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code on vulnerable servers in the context of the Struts application.

Solution: Apply an update. The vendor has released version 2.5.13 to address this vulnerability. No workaround is possible according to the vendor, so patching is strongly recommended.

08 Sep 2017 - VU#166743 - Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities.

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.

Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot and learn information about the encrypted data.

An attacker with physical access to the device may be able to decrypt the device's contents.

Solution: The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.
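Why a zero IV matters for CBC is easy to show: identical plaintext prefixes encrypt to identical ciphertext prefixes, so anyone holding several encrypted environments (or guesses about their contents) can recognise shared or known content without the key. The script below is an added illustration, not U-Boot code; its block function is a keyed HMAC-SHA256 truncated to 16 bytes standing in for AES, so it runs on the standard library, and the sample environments are constructed.

```python
"""Fixed-IV CBC leaks equality of plaintext prefixes; a random IV does not.

Added illustration only, not U-Boot code. The block function is an HMAC
stand-in for AES (only the encryption direction is needed here).
"""
import hashlib
import hmac
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: a keyed PRF with 16-byte output."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C[i] = E_k(P[i] XOR C[i-1]) with C[-1] = IV."""
    padded = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_encrypt_random_iv(key: bytes, plaintext: bytes) -> bytes:
    """Hardened form: a fresh random IV per message, sent along with the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Number of leading 16-byte blocks on which two ciphertexts agree."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample environments: same first 16 bytes, then one differing byte.
ENV_A = b"baudrate=115200\0bootdelay=3\0bootcmd=run flash_boot\0"
ENV_B = b"baudrate=115200\0bootdelay=5\0bootcmd=run flash_boot\0"


def leak_with_zero_iv(key: bytes) -> int:
    """Equal leading blocks an observer sees when both envs use the zero IV."""
    return common_prefix_blocks(cbc_encrypt(key, ZERO_IV, ENV_A),
                                cbc_encrypt(key, ZERO_IV, ENV_B))


def leak_with_random_iv(key: bytes) -> int:
    """Same comparison with a fresh IV per message."""
    return common_prefix_blocks(cbc_encrypt_random_iv(key, ENV_A),
                                cbc_encrypt_random_iv(key, ENV_B))


if __name__ == "__main__":
    demo_key = os.urandom(16)  # constructed; a device key would be fixed in firmware
    print("equal leading blocks, zero IV:  ", leak_with_zero_iv(demo_key))    # 1
    print("equal leading blocks, random IV:", leak_with_random_iv(demo_key))  # 0
```

The first block matches under the zero IV even though the observer never learns the key; with the random IV the two ciphertexts share nothing, which is the property the deprecated U-Boot feature lacked.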

12 Sep 2017 - VU#240311 - Multiple Bluetooth implementation vulnerabilities affect many devices.

A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to perform commands on the device. For more details, please read Armis's BlueBorne disclosure website and Technical White Paper.

An unauthenticated, remote attacker may be able to obtain private information about the device or user, or execute arbitrary code on the device.

Solution: Apply an update. Patches are available in the latest releases of Windows (see Microsoft bulletin), iOS, the Linux kernel, and Android (see September 2017 security bulletin).

13 Sep 2017 - VU#101048 - Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability.

The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can cause the .NET framework to parse a specially-crafted WSDL file, this can result in arbitrary code execution.

This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded SOAP Moniker object that causes a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible.

By causing the .NET framework to parse a specially-crafted WSDL file with the SOAP Moniker, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open an RTF document.

Solution: Apply an update. This issue is addressed in CVE-2017-8759 (.NET Framework Remote Code Execution Vulnerability).