Unnecessary Risk: How ApplePay, online banks, and others endanger their users

March 15, 2015

Car Keys

High-profile hacks and data breaches have brought personal data security into the public mindset. Many companies have neglected to enforce security best practices because of general apathy, higher costs, and lower customer satisfaction caused by complex data security systems. Customers too have been apathetic towards security because of the inconvenience of strong passwords, password managers, and two factor authentication. New biometric security technologies such as TouchID, facial recognition, and others promise to provide a convenient authentication platform. However, the inability to revoke biometric credentials may make users more vulnerable. Other solutions are necessary.

Background

An online presence is compulsory for users in developed countries in today’s digital economy. However, most users must manage dozens, if not hundreds, of online accounts. Despite knowing that they should use unique passwords for each service, many users use the same password for all their online accounts. Frequent attacks combined with lax security practices make major hacks and password breaches a regular occurrence. If a user reuses passwords, each hack exposes every one of their online accounts, compromising their assets, privacy, and, oftentimes, dignity. The obvious solution is to create a different password for each account and consolidate them in a single document. Except “putting all your eggs in one basket” can cause a catastrophe if that document is compromised.

Many security-minded users create random passwords for each online service, keeping them in an encrypted password vault such as 1Password or LastPass. These vaults are encrypted under a zero-knowledge policy: only the user holds the key, which means that the host service is technically unable to decrypt them, even if compelled to by a warrant. Thus, even if the password vaults were hacked and distributed on the internet, no passwords would be compromised. These programs require users to remember only one "master password" that decrypts the vault. However, because the vaults are encrypted with a zero-knowledge policy, a user who forgets their master password will never be able to retrieve the passwords stored in the vault (1Password and LastPass cannot reset a lost master password). Encrypted password vaults are a great way to protect users from inevitable password breaches, but do nothing to protect users if organizations grant access without requiring a password.

How Companies Put their Users at Risk

Many services require users to answer “security questions" that verify a user's identity should they ever forget their password. Familiar questions such as “What is your mother’s maiden name,” “What was your hometown,” or “What was your first pet's name” are among the most common prompts. In fact, many online services, especially banks and telecommunications companies, require users to answer three or more personal questions from a small list of generic prompts. Although designed to be a more secure way to prove a user’s identity, these prompts provide an easy way for malicious users to gain access to an account because the answers are so easy to find. Most “personal” questions can be answered with a simple Google search, and a clever hacker could easily create a program to scrape the web for the personal info of millions of users at a time. Information about family names, hometowns, and hospital of birth is available in public databases. Information about high schools, hometowns, and first jobs can be found on LinkedIn. Friends, girlfriends, favorite foods, restaurants, bars, and other personal information are often publicly shared on Facebook. Even if a user does not explicitly share some information, photos and post history can often reveal the answer. Using information from a few minutes of Googling, hackers can gain access to an account, lock out the account’s rightful owner, hold the account hostage, and leak private information. Such hacks occur regularly, but received little attention until recently, when a hack of high-profile individuals made national headlines.

On August 31st, 2014, hackers gained access to celebrity iCloud accounts and publicly released compromising photos in a leak known as “Celebgate” or “The Fappening”. Hackers gained access to the accounts through personal information gathered via Google searches and brute-force password attacks. Apple ignored best practices and did not lock accounts after a certain number of incorrect password attempts, allowing hackers to try millions of password combinations until they guessed the correct one. Politicians are common targets of similar attacks (e.g., Sarah Palin), although most are unsuccessful because politicians, knowing they are targets, usually enable advanced security features such as two-factor authentication.
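The control Apple is faulted for omitting above is an attempt limit on the login endpoint. The following is an added illustration (not Apple's code, and not from the original post) of one way to implement it: passwords are stored as salted PBKDF2 hashes, an account locks after five consecutive failures, and each successive lockout doubles in length so that a brute-force attacker's budget of guesses collapses while a legitimate user who mistypes a few times is only briefly delayed. The clock is injectable so the behaviour can be exercised without waiting; the iteration count, lockout constants and user names are constructed example values.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0      # consecutive bad attempts since the last success/lockout
    lockouts: int = 0      # how many lockouts this account has had (drives backoff)
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an example value, tune for your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginThrottle:
    """Login checker that locks an account after MAX_FAILURES consecutive
    bad passwords. Lockout length doubles on every successive lockout."""

    MAX_FAILURES = 5
    BASE_LOCKOUT_SECONDS = 60

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests; defaults to wall-clock time
        self.accounts = {}          # user name -> Account

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns "ok", "denied" (bad credentials) or "locked" (attempt limit hit)."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # While locked, even the correct password is refused: otherwise a
            # brute-force attacker simply keeps guessing through the lockout.
            return "locked"
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures = 0   # lockouts count is kept so repeat offenders back off longer
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.lockouts += 1
            acct.failures = 0
            acct.locked_until = now + self.BASE_LOCKOUT_SECONDS * 2 ** (acct.lockouts - 1)
            return "locked"
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    throttle.register("alice", "correct horse battery staple")   # constructed example account
    for _ in range(5):
        print(throttle.login("alice", "wrong guess"))            # denied x4, then locked
    print(throttle.login("alice", "correct horse battery staple"))  # locked for 60 s
```

Two caveats a practitioner would add: a per-account lockout lets an attacker deliberately lock a victim out (which is why the backoff here is temporary and escalating rather than permanent), and it does nothing against an attacker spreading a few guesses across millions of accounts, so the same throttle should also be applied per source address and alerts raised when failure counts spike.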

Why Fingerprints are not the Answer

Many pundits claim that biometric authentication, such as voiceprint, retina scanning, facial recognition, fingerprint scanning, or other biological markers unique to an individual, is the future of security. Let’s hope they are wrong. A good security system requires keys that are unique, difficult to duplicate, and easy to revoke. Although biometric factors such as fingerprints are unique, they are easy to duplicate and impossible to revoke, making them a potential security nightmare.

Facial recognition systems are notoriously inaccurate and easy to fool. Before enabling blink detection, Google’s facial unlock on Android could be fooled with any photo of the owner's face, and even after updating, the system is still easily hacked. Fortunately, Google does not require customers to use this technology to access their phones or user accounts (in fact, it warns users the system is insecure). Apple, however, encourages customers to use its TouchID fingerprint reader to unlock iPhones, and requires them to use TouchID to authenticate purchases made with ApplePay.

Within months of Apple’s announcement of TouchID, the Chaos Computer Club, a group of European security specialists, demonstrated a method to fool the sensor using an etched plastic finger cover. More recently, the same group announced that it could create detailed fingerprints from photos of people’s hands. The group demonstrated their technique by lifting German Defense Minister Ursula von der Leyen's fingerprints from a photo at a press event. Combining the two approaches could allow unauthorized access to a user’s ApplePay account, and therefore bank and credit cards, using only reasonably detailed photos where the user’s hands are visible. Any individual who creates an ApplePay account exposes themselves to potential fraud. Note: the recent surge in fraud using ApplePay is unrelated to TouchID’s security, but rather to a lack of authentication between banks and Apple when adding credit and debit cards.

Herein lies the biggest problem with biometric security: When, not if, a user’s biometric information is leaked, any system that uses that biometric factor to authenticate them is permanently compromised. Unlike passwords or access cards, which can be changed or replaced if they are leaked, users cannot change their fingerprints, voiceprints, retinas, or other unique aspects of themselves. Once a fingerprint is stolen, it is stolen forever, and a user can never safely use a fingerprint for authentication again. By lifting a fingerprint from a keyboard, glass of wine, or even a photo, a hacker may gain permanent access to any number of “secure” services without even guessing a password.

Solutions

One solution which has not yet been cracked (with one notable exception) is two-factor authentication. Two-factor authentication requires users to verify their identity through a unique temporary code (that usually expires within 60 seconds) as well as their password when signing in. Users can receive their temporary codes through a dedicated device (such as an RSA token or code-generating card), via SMS to a known phone number, or through a smartphone using either a dedicated app (such as BattleNet Authenticator) or a generic one (such as Authy). Most services only require a code when signing in from a new location, granting users a huge security benefit with limited additional work. Some services allow authentication via a physical key (inserted into a USB port, placed on a reader, or detected via Bluetooth) as a second factor (the key generates codes similar to those available through an app). Such systems are convenient because they can be placed on key chains and allow users to log on without typing an additional set of numbers, and log off by either removing the key or walking away from the computer. Combined with an encrypted password vault, two-factor authentication can provide users with a high level of security. Most popular web services offer users two-factor authentication, but many more do not, putting their users at risk.
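The temporary codes described above are, in the generic apps and most hardware tokens, time-based one-time passwords: the server and the device share a secret, and both derive the current six-digit code from that secret and the current 30-second time slot. The block below is an added example (not from the original post, and not the code of any of the apps named) implementing HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, with the server-side verification that accepts one slot of clock drift on either side and reports which slot matched so the server can refuse a replayed code. The base32 helper mirrors how authenticator apps receive the secret in otpauth:// provisioning URIs; the shared secret in the demo is the one used in the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-slot counter."""
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Accepts the current slot and `window` slots on either
    side to tolerate clock drift. Returns the matching slot counter (so the
    caller can store it and reject a re-used code) or None on failure."""
    current = int(now // step)
    for counter in range(current - window, current + window + 1):
        # constant-time compare so a wrong code takes the same time as a right one
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret as shown in an otpauth:// URI or QR code
    (spaces and missing '=' padding are tolerated, as apps do)."""
    cleaned = text.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret, used here only as a demo value.
    secret = b"12345678901234567890"
    now = time.time()
    print("current code:", totp(secret, now))
    print("same code in 30 s?", totp(secret, now) == totp(secret, now + 30))
    print("matched slot:", verify_totp(secret, totp(secret, now), now))
```

The replay point matters in practice: a stolen code is valid for up to three slots with window=1, so the server must record the highest counter it has accepted for a user and reject any code whose matched counter is not greater than it. The same HMAC construction is what the USB and Bluetooth keys mentioned above compute, only with the secret held inside the device instead of in an app.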

For users who insist on not carrying additional devices or copying codes, more exotic authentication systems can be used. Implantable encrypted RFID tags no larger than a grain of sand can authenticate users (traditional passwords can be used as a second factor in new locations). RFID readers in cellphones, keyboards, and mice may automatically log users in and out when they approach or leave a computer (or if a user's cell phone is further than a few feet away from a terminal). If, for some unforeseen reason, the tag is compromised or duplicated, the user could easily replace it, granting the user the convenience of biometric authentication with the security of traditional two-factor systems. Removing and replacing a subdermal RFID tag should hurt no more than the average vaccine shot. Some users may even choose to replace their chips annually as part of a regular medical checkup (much akin to some companies mandating that users change passwords monthly). Some people already use implanted RFID chips as a primary method of authentication because of their security and ease of use.

Motorola's (now Google's) Advanced Technologies and Projects team has suggested some other unique authentication methods. NFC temporary tattoos are inexpensive to manufacture and allow users to log into phones and other devices by tapping their wrist (or wherever the tattoo is applied) to a reader. Motorola has also proposed that an electronic pill ingested every morning could serve as a secure token. The pill may authenticate users by emitting low-power radio waves (perhaps Bluetooth) through the body that are picked up by a compatible receiver or phone.

Despite a plethora of available technologies, both exotic and conventional, a series of high-profile attacks on prominent Americans or a landmark legal decision in support of customer data protection may be necessary for companies to change their practices towards better user security.