Fingerprint breach found - change yours now


Comments

  • 18cc
    18cc Posts: 2,120 Forumite
    Yes I agree I think once a fingerprint leaks (the fingerprint itself not the hashed value) then that is it for the rest of your life - it's out there and can forevermore be used to "prove it's you", including logging onto banking apps.
  • AnotherJoe
    AnotherJoe Posts: 19,622 Forumite
    I was under the impression that the fingerprint recognition is carried out using the phone's sensor?
    When fingerprint log in etc. is set up and selected that fingerprint doesn't get transmitted to some database somewhere, surely? If so, how?
    I personally don't use that method for logging into financial accounts anyway.
    Oh, hang on, it's The Guardian!


    There's a difference between how phones do it and this system. Phones do it in the phone. This article doesn't apply to them.

    If you think about fingerprint access to say an office then obviously the fingerprint needs to be stored centrally so any door with a sensor can access that you can stare it in the door sensor.

    However, "obviously" (except to complete ****wits) the fingerprints should be stored as a hash / encrypted not in ****ing plain and accessible over the internet without credentials.
    This is mind-blowingly inept bad design on top of astoundingly abysmal practice. People need to lose their jobs over this.
  • EssexExile
    EssexExile Posts: 6,597 Forumite
    "Fingerprint breach found - change yours now"

    It's OK the first couple of times but eventually you run out of new fingers.
    Tall, dark & handsome. Well two out of three ain't bad.
  • 18cc wrote: »
    Yes I agree I think once a fingerprint leaks (the fingerprint itself not the hashed value) then that is it for the rest of your life - it's out there and can forevermore be used to "prove it's you", including logging onto banking apps.


    Or leaving dabs at crime scenes
    Retired 1st July 2021.
    This is not investment advice.
    Your money may go "down and up and down and up and down and up and down ... down and up and down and up and down and up and down ... I got all tricked up and came up to this thing, lookin' so fire hot, a twenty out of ten..."
  • Takmon
    Takmon Posts: 1,738 Forumite
    jonnygee2 wrote: »
    Hmmm, I think you've actually misunderstood. Fingerprints were leaked alongside names and personal details of their owners. People generally only have one set of fingers, so will be using the same ones to access the buildings that they use to access their banking apps.

    Right now, I'm not sure the technology exists to recreate them and open up people's iPhones etc. But the technology might well exist soon (If it doesn't already) and whenever it does, the fingerprints will still be the same.

    The leak therefore affects any system secured by fingerprint. Which is a big problem with biometrics.

    In this case there hasn't been any leak that they know of. The Israeli security researchers were simply trying to find vulnerabilities in the system and then reported the vulnerability once they found they were able to access this data. If they actually took any data and leaked it they would be liable for prosecution. So the people on the database don't have much to worry about now the vulnerability has been fixed.

    Also an easy way to protect yourself is to use a different finger to access your phone/banking app than you would to access a building. So even if the data was leaked and usable they wouldn't have the correct fingerprints to access anything personal.
This discussion has been closed.