LOL So much for Apple's touch ID "security"


openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
Still puzzles me, why would a fingerprint be more secure than a simple passcode/password?

Convenience? Maybe, yet not really.
More security? Not really
Gimmicky? Yes
 

dontl00katme

Member
Sep 20, 2013
25
0
61
Isn't the data stored on the iPhone some sort of mathematical representation of your fingerprint? If so, can you produce a workable fingerprint image out of this data?
 

NoStateofMind

Diamond Member
Oct 14, 2005
9,711
6
76
2. So they can force you to unlock and delete the video, but they can't forcibly just take your phone away or accidentally knock the phone out of your hands and step on it?

Sure they can but then there's that thing called evidence.
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
This just in: fingerprint scanning technology that multimillion dollar firms have been trying to make secure but couldn't for decades has been broken by the gummy bear attack like all other fingerprint scanners.

It's a cheap marketing gimmick and sheeple fell for it hook, line and sinker.
 

golem

Senior member
Oct 6, 2000
838
3
76
Sure they can but then there's that thing called evidence.

I'm not sure I understand your original scenario then.

Are you saying you tape police doing something, they see you and then force you to unlock your phone and delete the video?

If that is the original scenario, then my response was if they are willing to force you to unlock and delete the video if you have a fingerlocked phone, then wouldn't they be just as willing to forcibly take your phone or "accidentally" destroy it if it was a pin or pattern unlocked phone? Either way is just as illegal.
 

golem

Senior member
Oct 6, 2000
838
3
76
This just in: fingerprint scanning technology that multimillion dollar firms have been trying to make secure but couldn't for decades has been broken by the gummy bear attack like all other fingerprint scanners.

It's a cheap marketing gimmick and sheeple fell for it hook, line and sinker.

Cool, please show me the article that says TouchID was cracked using a gummy bear.

The one I've read about was much more involved than using a gummy bear.
 

thedosbox

Senior member
Oct 16, 2009
961
0
0
Sooo umm.. if you are somehow able to break the encryption on the stored fingerprint, and then somehow unhash the data for that one fingerprint from that one iphone.. how does this affect the other 8.99999 million iphones again?

Right, there's no scenario where someone would want to impersonate someone else. None whatsoever :rolleyes:

I'll be curious to see whether you decide to join the inevitable class action lawsuit when apple's security is broken.
 

golem

Senior member
Oct 6, 2000
838
3
76
Right, there's no scenario where someone would want to impersonate someone else. None whatsoever :rolleyes:

I'll be curious to see whether you decide to join the inevitable class action lawsuit when apple's security is broken.

So having my fingerprint will allow you to impersonate me? Cool... :rolleyes: Exactly how would you use this fingerprint to impersonate me again?

And of course, the easiest quickest way to steal a fingerprint would be to steal an iphone that is fingerprint locked, create a fake fingerprint to access the iphone. Throw away the fingerprint that allowed you to access the iphone in the first place. Crack the encryption on the stored fingerprint, unhash the data to recreate the fingerprint and then... how would you impersonate me again using the fingerprint?

Oh by the way, I'm just playing devil's advocate, I don't have an iphone 5s, don't plan on getting one.
 

NoStateofMind

Diamond Member
Oct 14, 2005
9,711
6
76
I'm not sure I understand your original scenario then.

Are you saying you tape police doing something, they see you and then force you to unlock your phone and delete the video?

If that is the original scenario, then my response was if they are willing to force you to unlock and delete the video if you have a fingerlocked phone, then wouldn't they be just as willing to forcibly take your phone or "accidentally" destroy it if it was a pin or pattern unlocked phone? Either way is just as illegal.

Then let me clarify. The broken phone is evidence. Understand? Otherwise it's your word against theirs. Not to mention you would have to thoroughly abuse the phone for the memory to be damaged to a point of no recovery.
 

MrX8503

Diamond Member
Oct 23, 2005
4,529
0
0
There are 10,000 combinations for a 4 digit pin. Quite frankly that's easier than trying to acquire 9 million+ fingerprints and that doesn't even count multiple fingers.

The butthurt over touch ID is comical. I suspect jealousy is in the air.
 

golem

Senior member
Oct 6, 2000
838
3
76
Then let me clarify. The broken phone is evidence. Understand? Otherwise it's your word against theirs. Not to mention you would have to thoroughly abuse the phone for the memory to be damaged to a point of no recovery.

If you can recover video from a physically abused device, wouldn't it be lots easier to recover video from a delete? That's assuming it ever came to this and you haven't already uploaded the video to the cloud.

And in regards to evidence, it's your word against theirs either way. Their argument would be the phone was accidentally knocked down and stepped on.
 

WelshBloke

Lifer
Jan 12, 2005
33,082
11,263
136
There are 10,000 combinations for a 4 digit pin. Quite frankly that's easier than trying to acquire 9 million+ fingerprints and that doesn't even count multiple fingers.

The butthurt over touch ID is comical. I suspect jealousy is in the air.

Doesn't it fall back to the pin if it fails to recognise a print?
 

Imp

Lifer
Feb 8, 2000
18,828
184
106
Didn't they realize this a while ago with another fingerprint scanner technology...
 

jpeyton

Moderator in SFF, Notebooks, Pre-Built/Barebones
Moderator
Aug 23, 2003
25,375
142
116
The butthurt over touch ID is comical. I suspect jealousy is in the air.
Nobody is butthurt, because nobody serious about security uses biometrics.

Smartphone users should be more honest with themselves. If they truly have sensitive information on their device, a simple 6-digit case-sensitive alphanumeric password (57 billion combinations) would be a good starting point, along with device encryption. I use 15-digits.

4-digit PINs, pattern unlocks, Touch ID, etc. show that you aren't serious about security, at which point you might as well do yourself a favor from a usability standpoint and disable your lockscreen.
 

WelshBloke

Lifer
Jan 12, 2005
33,082
11,263
136
Nobody is butthurt, because nobody serious about security uses biometrics.

Smartphone users should be more honest with themselves. If they truly have sensitive information on their device, a simple 6-digit case-sensitive alphanumeric password (57 billion combinations) would be a good starting point, along with device encryption. I use 15-digits.

4-digit PINs, pattern unlocks, Touch ID, etc. show that you aren't serious about security, at which point you might as well do yourself a favor from a usability standpoint and disable your lockscreen.

It's finding a balance. I use a pattern unlock and, yeah, it's not that secure but my life isn't over if someone nicks it. It's a quick, simple way of stopping someone dicking around with my phone.

If I had to use a 15 digit alpha numeric, case sensitive password I think I'd just leave my phone in a drawer.
 

cheezy321

Diamond Member
Dec 31, 2003
6,218
2
0
Nobody is butthurt, because nobody serious about security uses biometrics.

Smartphone users should be more honest with themselves. If they truly have sensitive information on their device, a simple 6-digit case-sensitive alphanumeric password (57 billion combinations) would be a good starting point, along with device encryption. I use 15-digits.

4-digit PINs, pattern unlocks, Touch ID, etc. show that you aren't serious about security, at which point you might as well do yourself a favor from a usability standpoint and disable your lockscreen.

In light of the entire Snowden/NSA episode, I want to make it as difficult as possible for the government to trample on my rights to personal privacy.

That 15 digit code won't do anything to stop all of the free information you are feeding Google and your service provider (and in effect the govt). Since you are serious about security what are you doing to make it as difficult as possible for the government to trample on your rights? Because it sure as hell ain't an Android-powered Samsung phone that will help you do this.
 

WelshBloke

Lifer
Jan 12, 2005
33,082
11,263
136
That 15 digit code won't do anything to stop all of the free information you are feeding Google and your service provider (and in effect the govt). Since you are serious about security what are you doing to make it as difficult as possible for the government to trample on your rights? Because it sure as hell ain't an Android-powered Samsung phone that will help you do this.

I hope that you're not suggesting that if you have a Microsoft or Apple phone then the government won't be able to get your data?

Edit: also if he encrypts his stuff and doesn't use any cloud storage he should be pretty safe.
 

NoStateofMind

Diamond Member
Oct 14, 2005
9,711
6
76
If you can recover video from a physically abused device, wouldn't it be lots easier to recover video from a delete? That's assuming it ever came to this and you haven't already uploaded the video to the cloud.

And in regards to evidence, it's your word against theirs either way. Their argument would be the phone was accidentally knocked down and stepped on.

Yes but one way is *only* he said she said and the other has physical evidence. Expecting to have anything resembling "fair" won't happen when dealing with thugs regardless but those who might have been skeptical of your statement might not be so when shown the proof of your $700 phone smashed to bits.

It may not only be a video you are protecting. Maybe it's contacts. Emails or text messages. Maybe you just don't want unfettered access to that which you call private. Either way the fingerprint "touch ID" gives megalomaniacs an easy way into your personal information. If I bought an iPhone 5s it wouldn't be for the supposed "security" it offers.
 

dawheat

Diamond Member
Sep 14, 2000
3,132
93
91
I think we can all say Touch ID > unlocked phone as far as stopping random theft. Trying to replace a decently strong password to protect sensitive personal or corporate information sounds unwise to me.

I'd also be concerned that once my print was somehow compromised, they'd be a constant vector for non-random theft (whether it be friendly or local theft).

I imagine that if enough value was tied to the print (e.g. being able to use your iTunes payment information to buy stuff at B&M stores or even online stores), compromise kits would proliferate. Seeing the ingenuity of ATM thieves and such makes me believe that once there is enough value at play, you'll see some pretty clever stuff.

Doesn't matter as far as an unlock option, but likely puts a crimp into Apple's plan to use your print as a quick proxy for strong authentication for multiple uses.
 

MrX8503

Diamond Member
Oct 23, 2005
4,529
0
0
Doesn't it fall back to the pin if it fails to recognise a print?

At that point you get a few tries.

Nobody is butthurt, because nobody serious about security uses biometrics.

Smartphone users should be more honest with themselves. If they truly have sensitive information on their device, a simple 6-digit case-sensitive alphanumeric password (57 billion combinations) would be a good starting point, along with device encryption. I use 15-digits.

4-digit PINs, pattern unlocks, Touch ID, etc. show that you aren't serious about security, at which point you might as well do yourself a favor from a usability standpoint and disable your lockscreen.

15 digits? Lol ok.
 

golem

Senior member
Oct 6, 2000
838
3
76
Yes but one way is *only* he said she said and the other has physical evidence. Expecting to have anything resembling "fair" won't happen when dealing with thugs regardless but those who might have been skeptical of your statement might not be so when shown the proof of your $700 phone smashed to bits.

It may not only be a video you are protecting. Maybe it's contacts. Emails or text messages. Maybe you just don't want unfettered access to that which you call private. Either way the fingerprint "touch ID" gives megalomaniacs an easy way into your personal information. If I bought an iPhone 5s it wouldn't be for the supposed "security" it offers.

A smashed 700 phone is evidence of, a smashed 700 phone. Unless you have evidence of the one you're recording destroying your phone, it's just a broken phone. And if you do have evidence of someone destroying your phone, couldn't the way you got that evidence also be used to get evidence of that person forcing you to delete something from your phone?
 

NoStateofMind

Diamond Member
Oct 14, 2005
9,711
6
76
A smashed 700 phone is evidence of, a smashed 700 phone.

"Yeah I just bought this new iPhone, cost me $700 and won't be able to replace it for a month. You know I just thought maybe I'd smash it up for fun". - A smashed phone is more evidence than a non-existent video.

Unless you have evidence of the one you're recording destroying your phone, it's just a broken phone.

Yes I said as much. Again you are more believable with evidence than no evidence at all.

And if you do have evidence of someone destroying your phone, couldn't the way you got that evidence also be used to get evidence of that person forcing you to delete something from your phone?


Uh I'm not sure what you're getting at here. Never mentioned anything about another video/phone.