Home > Identity Theft > Does the iPhone 5S Fingerprint Tech Make You Safer?

Comments 0 Comments

Apple’s biggest contribution to the technology world has been its ability to bring order to chaos. The iTunes music service is the best example of this: before iTunes, the world of music downloads was the Wild West. There were outlaws, like Napster and its rivals, who ran clunky attempts to commercialize the rogue industry out of town. Apple changed all that by making the music download experience uniform and simple.

The most promising element of Apple’s new fingerprint scanner, announced as part of the new iPhone 5S on Wednesday, is the potential to bring order to the chaotic world of personal gadget security. The Touch ID system will let users wake up their phones with a simple finger touch. It’s a big step forward, but it shouldn’t be confused as a big step forward in security; it’s more of a big step forward in convenience and a small step forward in security.

Let’s get this out of the way first — Apple will have to provide some alternative mechanism to unlock phones, and that means hackers and criminals will be able to circumvent Touch ID.  Fingerprints suffer damage (kitchen cuts!) and fingerprint readers break. Apple will have to offer the equivalent of a password reset option to those folks, and just like all other “lost password” retrieval systems, that will almost certainly be the weakest link in the chain. By definition, it can’t be any stronger than current systems. Touch ID will be easier to use than PIN codes, resulting in happier (if not much more secure) users, and that’s why Apple is adopting it.

Security Is (Somewhat) in the Hands of the User

That said, we’ve already heard a tremendous amount of catcalls from geeks since the announcement of Apple’s Touch ID, describing all the various horrible things that can happen to users. Fingers can be cut off and used to unlock stolen phones, certainly. It’s possible that prints can be lifted off martini glasses in bars and molds made, also, though there’s hope that Apple’s capacitive sensor system will make that harder to do.

However, it’s this kind of hand-wringing that has crippled the security industry for years, prevented implementation of all sorts of creative security technologies, and left most users with a 50-year-old user/password system protecting most of their digital lives. While a strong password stored only in a user’s brain is the most secure system we have, in reality most users pick horrible passwords. Many iPhone users don’t even bother setting a four-digit PIN, those who do pick common codes like “1234,” and countless others wouldn’t bother if their e-mail server didn’t insist on it.

In the real world, making security more convenient also makes it more secure, because behavior is more important that technology. A strong password is no good when it ends up on a post-it note tacked to the monitor.

For years, researchers have been talking about the “death of the password.” In the past, I’ve predicted that passwords wouldn’t die until there was a truly horrendous security breach, such as a million people losing money via online banking. Last year, millions of passwords were compromised at brand-name sites liked LinkedIn, but people barely reacted.

Part of the reason: There are far too many alternatives in the security world, each one with theoretical (and real flaws). Voiceprint systems can be hacked via recordings, Hollywood has shown. As with fingerprints, retina scans are subject to, ahem, physical attacks. Facial recognition, used by some smartphones now, is so clunky that it hasn’t caught on. Token counter keyfobs, popular with high-security firms, are subject to theft of the counter creation formula.

All those flaws have been enough to make tech companies shy away from adding security tech to all but the most security-conscious employees, ending any possibility of agreement around a standard. Apple is one of the few firms to create such a standard, and it’s possible Touch ID will accomplish that. Users will get used to flashing their fingerprint to unlock a gadget, and it’s easy to see how the standard could spread to other devices.

Sure, fingerprint readers can be tricked, but the biggest security problem Apple faces at the moment is theft. Law enforcement officials say Apple gadgets have actually caused an increase in crime. Will street thugs who rip iPhones out of subway riders’ hands be able to create fake fingerprints on a mass scale?  Perhaps a supply chain might develop, but I think that’s far-fetched, and it will be expensive, making theft less lucrative.

Moving Beyond the Password

Should fingerprints become a standard? Let’s review the conceptual options at play for security firms who want to move beyond the password. Security techs fall into four categories:

  1. Something you know (passwords)
  2. Something you are (fingerprint, retina)
  3. Something you have (debit card, keyfob)
  4. Something you do (how you type, how you walk)

So-called two-factor authentication combines two of these concepts together. The classic two-factor model, used with great success for many years, is the debit card. Getting money from an ATM requires having something (a card) and knowing something (a PIN code). Apple can easily add two-factor to the new iPhone — you might need a fingerprint and a code to unlock — and it appears individual companies will be enabled to do so. That’s much more secure than a PIN code alone. Could arguments be made for other technologies? Yes.  Should that stop someone from trying something that might help?  No. Could TouchID be the iTunes of security? Maybe.

Apple’s adoption of fingerprint technology can’t be understood without the context of repeated calls from law enforcement for addition of a “kill switch” or some other technology that would mitigate the street crime problem. Fingerprints do not solve that problem — criminals will not stop stealing phones because some of them require a fingerprint, just as PIN codes on GPS devices haven’t yet dented GPS theft — but will eventually help.

The Deeper Issue

The real concern with Touch ID, made much more sensitive because of the recent litany of NSA surveillance revelations — is that Apple is now contributing to creation of a worldwide database of fingerprints. The firm has taken pains to explain that it’s not doing so, that the fingerprint will be stored on the phone only. Given recent proof that many tech firms work secretly with U.S. government agencies, there are legitimate questions about the credibility of this claim. Will Apple, or a cellphone company, be able to guarantee that this data will never find its way into a government database? How could they? Security expert Bruce Schneier likes to say that a surveillance society make people less safe, not more safe, and here is a good example.  A perfectly good security upgrade may fail because Americans can’t trust corporations or the government not to exploit it.

Of course, the FBI already has a vast database of fingerprints, called the Integrated Automated Fingerprint Identification System, or IAFIS. On its website, the FBI says it has 70 million subjects in its criminal master file, along with 34 million “civil prints,” presumably collected from teachers, coaches, and many other innocent people who’ve been required to submit their fingerprints for employment. So while Americans bristle at handing over their prints, because it often makes them feel like criminals, millions have already done so.

Rather than criticize Apple for trying to finally bring order to the chaotic enhanced security world, a better strategy would be to create privacy laws that forbid abuse of such information by governments and corporations alike. In the meantime, it can be helpful to find out what companies know about you, and know how to take some of your information off the grid.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.

Image: Wavebreak Media

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team