Did you know that criminals can access your banking apps, impersonating you, simply by using your phone’s biometrics, e.g. Face or fingerprint?
In this article we will discuss a real-world example experienced by one of our own, and whilst the example is iPhone and iCloud-specific, the potential security flaw exists in all brands and operating systems.
Introduced in the last few years by phone manufacturers, biometrics have been a convenience when it comes to quickly and “securely” accessing apps without having to provide credentials each time. With the probability for a random person scanning their face and gaining access to your phone being 1 in 1,000,000, it’s not hard to see why these features became very popular with users, in addition to being super quick.
Biometrics weren’t just popular with phone users – developers also quickly adopted the feature, handing over the responsibility of handling login information to the operating system – a gold standard in security – in the process.
That convenience however brought along a huge security flaw. Under certain conditions, criminals could access sensitive information on your phone and even fraudulently transact via your banking app, undetected.
To explain how you could be compromised, let’s take the example of a stolen iPhone & the use and the unintended consequence brought about by Apple’s “Find My” feature available through its iCloud service.
An iCloud account allows iPhone users to manage their phone data including putting a lost or stolen device under “lost mode” as shown below.
While the “Lost Mode” feature is useful in case of an actual loss, it unfortunately serves as an entry point for criminals to launch a phishing attack onto unsuspecting users, since the entered number will land into their hands instead rather than those of a good samaritan as we’d hope.
As defined by Wikipedia, phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.
In this case, criminals, masquerade as Apple, sending an SMS to the user as a bait via the number entered earlier in the “Lost Mode” prompt, claiming the device is online and they should click to find out more.
By clicking on the link, the user is taken to what’s actually the legit iCloud website by Apple but only after re-routing them through a number of proxies enabling them to intercept any username or password the user enters.
The stolen credentials will then be used to access the user’s real iCloud account to cancel any requests such as one about clearing phone’s data, delinking the user’s iCloud account from the device leaving existing data on it.
The user will then receive an email from Apple, similar to the one below, informing them that with the device no longer linked to iCloud, not much can be done remotely to prevent any types of action.
With iCloud completely wiped, a new FaceID can be captured. Once done, all the left to be done is access any application that requires biometric authentication and those not equipped to detect a change in biometric settings will let the criminal through as if they were the actual user. This is because, when an application relies on biometric authentication, it yields the process to the phone’s operating system which simply returns a true or false depending on whether there’s a match with the phone’s current captured face.
This process has nothing to do with the actual user to whom the app initial gave authorization.
There are a number of security measures that could be put in place to avoid such scenarios.
What should users do
As convenient as biometrics can be, it’s always best to avoid letting applications with sensitive information make use of biometric authentication to reduce the risk in case one’s device gets compromised.
What should banks do
As for the banks and really any application looking to use the feature, unless thoroughly tested, should hold back until it’s proven secure enough.
Should the feature become supported by the application, it needs to be able to detect a change in the biometric configuration and reset the authentication process with each new session.
Here’s a good article showing how to detect changes in both, TouchID and FaceID “https://swiftrocks.com/detecting-touchid-fingerprint-changes”.
Should Apple do something about this?
While Apple seemed to have put all its focus on ensuring that none of its biometric devices could be hacked, it left it up to the developers to add the additional security layer needed to prevent new users from gaining access to application they shouldn’t have access to.
By invalidating all existing applications that require biometric authentication, Apple could make its LocalAuthentication framework even more secure.
The Swift 5 code below shows how authenticate using biometric sensors:
context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localisedReason: reason, reply: (Bool, Error?) -> Void)
Currently, the “reply” closure returns true even if there’s been a change in biometrics, misleading applications that it was in fact the device owner that was successfully authenticated. The propose changes to the API are:
- Return false (the owner was not successfully authenticated, due to the fact that configurations to the biometrics have changed since…)
- Invalidate the signature for all applications on biometric change detection, forcing developers to reset their application configurations in the process.
- Something else that the brilliant minds at Apple could come up with.
The two suggested solutions are backward compatible.
As for iCloud’s “Lost mode” prompting users to enter their phone numbers, this clearly has had the unintended consequence for users that know their phones were stolen (and wouldn’t really want to hear from the thieves), it should probably state that a phone number is not needed in order to see a stolen device online, as this is the source of many confusions.
A big warning should also be shown to the user alluding to the fact criminals could be the recipient of the number in case of theft as opposed to loss.
When it comes to security, users will always be the weakest links, it’s up to the technical parties involved to move slowly while adopting new features, after testing all possible scenarios but also to guide and educate users about potential dangers with introduced features, as it’s been shown, criminals seem to find new ways to penetrate even the most secure of systems.