iPhone 6 Touch ID has already been hacked


That was quick. Marc Rogers, Principal Security Researcher at Lookout, has managed to break the iPhone 6 Touch ID feature, and posted how he did it. Marc is the guy who did the same thing on the iPhone 5s when it came out about a year ago. What isn't so good is that, despite a few noted improvements in the new version (a higher-resolution sensor, for example), Marc used the exact same procedure to hack the iPhone 6 Touch ID as he did with the iPhone 5s version - basically with a bit of fingerprint powder and super glue.

While I don't see this as a show stopper for Apple Pay, it doesn't look good, and comes at a time when Apple is already on the defensive about security because of the recent iCloud hacking incident involving nude celebrity photos. Marc does note that the hack is hard to do, but I can see someone developing the necessary skill set when the stakes are high (for example, to break into some VIP's iPhone).

I've thought for a long time that fingerprint biometrics work better as a usability feature than as a security feature. For something like mobile payments, both usability and security are paramount. The technology offers a measure of security (just like the lock on your front door offers a measure of security ... if someone really wants to break it, and has the skills, time, and patience, they will do it). The security flaws of fingerprint biometrics - vulnerability to spoofing, etc. - have been widely discussed for years and are well known. Apple even acknowledged that they're aware of these flaws in their patent filing for the Touch ID technology.

A vulnerability in a given security control doesn't mean that it shouldn't be used: it just means that when it is used, it should be part of a well-conceived, defense-in-depth strategy, with additional security layers in place for when the control fails. Apple has provided additional layers - for example, the kill switch feature available for all iOS 8 devices, and the use of card number tokenization in Apple Pay. But I still think there's room for improvement with Touch ID.

(Via The Official Lookout Blog)

Alipay gives some serious market cred to Nok Nok Labs and the FIDO standard


Nok Nok Labs has announced that Alipay will use Nok Nok's NNL S3 Authentication Suite to authenticate payment users on future versions of the Samsung Galaxy S5. The NNL S3 technology will provide access to the Alipay Wallet application via the Galaxy S5's fingerprint sensor (which I hope that Samsung has fixed by now). That's a major win both for Nok Nok Labs, a Silicon Valley startup in business since November 2011, and for the FIDO Alliance, of which Nok Nok Labs is a founding member. FIDO is an industry consortium, launched in 2013, that provides a standard implementation framework for "post-password" authentication. Its stated mission is to get rid of passwords as the world's default authentication method, and replace them with something more secure, standardized, and suited to the emerging, multichannel IoT world. NNL S3 is a FIDO-compliant authentication management platform for operation by service providers (including enterprises), and it's technically agnostic to the endpoint form of authentication. So it supports not only fingerprint biometrics, as with the Galaxy S5, but also voice biometrics, face biometrics, secure elements, trusted platform modules, removable tokens, and others (of which there are many).

I think the announcement wasn't timed very well, as it was completely overshadowed by the Apple Pay launch a couple of days earlier. However, this is also a very significant step in the global evolution of mobile payments. Alipay, often referred to as "China's PayPal" (although it's more appropriate now to say that PayPal is America's Alipay), has an existing mobile user base of 100 million, and 80 percent of China's mobile payments market share. And with Samsung commanding 12 percent of the smartphone market in China, we're talking millions and millions of users out of the gate for the new Galaxy S5. As sexy as Apple Pay is, Apple and its posse of partners have some way to go before they get anywhere close to Alipay's market weight.

(Via The Paypers (sic))

New Host Card Emulation white paper from Smart Card Alliance


The Smart Card Alliance has published a new white paper on HCE titled HCE 101, which does a good job of analyzing the security pros and cons of HCE vs. "traditional" NFC, and of generally explaining how HCE works. Well worth a read if you're following the progress of this disruptive technology, which I'm doing with a view to how it's changing the payments space.

(Via Smart Card Alliance)

ATMs that spray acid and ooze hot foam

Every once in a while, a true security innovation comes along. Here's one: a security system that's being proposed by some Swiss researchers to protect ATMs from vandalism. The system is inspired by ... a beetle. The bombardier beetle, to be exact. The beetle's inspiring behavior is as follows:

"When threatened, the bombardier beetle releases a caustic spray, accompanied by a popping sound. This spray can kill ants or scare off frogs. The beetle produces the explosive agent itself when needed. Two separately stored chemicals are mixed in a reaction chamber in the beetle's abdomen. An explosion is triggered with the help of catalytic enzymes."

Sounds like a sheer living hell if you're an ant or a frog. What if you're an ATM vandalizer, though? Well, the Swiss researchers have an artificial version of the bombardier beetle's caustic spray mechanism that's especially for you. It's:

" ... a self-defending surface composed of several sandwich-like layers of plastic. If the surface is damaged, hot foam is sprayed in the face of the attacker."

That's right. A plastic sandwich filled with hot foam that executes an acid attack. I hereby resolve to avoid Swiss ATMs from now on. (I mean what if the thing went off on a false negative?)

What disappointed me was, the ATM version dispenses with the popping sound, which I thought would have been a nice feature.

Gotta love those Swiss researchers. I had to check whether the article was written on April 1, but nope, it was published on ETH Zurich's website on April 11, 2014.

(Via The Atlantic)


Biometric ATMs are coming to Europe

Fujitsu has launched an ATM that uses a proprietary palm vein recognition system, PalmSecure, to authenticate customers. Fujitsu hopes to deploy these units to replace some of the 245,000 ATMs across Europe that are due to be retired in the next five years - and as part of the 40,000 new ones that are expected to be added. (Via Finextra)