iPhone 6 fingerprint scanner found accurate enough for Apple Pay

"I don't think you'll find street criminals that are able to duplicate fingerprints"

Apple's iPhone 6 fingerprint scanner has a level of accuracy that makes it a solid authentication tool for people planning to use the smartphone in place of a credit card for in-store purchases, research shows.

The scanner, called Touch ID, was more difficult to fool with a fake fingerprint than the previous version in the iPhone 5s, according to mobile security vendor Lookout. The new scanner's level of accuracy is sufficient for use with Apple Pay, the payment system available in the iPhone 6.

"As it stands, right now, it's a great security measure," Marc Rogers, the Lookout researcher who tested the new iPhone, said Tuesday. "I don't think you'll find street criminals that are able to duplicate fingerprints."

Creating a fake fingerprint capable of tricking the new scanner requires a high level of skill, patience and more than a thousand dollars' worth of equipment. A description of the lengthy process is on the Lookout blog.

Rogers found that the latest Touch ID scanned a much wider area of the fingerprint to improve reliability and used a higher resolution to identify a print more accurately.

A fake fingerprint would most likely be used in a targeted attack against an individual, provided the criminal could get a well-defined fingerprint of the digit the person uses with Touch ID. Such a print is unlikely to be available on the phone's touchscreen.

Experts who read Rogers' blog said the research added credence to the argument that the use of Apple Pay is safer than handing a stranger at a restaurant or store a debit or credit card.

"The consumer is currently accepting a horribly insecure system with general credit cards," Tyler Shields, analyst for Forrester Research, said. "I believe that Touch ID is a great addition to mobile payments regardless of the recent research."

Indeed, the insecurity of credit cards has been highlighted by the theft of tens of millions of payment card numbers from retailer Target last year and Home Depot this year.

Apple Pay uses a near-field communication (NFC) transmitter to send payment data to a store reader. The actual credit card number is never sent. Instead, the phone transmits a payment token that is a representation of the actual number.

Touch ID is used for authentication before the payment is sent.

Along with the improvements in the scanner, Rogers would like to see Apple bolster security in other areas.

Currently, a person gets six tries with Touch ID to unlock a phone. On the seventh, the user will have to enter his passcode.

Rogers would like Apple to let the iPhone owner decide how many tries are allowed to unlock the phone. Choosing a smaller number would strengthen security.

Also, Rogers wants Apple to incorporate into Touch ID technology that would make it impossible to fool the scanner with a fake fingerprint, no matter how high the quality.

Rogers said Apple obtained such technology in the 2012 acquisition of AuthenTec, a maker of fingerprint sensors for mobile phones and other portable electronics.

"My guess is it (the technology) was either too expensive or too cumbersome to put into the iPhone, so Apple didn't use it," Rogers said.


Stories by Antone Gonsalves
