Thumbs up to Apple’s fingerprint sign-on

APPLE has been copping some heavy flak over the Touch ID fingerprint scanner built into the home button on its new and very expensive iPhone 5s.

Instead of typing in a passcode to unlock the phone, a user need only give the button a quick dab with a thumb or finger. The fingerprint sensor can also be used to identify the owner when making purchases from iTunes or Apple’s AppStore.

However, a group of German hackers called the Chaos Computer Club claimed to have created a fake fingerprint that could be used to unlock a Touch ID-secured iPhone.

“Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” said hacker Starbug, who claims to have invented the print-copying system.

Having studied Starbug’s method, DoubleClick reckons most iPhone 5s owners have little to worry about. It’s quite expensive and time-consuming for your average data thief.

The Chaos team is said to have recorded a picture of the fingerprint of a Touch ID-enrolled user at 2400 dots per inch resolution and cleaned up the image digitally. The image was then inverted and laser-printed at 1200dpi resolution on to a transparent sheet with a thick toner setting. Pink latex milk was then smeared into the toner pattern on the transparent sheet and allowed to cure. (Latex milk is natural rubber, kept liquid with ammonia; white woodglue is a possible substitute).

The Chaos hackers claim to have lifted the thin latex sheet off the transparency once it had cured, cut it to finger size, breathed on it to make it moist, glued it to a real finger with theatrical glue, applied it to the iPhone 5s home button and unlocked the phone.

Hmm. Doesn’t sound too quick or easy to DoubleClick, even if you happen to have a ready supply of pink latex milk and theatrical glue and access to a victim’s fingerprint.

Marc Rogers, a security researcher for an outfit called Lookout, had doubts, too. He tried a similar system to fake a print, though he used gelatin rather than latex to simulate skin. The technique was highly complicated and out of the range of most data thieves, Rogers has said.

“It is a lengthy process that takes several hours and uses more than $1000 worth of equipment, including a high-resolution camera and laser printer,” he said in a blog.

Rogers reckons Apple’s Touch ID system is really aimed at convenience rather than security, and the average consumer shouldn’t be too concerned at the antics of the Chaos Computer Club. DoubleClick agrees. Popping a pinky on the button beats typing in a passcode if you do it 20 or 30 times a day, as many smartphone users do.

We had wondered what would happen if you don’t have fingerprints and want to operate an iPhone 5s. Don’t scoff – there are such people.

Matthew, a computer journo we know, is one. He was born that way and says he knows of quite a few similar cases.

Not that Matthew need forgo the new iPhone: the fingerprint recognition system is not compulsory. You can revert to a passcode or, like a surprising number of people, ignore security altogether and just log on with a swipe across the screen.

If you do use Touch ID you can record up to five fingerprints: it is hoped you would have 10 to pick from. You can also register the dabs of family members so they can use your phone.

Apple is not the first computer maker to embrace fingerprint recognition technology. Dell, Acer, Asus, Samsung and Lenovo have used it, usually on laptops, and Motorola has used it on some phones. But their systems have been fairly rudimentary, with high fail rates.

Apple’s Touch ID is more complex, involving a sensor below the home button that takes a high-resolution image of the finger from the skin’s subdermal layers with remarkable precision.

Its arrival on the iPhone has certainly stirred quite bizarre happenings. Some paranoid folk in the US have wondered whether a thief or attacker could be tempted to hack off their finger and use it to unlock the phone.

It seems not. You need a live, warm, flexible and slightly sweaty finger, DoubleClick has been told.

Actually you don’t need a finger at all to use Touch ID. Some bloggers have reported using a toe, a nipple or their cat’s paw to register a recognisable print. One chap on the TechCrunch website reported using another body part that we won’t mention here. It worked fine, he says, (thankfully he didn’t provide a video) but using it to unlock your phone in a restaurant or boardroom might create a stir.

– See more at: