Researcher claims that iPhone’s ‘Live Photos’ can be used to hack 2 banks apps
In a shocking discovery, a researcher found that 2 banks’ mobile phone apps were susceptible to hack, as the accounts could be easily accessed just by showing a picture of the account holders.
Director of Research at Fintech Consultancy 11:FS, Meaghan Johnson says she discovered that by using an iPhone “Live Photo” of her, people could access her account. “Live Photos” capture and show restricted movement and this fool the app into thinking the account holder is actually there.
Johnson told Business Insider: “What you have to do is log in using biometrics. Once you log in to the secure site on the app just blink a few times and it records you blinking. We got a picture of me blinking which then was a Live Photo. We pressed down on the Live Photo facing my phone with the facial recognition screen open. After 5 seconds it picked it up and it logged us straight into the app.”
Currently, this vulnerability is limited in number, as this only applies to banks that are using facial recognition as a way of logging in.
However, the number is on the rise. The issue comes to light days after Standard Chartered bank announced plans to roll out biometric security to all its 5 million customers and do away with the traditional method of passwords.
It is amongst one of the large banks and financial institutions following “biometric security” measures – identification methods such as facial recognition, fingerprint scanning, and voice recognition. For instance, MasterCard is looking to use payment authentication through selfies. Further, recently the World Economic Forum selected biometrics as one of the key know-hows that will change the face of finance in the next few decades.
On being asked to name the 2 banks where Johnson was able to use iPhone Live photos to get into the app, she just said that it was “a bank in the States and a new challenger bank in the UK” without disclosing the names of the banks.
According to BI, currently the only new challenger that offers facial recognition technology to let users log in to its app is Atom Bank.
While Atom acknowledged to BI that is possible to break into the app using a live photo, but it also stressed that this is just one of a number of security measures its app uses. However, to reach a stage where you could use the live photo would be highly improbable. For instance, Atom also validates its app on customer’s smartphones, so that you can only log into your account on your smartphone. In other words, this means that the person with the picture will have to steal your device.
“Not only does someone need your specific device, but we enforce the need for your device to have a device PIN. As such, you need to steal someone’s device. You then need to break their device PIN. We also check for jailbroken devices (i.e. If you jailbreak the device in order to break the PIN, then we will not allow jail-broken devices to access either).
“As with any security measure, people will try to find ways to bypass facial recognition. People may seek to use masks or moving images of a face to gain access via your device, and it if it looks very much like the real customer’s face the app will grant access.
“Does this mean your bank security has been compromised? No. We have built layers of security into our banking app to ensure that even someone with your phone and your face can have only limited access. For example, in order to set up a payment to a new payee (as the fraudster would need to do to steal your money) a further level of authentication would be required, such as voice recognition or passcode.”
While acknowledging that security vulnerability is a limited one, Johnson says that: “You have to have a lot of moving pieces together, it’s likely that it would come from family or a friend or a colleague. Someone would have to take your phone if it was unlocked, they would have to have a picture of you blinking, and then they would basically have to do this without you being there.”
Does this mean your bank security has been compromised? No replies Atom.
She further added: “If I were a bank that offered this I would just inform your customers that there are ways in which it is not secure. When you go to an ATM it says be careful of your PIN, maybe you need a warning like that.”
“Using your face offers a convenient and safe way to access your app, but customers can also take sensible precautions to protect themselves, such as using the standard security features that protect their devices – such as your phone PIN or fingerprint access to ensure that access to your device is inherently difficult,” a spokesperson for Atom said.