There's a reason you should be terrified of iris scanners and iPhone facial recognition – but it's not the reason you think

Earlier this year, a German hacking collective called the Chaos Computer Club, which incidentally also has a history of conquering the iPhone’s fingerprint sensor, fooled Samsung’s iris scanner. And it wasn't with cryptic programming or unparalleled brain power.

Josie Cox @JosieCox_London
Sunday 23 July 2017 13:05
Iris scanners are becoming more popular – but they can never be as secure as a password for one simple reason

I hate passwords. I forget them, I lose them, I agonise over someone stealing them. At work, I don’t change them when the system prompts me to. I get locked out of my computer and spend hours trying to regain access. The helpdesk hates me.

I’m a queen of the caps lock blunder too: not knowing I’ve struck the pesky key, I type in my password agonisingly – two, three, four times – only to be told to “please contact a system administrator”. And that usually happens last thing on a Friday. When my patience resembles a tissue that’s been through the washing machine. Twice.

So, as someone who likes to consider themselves relatively tech-savvy and reasonably receptive to new gadgets, you may therefore think that I would take to the idea of biometric identification like a duck to water. You’d be wrong. I’m terrified. And I’m going to tell you why you too should be afraid.

Last week, high street lender TSB announced that it was becoming the first bank in Europe to introduce iris recognition on its mobile banking app, allowing you to transfer money, check your balance and make payments, quite literally, in the blink of an eye.

To use the service, customers register by holding their phone camera up to their face for a few seconds. Experts have said that iris scanning is a far more secure form of biometric authentication than, say, voice recognition, fingerprints or toe prints (yes, that’s a thing) and that it’s fast, efficient and easy. For both you and that friendly criminal next door.

Earlier this year, a German hacking collective called the Chaos Computer Club – which incidentally also has a history of conquering the iPhone’s fingerprint sensor – fooled Samsung’s iris scanner, not with the assistance of cryptic programming language and unparalleled brain power, but with a simple photograph – the kind you can print off Facebook – and a humble contact lens.

It was the second security blow dealt to the South Korean conglomerate in the space of a few months, after its facial recognition technology – also designed to allow users to unlock their phones password-free – was tricked almost immediately after launching.

Slightly creepy incidents like this, coupled with a deluge of warnings about cyber security, devastating attacks like WannaCry and Petya, and even dystopian TV series like Black Mirror, should all serve as a critical warning to us. They should remind us that technology and hackers are engaged in a global game of cat and mouse, during which the fat and resourceful feline is regularly clawing chunks out of the ignorant rodent’s tail. But, inexplicably, we don’t care.

We’re so obsessed with the idea of using breakneck technology to innovate and reach maximum convenience that we’re losing sight of the fact that a good old alphanumeric code, changed every few weeks and committed to memory, is a far better way of protecting what’s essentially our whole identity than anything else. Just don’t use your birthday and pet’s name. That’s rookie.

The simplest way to grasp the risks associated with biometrics is by understanding that passwords are secrets and body parts are not.

“A password is inherently private,” Alvaro Bedoya, professor of law at Georgetown University, told Wired last year. “I do know what your ear looks like, if I meet you, and I can take a high resolution photo of it from afar.”

Ears? Really? Yes. Apparently, everyone’s ear cavity is unique and so Japanese tech firm NEC has developed headphones that measure how sound waves bounce off the insides of your ears. Now they’re using that information to determine who you are.

Granted, that may solve the problem of your partner always stealing your headphones, but to me the merits beyond that are grossly outweighed by the distressing prospect of someone making a model of your ear and then using it as a gateway to everything that’s in your life.

Even fingerprint authentication doesn’t pass my test.

Bedoya reminds us that, if you have a drink with him and leave your print on the pint glass, he will have it. Researchers at a mobile security firm called Vkansee last year reportedly used Play-Doh to collect fingerprints and unlock an iPhone. The stuff your three-year-old plays with.

In 2016, a study revealed that the FBI has a database filled with the photographs of more than 117 million adults, and that well over a dozen US states already allow authorities to use face recognition technology to compare the faces of suspected criminals to their driver’s licenses and ID photos. Think of it as an unregulated, out-of-control virtual line-up.

It doesn’t take a great stretch of the imagination to visualise what could happen if that database fell prey to a massive cyber attack like the ones we’ve witnessed in recent months. If at the time we happened to be relying on face recognition cameras to keep our phones, bank accounts, and perhaps even our cars, houses – hell, even our DNA – safe, then the game really would be on.

We’re becoming addicted to technologisation. We’re spending and saving our money in virtual code through the emergence of hyper-volatile cryptocurrencies like Bitcoin. It’s rumoured that the iPhone 8 will include facial recognition technology. Alexa is listening.

We’re voluntarily integrating every part of our lives into the omniscient internet of things. Effectively, that’s a way of inviting increasingly sophisticated attackers to use our lives as their playground.

At a recent dinner, I had the pleasure of sitting next to the head of technology for one of Britain’s largest companies. It was a relaxed affair and we talked about his teenage daughters being “digital natives” and “total whizzes” when it comes to technology.

I told him that I’d only just dipped my toes into the world of mobile banking and that I still feel weird about dealing with considerable sums of money on such a flimsy, transportable and easily stolen device.

“What?” he exclaimed. “But you’re so young! You need to embrace the future.”

If even the smartest tech guy in the room is encouraging us to stay in this ferocious evolve-or-get-caught race, then perhaps you should be more panicked than even I already am.
