Biometric authentication systems have been around for ages, but it wasn’t until Apple released Touch ID alongside the iPhone 5s that it entered the mainstream. Building off that, a number of banks across the globe have started to update their mobile apps with fingerprint and facial recognition systems in place of the tried and true password.
While such systems are admittedly much more convenient than having to enter a clunky password on a mobile device, they also aren’t without their share of security vulnerabilities. Speaking to this point, Meaghan Johnson, a researcher at a financial technology consulting firm, recently discovered that she could bypass a bank’s authentication software using, of all things, Apple’s Live Photos feature. Because Live Photos capture 1.5 seconds of video both before and after an image is taken, Johnson discovered that a Live Photo could effectively trick a bank’s facial recognition software into thinking that she was present.
Speaking to Business Insider, Johnson explained:
What you have to do is log in using biometrics. Once you log in to the secure site on the app just blink a few times and it records you blinking. We got a picture of me blinking which then was a Live Photo. We pressed down on the Live Photo facing my phone with the facial recognition screen open. After 5 seconds it picked it up and it logged us straight into the app.
While nothing to worry about at the moment, such work-arounds may soon become more worrisome as more and more banks and financial companies increase their reliance upon biometric authentication. As we highlighted last year, MasterCard is currently working on a new security scheme wherein the identity of a user attempting to complete an online transaction would be verified by said user taking a selfie. As a security precaution, MasterCard said that their mobile app will require users to blink once in order to prevent “a thief from just holding up a picture of you and fooling the system.”
That’s all well and good, but as Johnson’s research demonstrates, it may only take a Live Photo of a particular user in order to fool a given facial recognition system.