New York Times: The fingerprint payment wave is here, and security concerns are drawing attention

Earlier this month, MasterCard, one of the world's largest payment companies, announced that it is testing a credit card with a built-in fingerprint sensor. Instead of signing a paper receipt or entering a PIN, the user simply presses a finger on the card for fingerprint verification to prove their identity. The company said that development of the new card is essentially complete, that it is currently undergoing concentrated testing in South Africa, and that it expects a global rollout before the end of the year. The announcement once again pushed "fingerprint payment" into the spotlight and triggered wide discussion of payment security.

What is fingerprint payment

As early as 2014, Apple Pay and Alipay (the payment apps of Apple and of Alibaba) each launched fingerprint payment. Fingerprint payment, also called fingerprint-based purchasing, is a new payment model that uses a mature fingerprint system to authenticate the user's identity and complete the purchase. The process works as follows: the user first enrolls a fingerprint on the phone, then enables the fingerprint password in the payment app's phone-password settings; after a series of checks, including fingerprint comparison and the payment password, fingerprint payment is activated. Once enabled, users no longer need to type a numeric password when shopping or transferring money with their e-wallet; they only need to place a finger on the fingerprint sensor in the Home button, and the system determines the user's identity and then completes or halts the payment. A further advantage is that merchants' existing payment terminals already meet the needs of this new payment technology, so no extra spending on equipment upgrades is required.

Fingerprint payment attracted wide attention as soon as it launched; its novel payment model and convenient workflow drew large numbers of users. From a supercar costing over a million dollars down to groceries costing a few cents, users can complete the entire payment with a single finger, making it easier than ever to splurge.

Security risks demand attention

However, while fingerprint payment brings great convenience to mobile payments, it also creates a series of security risks. In short, because fingerprints must be captured by contact, fingerprint traces are inevitably left behind; people also leave fingerprints in all sorts of places in daily life, which unknowingly leaks fingerprint information and raises the risk of forgery. And as 3D printing technology advances, forging fingerprints and fingers will become easier still.

Recently, New York University and Michigan State University jointly published a research report focusing on the security problems in fingerprint payment. The report says that the fingerprint payment systems of iPhone and Android phones are still imperfect, and that a phone's fingerprint lock can easily be defeated by methods such as printing fingerprints. Researchers from the two universities developed their own fingerprint-cracking program, "MasterPrint": photograph a person's fingerprint, print it with the program, and the printed model can unlock the phone's payment app with an accuracy as high as 65%.

After the report was released, although some industry experts said that, given the many other factors present in real life, the match rate of a fingerprint-cracking program would be far below 65%, the findings still raised public concern about the security of fingerprint payment. Andy Adler, a professor in the information engineering school at Carleton University in Canada, said that the problems facing fingerprint payment are currently far from as serious as the report describes, but are enough to put people on alert.

So what exactly makes our fingerprint passwords so easy to crack? After all, the probability of two human fingerprints matching is tiny, roughly one in 15 billion, which is why the fingerprint is called the "human ID card"; the structure of a fingerprint is also extremely complex and by no means easy to forge.

At root, the key reasons fingerprint payment passwords are easily defeated are the way smartphones read fingerprints and improper choices by users when setting up fingerprint passwords.

Human fingerprint features fall into two categories: global features and local features. Global features are highly complex and usually hard to forge, but because the fingerprint scanners built into smartphones are usually small and read only part of the fingerprint, it is enough to forge the local features of a fingerprint to defeat the fingerprint password. In addition, when setting up a fingerprint payment password, payment apps usually ask the user to provide 8 to 10 different fingerprint images to complete initial setup. Most users, for convenience, enroll only one or two fingers, creating a security risk.

As one of the first companies to enter fingerprint payment, Apple said that when it developed the Touch ID system it had already tested the security attacks the system might face and introduced a series of new security features. Currently, a user paying with a fingerprint through Apple Pay gets only five attempts; after that, Touch ID no longer accepts any fingerprint and the passcode must be entered to unlock. According to statistics, the probability of an Apple user's fingerprint password being defeated is only one in 50,000, or 0.002%.

However, some industry experts think Apple's claims are somewhat exaggerated. They argue that, for reasons of commercial secrecy, technology companies such as Apple and Google generally do not disclose technical details of fingerprint payment to the public. Take Google: because the company avoids discussing the security of its software, dozens of Android phone makers worldwide have had to lower their phones' security levels to fit Google's design standards.

Beyond security, fingerprint payment has many other drawbacks. Experts have pointed out that injured fingers with damaged prints, or very humid air, can affect fingerprint recognition. People whose jobs keep their hands soaked in water or chemicals for long periods, such as laundry workers, cooks and chemical plant employees, may also occasionally find their fingerprints unrecognizable. Fingerprint payment also has problems such as: some people have few fingerprint feature points, so their prints are hard to image; the fingerprints of the elderly become dry and worn and are hard to capture. Many phones do not yet have the necessary hardware, and some smartphones on the market use a virtual "Home" button, so users cannot enter fingerprints at all.

Fingerprint payment is hard to position

Stephanie Schuckers, director of the technology research center at Clarkson University, said that most phone makers are now aware of the security risks of fingerprint payment and are improving their security systems by stepping up development of anti-fraud technology. Among them, US phone chip maker Qualcomm has released a new fingerprint sensing system that uses ultrasound to detect the skin pattern of the deeper layers of the finger and verify that the fingerprint is genuine.

Dr. Boehnen, a fingerprint payment expert, believes that security problems are an inherent drawback of this new technology and are hard to solve at a fundamental level. He said that new fingerprint sensing systems can to some extent ease the current difficulties, and that new biometric technologies such as iris scanning can also effectively control fraud; these applications will all become supplements to mobile payment and represent innovation and breakthroughs, but it will take a long time for them to reach the mass of users, and their own flaws mean they are unlikely to become the mainstream direction.

Fingerprint sensors have turned modern smartphones into miracles of convenience. A touch of a finger unlocks the phone — no password required. With services like Apple Pay or Android Pay, a fingerprint can buy a bag of groceries, a new laptop or even a $1 million vintage Aston Martin. And pressing a finger inside a banking app allows a user to pay bills or transfer thousands of dollars.

While such wizardry is convenient, it has also left a gaping security hole.

New findings published Monday by researchers at New York University and Michigan State University suggest that smartphones can easily be fooled by fake fingerprints digitally composed of many common features found in human prints. In computer simulations, the researchers from the universities were able to develop a set of artificial “MasterPrints” that could match real prints similar to those used by phones as much as 65 percent of the time.

The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions. Still, the findings raise troubling questions about the effectiveness of fingerprint security on smartphones.

“It’s almost certainly not as worrisome as presented, but it’s almost certainly pretty darn bad,” said Andy Adler, a professor of systems and computer engineering at Carleton University in Canada, who studies biometric security systems. “If all I want to do is take your phone and use your Apple Pay to buy stuff, if I can get into 1 in 10 phones, that’s not bad odds.”

Full human fingerprints are difficult to falsify, but the finger scanners on phones are so small that they read only partial fingerprints. When a user sets up fingerprint security on an Apple iPhone or a phone that runs Google’s Android software, the phone typically takes eight to 10 images of a finger to make it easier to make a match. And many users record more than one finger — say, the thumb and forefinger of each hand.

Apple said the chance of a false match in the iPhone’s fingerprint system was 1 in 50,000 with one fingerprint enrolled. Ryan James, a company spokesman, said Apple had tested various attacks when developing its Touch ID system, and also incorporated other security features to prevent false matches.

Google declined to comment.

The actual risk is difficult to quantify. Apple and Google keep many details of their fingerprint technology secret, and the dozens of companies that make Android phones can adapt Google’s standard design in ways that reduce the level of security.

Stephanie Schuckers, a professor at Clarkson University and director of the Center for Identification Technology Research, was cautious about the implications of the MasterPrint findings. She said the researchers used a midrange, commercially available software program that was designed to match full fingerprints, limiting the broader applicability of their findings.

“To really know what the impact would be on a cellphone, you’d have to try it on the cellphone,” she said. She noted that cellphone makers and others who use fingerprint security systems are studying anti-spoofing techniques to detect the presence of a real finger, such as looking for perspiration or examining patterns in deeper layers of skin. A new fingerprint sensor from Qualcomm, for example, uses ultrasound.

Phone makers have acknowledged that fingerprint sensors are not foolproof, but said that the ease of touching a finger to unlock a phone meant that more users actually turned on security features instead of leaving their phones unlocked — a common habit in the early days of smartphones.

Dr. Ross acknowledged the limitations of the work. “Most of the current smartphone vendors do not give us access to the fingerprint image,” he said.

For a thief or spy to turn master fingerprints into smartphone keys would require a lot of additional work. “In order to launch this attack, you still have to make fake fingers,” Dr. Ross said.

Still, the team’s fundamental finding that partial fingerprints are vulnerable to spoofing is significant, said Chris Boehnen, the manager of the federal government’s Odin program, which studies how to defeat biometric security attacks as part of the Intelligence Advanced Research Projects Activity.

“What’s concerning here is that you could find a random phone, and your barrier to attack is pretty low,” Dr. Boehnen said.

Phone makers could easily increase security by making it harder to match the partial fingerprint, he said, “but the average phone company is more worried about you being annoyed that you have to put your finger against the phone two or three times than they are with someone breaking into it.”

Adding a larger fingerprint sensor would also decrease the risk, Dr. Boehnen said. And some newer biometric security options, such as the iris scanner in Samsung’s new Galaxy S8, are harder to trick. (Face recognition, another security option available on some phones, is considered less secure than fingerprints.)

Phone users can also protect themselves by turning off fingerprint authentication for their most sensitive apps, such as mobile payments, Dr. Boehnen said.

Dr. Memon said that despite his research, he was still using fingerprint security on his iPhone.

“I’m not worried,” he said. “I think it’s still a very convenient way of unlocking a phone. But I’d rather see Apple make me enter the PIN if it’s idle for one hour.”
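As an added illustration that is not part of the original article, the Python below models the two defensive controls the text discusses: the attempt limit after which Touch ID stops accepting fingerprints and requires the passcode, and the idle timeout Dr. Memon asks for. It also gives a simple estimate of how the cumulative false-match probability grows with the number of enrolled fingers and permitted attempts. The 1-in-50,000 per-finger figure is Apple's stated number from the article; the independence model, the one-hour timeout and the class and method names are assumptions for this example.

```python
def false_match_probability(per_finger_fmr: float, fingers: int, attempts: int) -> float:
    """Probability that at least one of `attempts` presentations falsely
    matches any of `fingers` enrolled fingers.
    Assumption: each (finger, attempt) pair is an independent trial with
    false-match rate `per_finger_fmr`; real matchers are not independent."""
    miss_all = (1.0 - per_finger_fmr) ** (fingers * attempts)
    return 1.0 - miss_all


class FingerprintGate:
    """Attempt-limited fingerprint gate modelled on the policy the article
    describes: after `max_attempts` failed presentations the fingerprint path
    is disabled until the passcode is entered. The idle timeout is the change
    Dr. Memon asks for, not a documented vendor setting (assumption)."""

    def __init__(self, max_attempts: int = 5, idle_timeout_s: float = 3600.0):
        self.max_attempts = max_attempts
        self.idle_timeout_s = idle_timeout_s
        self.failures = 0
        self.fingerprint_enabled = False  # passcode is required after boot
        self.last_activity = None         # time of the last successful unlock

    def enter_passcode(self, correct: bool, now: float) -> bool:
        # The passcode is the root credential; it re-arms the fingerprint path.
        if correct:
            self.failures = 0
            self.fingerprint_enabled = True
            self.last_activity = now
        return correct

    def present_fingerprint(self, matched: bool, now: float) -> str:
        # Fingerprint is a convenience path: idle too long -> fall back to passcode.
        if self.last_activity is None or now - self.last_activity > self.idle_timeout_s:
            self.fingerprint_enabled = False
        if not self.fingerprint_enabled:
            return "passcode_required"
        if matched:
            self.failures = 0
            self.last_activity = now
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.fingerprint_enabled = False  # lock out until passcode entry
            return "passcode_required"
        return "denied"


# Constructed numbers: Apple's 1-in-50,000 figure, five attempts, one vs. four fingers.
RISK_ONE_FINGER = false_match_probability(1 / 50000, fingers=1, attempts=5)
RISK_FOUR_FINGERS = false_match_probability(1 / 50000, fingers=4, attempts=5)
```

With one finger enrolled the five-attempt window gives roughly a 1-in-10,000 chance of a false match; enrolling four fingers raises that to roughly 1-in-2,500 under the same policy, which is why a larger sensor or a stricter match threshold matters as much as the attempt limit.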

Zhang Peiqi, Weiyang editorial team
Copyright © Internet Finance Lab, PBC School of Finance, Tsinghua University | 京ICP备13049013号-2