When the Cost of Convenience is Compromise
We live in a world where everyone expects instant, always-on access to information, where if you haven’t already got ‘an app for that’, you can download one within minutes. Alongside every development team are user interface and graphic designers as well as user experience experts. Product Management and Product Marketing think as much about ease-of-use as they do about features.
Convenience sells. But unfortunately, when it comes to security, convenience can also come at a price.
Take, for example, Apple Touch ID. Unlocking your iOS device just by placing your finger on the home button is highly likely to make you smile at the sheer simplicity of the feature the first few times you do it. But the reality of using Touch ID as the only means of authenticating to sensitive apps -- such as banking applications from RBS and NatWest – is a perfect example of convenience taken too far.
Apple’s Touch ID fingerprint identity sensor is not able to provide a high enough level of assurance that the person using the device is the same person authorised to use an application. Apple has no concept of a fingerprint belonging to an individual user.
If a device is shared, any user can add a fingerprint to Touch ID. If unauthorized access is obtained to the device (by guessing or otherwise obtaining the passcode as opposed to an opportunist accessing an already unlocked iPhone or iPad) then the unauthorized user can also add their fingerprint for later use.
Any application that integrates with the Apple Touch ID API will simply receive a response that a trusted fingerprint has been used – there is no information as to which fingerprint it was and whom it belonged to. Access to an application would be granted to anyone that has saved a fingerprint over the life of the device.
In the home the worst case scenario may be that your partner or children can use the fingerprint they’ve stored to quickly and easily access your banking application -- or any other application that accepts Touch ID as a replacement for much less convenient passwords. Whilst this may be acceptable to some (don’t get me wrong I trust my children, mostly), it’s potentially a dangerous approach for any device that’s used by multiple individuals in an enterprise environment.
If a device is no longer going to be shared, changing the passcode alone is no longer enough to make that device your own. You need to delete all of the stored fingerprints as well.
Until Apple adds the concept of users -- and fingerprints belonging to individual users – sensitive applications such as banking applications should not use Touch ID as the only means of authentication.
This is not the first time we’ve got the balance of security and convenience (we used to call it usability) completely wrong.
Wi-Fi hit the stores, as an option on the Apple iBook under the brand name AirPort, in July 1999. Soon after, anyone could plug an access point in wherever there was power and a free Ethernet socket. Carnage followed – attackers began war-driving and even war-flying, looking for insecure networks. Coffee-shop hotspots became a popular place to grab a skinny latte along with a full fat helping of wireless data.
Access points could be secured, but security was not enabled by default out of the box. A whole wireless security segment rapidly emerged with products to help enterprises respond to the new wireless threat spectrum.
Over a decade later, September 2011, three men in Seattle were charged with war-driving in a 1988 Mercedes filled with networking kit and various antennas, targeting networks secured with the outdated Wired Equivalent Privacy (WEP) standard. They gained access to 13 businesses’ wireless networks stealing credit card numbers used to purchase goods, as well as payroll information allowing them to redirect payroll funds to accounts under their control.
The next IT paradigm shift – now that we’re all enjoying life in the Cloud, wirelessly accessing apps from our own personal devices and interacting with customers over social networks -- is the Internet of Things (IoT). Or the Internet of No Things depending on how much of the IoT turns out to be pure hype. Billions of connected devices are taking the world into a new era of automation and no doubt, to new levels of convenience.
Unlike Wi-Fi, the IoT potentially involves such a variety of different devices from so many different vendors that there is a greater chance that standards will be needed to deliver consumer value. Having 20 different ‘things’ under the stairs and around the house that all talk different languages and require 20 different apps on your iPad or Android phone are unlikely to deliver the level of simplicity and user experience that success and mass adoption will require. With standards comes the opportunity to strike the balance between security, incorporating the Identity of Things, and convenience.
In reality history tells us that we’ll go through a possibly prolonged period of time when attackers will have, at the very least, a great deal of fun at our expense – turning the heating up to maximum at the height of summer, cranking up the stereo and switching the lights on and off in time to the music, or setting off all the car alarms along the street at once.
I personally will be walking across the room to adjust the temperature until we get to IoT version 3. And I won’t be banking on my Apple iPhone 6 just yet either.
Richard Walters is General Manager and Vice President of Identity and Access Management (IAM) at Intermedia