Facial Recognition and its Security Flaws

Date: 05/08/2018

In the race to come up with even more secure forms of protecting your technology and your accounts, researchers have been experimenting with a variety of methods. Everything from two-step authentication to advanced biometrics (think fingerprint sensors) has been used in some way.

A new facial recognition sensor from a company managed to fall a little short, though. One of its new phone models allowed the user to store a “selfie” as the phone’s standard, then use the camera to compare the live face against the stored image. If the phone detected a match, it unlocked the device for use.

Unfortunately, a picture was worth a thousand words, or at least a thousand logins…

Prior to a security patch for that phone, the camera would readily accept a photo of the person instead of their actual face. The unlock process was a little slower but wasn’t halted completely. This is a departure from a fairly old aspect of facial recognition that requires the user to blink during the scan in order to prove the camera isn’t seeing a still image (unfortunately, even that level of security wasn’t hard to override). The test a user conducted in this case actually involved pointing the Samsung Galaxy 8 at another phone which displayed the picture.

This news is the latest in a long road, full of questions, toward better biometric security protocols. What level of protection can our fingerprints, retinas, even our DNA provide and, more importantly, what can the bad guys do with them?

It’s important to understand that Samsung says this was never meant to be a security or “lock” feature, but rather is more like swiping the phone screen with your fingertip to wake it up. Rather than put down any items you might be holding or look at the screen while you’re busy, you could simply turn your face toward the phone or hold it up and point, and it would give you access to the phone screen.

With every new technology, it can often feel like we’re playing catch-up. The innovation comes first, the security violation comes next, and then the fix follows on its heels. We can work to halt that process by asking the hard questions: How does this actually keep me safe? Who else can interfere in the process? Is this actually a step towards greater security, or just flashier tech? By knowing the answers to those questions and taking a good look at how the functionality works, you just might ward off any unexpected privacy problems.


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.
