The Apple iPhone 6s “Live Photo” feature may present a biometric security vulnerability in various mobile banking applications.
According to security researcher Meaghan Johnson from Fintech consultancy firm 11:FS, the Live Photo capability enabled her to bypass the facial recognition security method on mobile banking apps for two financial institutions.
Typically, the facial recognition check requires the user to hold the camera up to their face for a set period while it captures some form of movement, to ensure that what is being presented is not actually a phone. But Business Insider reported that Johnson was able to gain access to accounts using the iPhone’s Live Photo feature instead.
“What you have to do is log in using biometrics. Once you log in to the secure site on the app, just blink a few times, and it records you blinking,” Johnson explained to Business Insider.
“We got a picture of me blinking, which then was a Live Photo. We pressed down on the Live Photo facing my phone with the facial recognition screen open. After five seconds, it picked it up, and it logged us straight into the app,” she continued.
Though this may not introduce a serious threat to security, it still reveals a flaw in the way facial recognition works on the apps.
“If I were a bank that offered this, I would just inform your customers that there are ways in which it is not secure. When you go to an ATM, it says be careful of your PIN. Maybe you need a warning like that,” Johnson added.
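The bypass described above comes down to a liveness check that accepts any recording containing the expected movement. The model below is an added example, not code from the article or from the apps it mentions: it contrasts a fixed blink check with a challenge-response check that prompts for a random action sequence, so a clip recorded in advance cannot satisfy it. The action names, the three-step challenge and the recorded clip are constructed.

```python
import secrets

# Prompts a liveness check can ask for. The apps in the article relied on "blink".
ACTIONS = ("blink", "turn_left", "turn_right", "smile")

# Constructed stand-in for a Live Photo: the actions visible in a short clip
# recorded while the real user blinked at the login screen.
RECORDED_CLIP = ["blink", "blink", "blink"]


def fixed_blink_check(observed):
    """Fixed-challenge liveness: pass once a couple of blinks are seen.
    Any recording that contains blinks satisfies it, so a replay passes."""
    return observed.count("blink") >= 2


def new_challenge(length=3):
    """Challenge-response liveness: the server draws a fresh random sequence
    of prompts for each attempt, so the answer cannot be recorded in advance."""
    return [secrets.choice(ACTIONS) for _ in range(length)]


def challenge_check(challenge, observed):
    """Pass only if every prompted action appears, in order, among the actions
    observed during this attempt (unprompted extra actions are ignored)."""
    frames = iter(observed)
    return all(any(seen == step for seen in frames) for step in challenge)


def replay_success_probability(length=3, clip=RECORDED_CLIP):
    """Chance that a fixed recording satisfies a random challenge: it can only
    do so when every prompt is an action the clip already shows (exact for a
    clip showing a single action, an upper bound otherwise)."""
    per_step = len(set(clip) & set(ACTIONS)) / len(ACTIONS)
    return per_step ** length


def live_user(challenge):
    """Constructed model of a real user following the on-screen prompts,
    with one unprompted blink before they start."""
    return ["blink"] + list(challenge)


if __name__ == "__main__":
    challenge = new_challenge()
    print("fixed check, replayed clip:", fixed_blink_check(RECORDED_CLIP))
    print("challenge", challenge, "replayed clip:", challenge_check(challenge, RECORDED_CLIP))
    print("challenge", challenge, "live user:", challenge_check(challenge, live_user(challenge)))
    print("replay success probability:", replay_success_probability())
```

With four possible prompts and three steps, a replayed blink clip passes the randomized check only about 1.6% of the time, versus every time against the fixed check.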
Earlier this year, a study from the Government Accountability Office (GAO) exposed the existence of a database of more than 411 million photos maintained by the FBI.
The agency reportedly uses the photos, gathered from a variety of sources such as driver’s licenses, passport applications and visa applications, together with facial recognition software to find criminals.
In its study, the GAO, an internal watchdog agency within the federal government, said the FBI has failed to properly disclose how the existence of its database may affect public privacy.