At a recent Black Hat Security Conference, several hacks demonstrated on the Android and Windows frameworks showed how malware could grab your biometric data off the device and ship it to a third party.
This becomes a real issue once biometrics are used for payment: in theory an attacker could pay for things from your accounts just by getting you to install a pirated copy of Angry Birds 2.
Further down the tinfoil-hat rabbit hole, people imagine having their identity completely stolen and being framed for murder, but that's probably more in the SyFy or Lifetime movie-of-the-week realm.
What's more likely is that credit card companies will have to put a biometric block on compromised individuals, who will never again be able to pay with the compromised scan. You can change an SSN or a password; it's awfully hard to change your fingerprints.
At the moment there's no evidence these attacks are in the wild, and it's reasonable to assume the big software manufacturers are working on patches. In the meantime, if you don't have a biometric scanner, this particular attack can't touch you.
If you still want to use fingerprint unlock or payment, consider enrolling only one or two fingers until everyone gets their security act together and patches everything; that way a leaked print costs you one finger, not all ten.
While Apple devices store biometric data more securely, it's still theoretically possible to grab a fresh image of a print from any device that lets applications talk directly to the fingerprint hardware. The security-relevant question is whether an app can ever reach the sensor's raw output, or only gets a match/no-match answer back from isolated hardware.
Either way, it's a potential issue that really needs to be addressed before people adopt biometrics en masse. Apple may have addressed it correctly, but we'll have to see whether anyone can crack that.
Alternatively, a very secure method of biometric payment would be to swipe one finger on your phone and a different finger at the payment location: one finger for unlock, one for the transaction data, the two combining to form the Voltron of easy, secure payment options. Even if thieves got your biometric info for one finger from a compromised phone, they'd have to print up a glove to complete a transaction, since the second print never passes through that device.