
Child uses sleeping mom's thumbprint to buy $250 worth of Pokémon toys - dvdhnt
https://www.cnet.com/news/child-uses-sleeping-moms-fingerprints-to-buy-pokemon-gifts/
======
jenamety
I'm seeing two (obvious) bigger picture trends here that this story
reinforces.

1. Digital authentication for purchasing is moving towards non-transferable
biometrics (I can't divulge my thumbprint like I can my PIN)

2. Goods of all kinds are being delivered faster

The scary thing for me is that thieves love goods delivered quickly, so they
can turn them quickly, and cut down on their ability to get intercepted.

So what does the 'mugging' or identity theft of tomorrow look like? Am I taken
at my doorstep and forced to make purchases from my phone with my thumb, while
a drone arrives 10 minutes later with 10 iPads OR do I have my phone stolen
and thumb lopped off with tree clippers so the fraudster has more time? What
happens as retinal scanning becomes more common? What if it is my blood that
unlocks my finances & credit?

edit: I've heard thumbs are available for purchase

~~~
jcadam
I had to disable touch ID on my iPhone out of frustration. It works for me
maybe 1 out of 10 times no matter which finger I try to use (my wife has no
problem with hers).

But I've always had trouble with fingerprint readers. At the DMV, govt ID card
office (back when I was in the Army), etc. "Place your finger on the scanner.
Nope, try again.. press harder. No, harder."

I have no idea what's wrong with my fingers :|

~~~
mb0
I've heard that people with hyperhidrosis have a lot of trouble with
biometric devices as well as smartphones. If your skin is too moist it just
kinda gums up the works.

~~~
Declanomous
I have a lot of problems with touch screens. Some screens refuse to register
my touch, and other screens register my touch before I even make contact with
the screen. If you turn on developer tools in android and look at the
"touches", you can see them registering all over if I have my fingers a cm or
so above the screen.

I have really moist skin, so I wouldn't be surprised if this was the issue. I
had a fingerprint reader on my gen 1 Motorola Atrix and that worked just fine
though. I think the company that built that authentication system was
purchased by Apple and used in the iPhones. I wonder if his wife would have
the same issues with his phone, it might be that his fingerprint scanner is
less sensitive.

------
dexwiz
So is this the 21st century version of stealing cash from your mom's purse?

~~~
Waterluvian
Yup. In my opinion, this isn't a problem that needs solving. I bet with
thumbprint security, money is more secure from house hooligans than it was
when held in a wallet.

~~~
icebraining
Maybe, but on the other hand, most people don't keep $250 in their wallets.
Having an extra verification mechanism for expensive purchases seems
appropriate.

~~~
Waterluvian
Depends how likely this scenario is. Adding security to a high risk, low
occurrence event can be seen as wasteful.

Also before this technology, people kept credit cards in their wallet, which
suffered the same fate from house hooligans. And before credit, people did
keep $250 in their wallet.

~~~
icebraining
Well, the security could just be to ask for one's password again.

I guess the credit card part is true; around here most people have debit cards
with PINs, and which can't be used remotely, so it's unlikely a six-year-old
could use it without their parent's consent. Then again, around here those
parents would have the legal right to return all those purchases.

------
makecheck
It seems like they could add a few less-predictable factors to improve the
security of thumbprints without completely ruining their convenience.

For instance:

— Maybe you must use two or more particular fingerprints in sequence, selected
by you in advance. This would require a “sleep attack” to at least try
different combinations of your fingers (without knowing which to use first or
how many fingers are required).

— Maybe you have to hold down your thumb in a pattern that you set in advance
(e.g. at least 2 seconds on, followed by one second off and one second on).

— Maybe a 3-by-3 grid appears and you have to tap one of the squares that were
set in advance by you before using your fingerprint. This is faster than
having to enter a whole pass-code but slightly stronger than just tapping a
finger.

Of course, each of these trades off time (convenience) for slightly better
security.

~~~
goda90
I'm just imagining the court case where they can force the defendant to put
their finger to the reader, but they can't force them to say what order it has
to be in, so they'll slowly make the defendant try all the combinations.

~~~
spacehome
Then that's just back to the situation today with passwords/passcodes. The
answer is rate limiting.

------
saosebastiao
I get relatively annoyed about the facile pedantry of this argument, but this
is exactly the poster case for it, so here goes: fingerprints are usernames,
not passwords.

~~~
Waterluvian
I disagree. Fingerprints are privacy locks, not security locks.

The lock in your bathroom isn't meant to secure the bathroom. It's just a way
to ensure that people get the message, "please don't enter".

A fingerprint on a phone is a way of saying the same thing. This phone isn't
meant for common use, please don't enter.

~~~
saosebastiao
I mostly cringe at the argument I quoted because it is often misapplied due to
how we have historically misapplied passwords.

A username is an identity. Historically due to the difficulty of verifying
identities online, we have used passwords as a way to do so. And when all we
need to do is verify an identity or control basic access levels (the bathroom
lock!), a fingerprint is absolutely good enough. But a password is more
authorization than authentication: requiring a password is appropriate when
you need a conscious decision, not mere identification. Such as for paying for
Pokémon toys.

So essentially what I'm saying is that I agree with you.

~~~
justinkramp
Identity <> Authentication <> Authority

I deal with this in my industry (telecommunications). Just because you've
provided proof of identity (eg your phone number, account number), there are
still things you're not allowed to do until you've authenticated your identity
--and the system determines your authority, to perform an action. This is
accomplished through a password, a PIN, etc.

On a phone, it's an interesting shift because with a PIN, we essentially
bypassed the need for identity and used only a password; regardless of who you
are, you can get in if you have the right key.

With the move to identity being sufficient to unlock a device, we're saying
that just on the basis of identity, the authority that used to come with a
password (sans identity) can be granted. It's a 180 degree turn.

I don't see a way on my iPhone 6s to require both Touch ID and PIN; it's one
or the other. Very few interactions require both, i.e. after a restart it
requires the PIN before Touch ID will work.

edit: to clarify the difference

~~~
saosebastiao
You're demonstrating the difference between authentication and authorization,
not the difference between identity and authentication. Notice you use the
word authority, which has the same root word as authorization. Authentication
is merely the confirmation of identity...it is _not_ the same thing as
authorization.

~~~
cookiecaper
In the case of a single-user phone, is there a difference? The phone's owner
has authorization to do anything, including spend funds they've previously
enrolled into the phone's wallet systems, etc., so it's kind of a moot point
for the purposes of this incident.

You seem to be suggesting we add extra layers here so that merely
authenticating as the device's owner is insufficient authorization to conduct
some actions, and re-authenticating as the owner by using something they know
(secret token like PIN/password) instead of something they possess (finger)
will re-grant authorization, but users find this constant re-auth very
annoying.

Most would probably prefer device makers to allow them to trust the people
around whom they sleep rather than input another authentication method all the
time. Personal responsibility has to enter into the equation _somewhere_.

My advice to this parent would be to keep their phone and/or body inaccessible
while unconscious.

------
nfriedly
> _ordered 13 Pokemon gifts [...] was only allowed to return four of the
> items_

What's up with that? Isn't there a law that limits liability for unauthorized
purchases to $50? (And don't most banks and credit cards just make it $0?)

~~~
dangrossman
Under the FCBA your liability for purchases made with a lost or stolen credit
card is limited if you report the use to your card issuer in a timely manner.
There's no requirement that Amazon voluntarily refund all your kids'
purchases, and I'm not sure that unauthorized use of an Amazon account counts
as theft of the physical credit card in this case anyway.

~~~
IanCal
Strange. In the UK at least this would have been covered under existing
regulation:

[http://www.which.co.uk/consumer-rights/advice/i-want-to-retu...](http://www.which.co.uk/consumer-rights/advice/i-want-to-return-something-bought-online)

------
distantsounds
A fingerprint is /who you are/, i.e. a username. A password is /what you
know/, i.e. a phrase or string of characters.

Confirming you're the correct person is only half of the equation.

------
anotherevan
Do the fingerprint readers on phones check if there is a pulse?

I believe that most biometric readers for security (e.g., offices and such)
look for a pulse or other indicator so using a severed body-part would not
work. Always annoys me when I see that done in movies.

(One office I worked in had fingerprint access. The bathrooms were outside the
secured area, and I soon got into the habit of rubbing my hands together after
washing to warm them up, as a cold finger wouldn't read.)

------
crististm
Fingerprints are not passwords. They are more like (but not exactly)
usernames.

People seem to numb out when they hear this in person. I don't understand
why...

------
bryanmgreen
There's not a way to combine both Touch ID and PIN for iOS access, but some
apps do provide a PIN or passcode setting.

For me, with the banking apps on my phone for example, I use my fingerprint to
get into my phone and then manually type in the password. Seems like the best
combo to me for mobile security. (Not that I'm worried about it, I'm just
security minded.)

~~~
soneil
It'd seem fairly trivial for, e.g. Amazon (as in this case) to ask for your
Amazon password if you go over a certain dollar-spend - or even weigh the risk
of various product categories (e.g., you commonly overnight items from
household goods, so we'll trust your thumbprint; but you've never ordered 5
TVs before, you're gonna need your password for that one).
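
The step-up policy soneil sketches above (and the "ask for the password again for expensive purchases" idea earlier in the thread, plus spacehome's point that the answer to guessing is rate limiting) can be shown as a small checkout authorizer. This is an added example, not Amazon's, Apple's or any vendor's code: the dollar threshold, the "twice the largest past quantity" rule, the 5-failures-per-15-minutes lock and the use of PBKDF2 for the password are all assumptions chosen for illustration, and the purchase history is constructed sample data. The biometric unlock is taken as having already authenticated the device owner; the policy decides whether that is enough to *authorize* this particular order or whether something the owner knows is also required.

```python
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field

# Policy knobs: assumed values for this example, not any real retailer's.
STEP_UP_AMOUNT = 100.0    # any order at or above this total needs the password
MAX_FAILURES = 5          # failed password attempts allowed inside the window
WINDOW_SECONDS = 15 * 60  # sliding window (seconds) for the failure counter


@dataclass
class Purchase:
    category: str
    unit_price: float
    quantity: int = 1

    @property
    def total(self) -> float:
        return self.unit_price * self.quantity


def step_up_reason(history, purchase):
    """Return why this order needs the password, or None if the biometric
    unlock alone is enough. `history` is the owner's past purchases."""
    if purchase.total >= STEP_UP_AMOUNT:
        return "order total above threshold"
    past_in_category = [p for p in history if p.category == purchase.category]
    if not past_in_category:
        return "never ordered from this category"
    if purchase.quantity > 2 * max(p.quantity for p in past_in_category):
        return "quantity far above past orders in this category"
    return None


@dataclass
class PasswordVerifier:
    """PBKDF2 hash of the account password plus a sliding window of failed
    attempts, so a thumb on a reader cannot brute-force the password."""
    salt: bytes
    digest: bytes
    failures: deque = field(default_factory=deque)

    @classmethod
    def from_password(cls, password):
        salt = os.urandom(16)
        return cls(salt, cls._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, attempt, now):
        # Forget failures older than the window, then apply the rate limit
        # before doing any comparison at all.
        while self.failures and now - self.failures[0] > WINDOW_SECONDS:
            self.failures.popleft()
        if len(self.failures) >= MAX_FAILURES:
            return "locked"
        if hmac.compare_digest(self._hash(attempt, self.salt), self.digest):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        return "bad password"


def authorize(history, purchase, verifier, password=None, now=0.0):
    """Decide whether an order placed after a biometric unlock may proceed.
    Returns "authorized", "step-up required: <reason>", "bad password" or
    "locked"."""
    reason = step_up_reason(history, purchase)
    if reason is None:
        return "authorized"
    if password is None:
        return f"step-up required: {reason}"
    result = verifier.verify(password, now)
    return "authorized" if result == "ok" else result


if __name__ == "__main__":
    # Constructed sample history: a couple of small household orders.
    history = [Purchase("household", 12.0, 2), Purchase("household", 30.0, 1)]
    verifier = PasswordVerifier.from_password("correct horse battery")
    print(authorize(history, Purchase("household", 15.0, 1), verifier))
    print(authorize(history, Purchase("toys", 19.0, 13), verifier))
    print(authorize(history, Purchase("toys", 19.0, 13), verifier,
                    password="correct horse battery"))
```

The three checks in `step_up_reason` are deliberately independent: a cheap order in a never-seen category triggers step-up just as a large one does, which is the "five TVs" case from the comment. Locking after repeated failures is what keeps the password step-up meaningful when the attacker already has the unlocked phone in hand.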

~~~
bryanmgreen
Smart authentication/authorization is really interesting and I think a good
middle ground for most people.

------
intopieces
I disabled the iPhone feature that unlocks my phone with my thumbprint and
changed it to an alphanumeric password of 20 characters. That feature has
always been hit or miss for me anyway. Now it's harder for me to unlock my
phone, which has a bonus side-effect of making me use it less often.

------
maverick_iceman
Talk about a Midas touch.

------
datpuz
A true hacker.

------
sova
this kid will undoubtedly read hn in the future

------
andrewclunn
Sounds like an excellent potential recruit for Team Rocket!

------
aaron695
"used her mother's thumb to unlock a phone and open the Amazon app as mom
napped on the couch"

Or she made it up.....

~~~
sbuttgereit
This is the problem with "news" stories like this... and why I hate them. We
would have no way of knowing if this happened or not. It's plausible, but
plausible isn't the same as "it happened". One could say at best its value is
as a cautionary tale to other parents, but I'm willing to bet that if you're a
parent you've probably seen the potential for this sort of thing develop in
your child already... of course that's speculation, too :-)

(As an aside... who the hell decided that autoplay video/audio was legit?!
Yeah, I'm an old guy... and once upon a time that sort of thing was avoided...
but really.)

~~~
sosodaft
Relevant (a statistical look at internet stories):
[http://slatestarcodex.com/2016/12/12/might-people-on-the-int...](http://slatestarcodex.com/2016/12/12/might-people-on-the-internet-sometimes-lie/)

(Autoplay is the scourge of the internet and sites that autoplay audio or
video should be treated the same as, say, sites that use the blink tag)

~~~
yellowapple
> sites that autoplay audio or video should be treated the same as, say, sites
> that use the blink tag

At least <blink> didn't cause my browser to spontaneously start making noises.

