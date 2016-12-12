Hacker News
Child uses sleeping mom's thumbprint to buy $250 worth of Pokémon toys (cnet.com)
73 points by dvdhnt 1 hour ago | 52 comments
I'm seeing two (obvious) bigger-picture trends here that this story reinforces.

1. Digital authentication for purchasing is moving towards non-transferable biometrics (I can't divulge my thumbprint like I can my PIN)

2. Goods of all kinds are being delivered faster

The scary thing for me is that thieves love goods delivered quickly, so they can turn them quickly, and cut down on their ability to get intercepted.

So what does the 'mugging' or identity theft of tomorrow look like? Am I taken at my doorstep and forced to make purchases from my phone with my thumb, while a drone arrives 10 minutes later with 10 iPads OR do I have my phone stolen and thumb lopped off with tree clippers so the fraudster has more time? What happens as retinal scanning becomes more common? What if it is my blood that unlocks my finances & credit?

Edit: I've heard thumbs are available for purchase.

The most fascinating part for me is that a 6-year-old managed to find a way to circumvent biometric security without hacking off someone's finger: authenticate while the user is asleep.

Necessity is truly the mother of innovation.

> 1. Digital authentication for purchasing is moving towards non-transferable biometrics (I can't divulge my thumbprint like I can my PIN)

It's an interesting topic, as we've seen in recent news coverage that authorities can compel the accused to provide a thumbprint to give investigators access. While this may be in accordance with something like password authentication, I'm still concerned about the ramifications. For example, what if authorities compel accused individuals to store their thumbprint rather than use it directly? Is that possible? And how will it be protected?

> Digital authentication for purchasing is moving towards non-transferable biometrics (I can't divulge my thumbprint like I can my PIN)

Yes you can. In fact, it's a lot easier for you to do so involuntarily.

EDIT: And, it should be noted, once it has been "divulged" or otherwise compromised, it's a lot more painful to change your thumbprint than a PIN or other non-biometric password.

There's a cool dystopian-ey youtube video briefly looking into that topic, among other things: https://www.youtube.com/watch?v=YJg02ivYzSs

Very cool, thanks.

They'd need your whole hand, since any finger can be used for a smartphone biometric scanner.

Truthfully, lots of different scannable areas will unlock a phone. I've successfully and reliably configured my toes, the knuckles on my hands, and the tip of my nose. All of them work pretty well.

Unless observed using biometric security in a specific manner, an adversary might have a hard time deducing what kind of print will provide access.

Even if they've determined that the phone contains biometric scans tied to security, how would they know it's yours, and not someone else's, or even a specially printed 3D key ring fob or something?

Then again, criminals don't always think deeply about such details during a crime. They might just chop off both hands, grab the phone, and figure out the rest on the run.

Chopping off your thumb is only in movies, where logic barely exists. In real life, you can cancel your funds and reverse their fraudulent transactions.

Only in movies? Lol

There's not a way to combine both Touch ID and PIN for iOS access, but some apps do provide a PIN or passcode setting.

For me, with the banking apps on my phone for example, I use my fingerprint to get into my phone and then manually type in the password. Seems like the best combo to me for mobile security. (Not that I'm worried about it, I'm just security minded.)

So is this the 21st-century version of stealing cash from your mom's purse?

Yup. In my opinion, this isn't a problem that needs solving. I bet with thumbprint security, money is more secure from house hooligans than it was when held in a wallet.

Maybe, but on the other hand, most people don't keep $250 in their wallets. Having an extra verification mechanism for expensive purchases seems appropriate.

Yeah I think there should be a limit (which you can override with a password) on how much money you can spend in a certain time period. Make it $10/day or something as default and let the user change it. Works well enough for mobile contracts to prevent over spend IMHO.

Depends how likely this scenario is. Adding security to a high-risk, low-occurrence event can be seen as wasteful.

Also before this technology, people kept credit cards in their wallet, which suffered the same fate from house hooligans. And before credit, people did keep $250 in their wallet.

Well, the security could just be to ask for one's password again.

I guess the credit card part is true; around here most people have debit cards with PINs, and which can't be used remotely, so it's unlikely a six-year-old could use it without their parent's consent. Then again, around here those parents would have the legal right to return all those purchases.

> ordered 13 Pokemon gifts [...] was only allowed to return four of the items

What's up with that? Isn't there a law that limits liability for unauthorized purchases to $50? (And don't most banks and credit cards just make it $0?)

Here's an example of a lawsuit compelling refunds of in-app purchases made by minors:

http://www.reuters.com/article/us-apps-kids-idUSBREA2U0M9201...

Under the FCBA your liability for purchases made with a lost or stolen credit card is limited if you report the use to your card issuer in a timely manner. There's no requirement that Amazon voluntarily refund all your kids' purchases, and I'm not sure that unauthorized use of an Amazon account counts as theft of the physical credit card in this case anyway.

I'd guess that some of the products were from Amazon whilst others were from third-party vendors.

As for the question of liability, there's usually a proviso for taking legal/criminal action against the perpetrator. Even if the parent wanted to take action against their child, being below the age of criminal responsibility, the parents may be legally responsible in any case.

I get relatively annoyed about the facile pedantry of this argument, but this is exactly the poster case for it, so here goes: fingerprints are usernames, not passwords.

I disagree. Fingerprints are privacy locks, not security locks.

The lock in your bathroom isn't meant to secure the bathroom. It's just a way to ensure that people get the message, "please don't enter".

A fingerprint on a phone is a way of saying the same thing. This phone isn't meant for common use, please don't enter.

I mostly cringe at the argument I quoted because it is often misapplied due to how we have historically misapplied passwords.

A username is an identity. Historically due to the difficulty of verifying identities online, we have used passwords as a way to do so. And when all we need to do is verify an identity or control basic access levels (the bathroom lock!), a fingerprint is absolutely good enough. But a password is more authorization than authentication: requiring a password is appropriate when you need a conscious decision, not mere identification. Such as for paying for Pokémon toys.

So essentially what I'm saying is that I agree with you.

Identity <> Authentication (or authority)

I deal with this in my industry (telecommunications). Just because you've provided proof of identity (eg your phone number, account number), there are still things you're not allowed to do until you've authenticated your right to perform an action. This is accomplished through a password, a PIN, etc. Something in addition to identity that indicates intent and authority.

On a phone, it's an interesting shift because with a PIN, we essentially bypassed the need for identity and used only a password; regardless of who you are, you can get in if you have the right key.

With the move to identity being sufficient to unlock a device, we're saying that just on the basis of identity, the authority that used to come with authentication (sans identity) can be granted. It's a 180 degree turn.

I don't see a way on my iPhone 6s to require both Touch ID and PIN; it's one or the other. Very few interactions require both, i.e. after a restart it requires the PIN before Touch ID will work.

You're demonstrating the difference between authentication and authorization, not the difference between identity and authentication. Notice you use the word authority, which has the same root word as authorization. Authentication is merely the confirmation of identity...it is not the same thing as authorization.
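The authentication-versus-authorization distinction drawn in the comments above, together with the earlier suggestion of a daily spending budget that a password can override, can be made concrete in code. The block below is an added example, not code from the thread, from Amazon or from any phone vendor: a fingerprint match merely marks the session as identified, purchases within the remaining daily budget go through on that alone, and anything over budget requires the account password, which is a deliberate act a napping owner cannot supply. The account names, limits, lockout threshold and sample password are all hypothetical.

```python
# Added example (not from the thread or any vendor): step-up authorization
# for purchases. Biometric unlock = identification only; spending past a
# user-chosen daily budget needs the password. Names and limits are
# hypothetical.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000
MAX_STEP_UP_FAILURES = 5  # hypothetical lockout threshold for bad passwords


@dataclass
class Account:
    name: str
    daily_limit_cents: int          # budget the owner chose (e.g. $10/day)
    password_hash: bytes
    salt: bytes
    spent_today_cents: int = 0
    step_up_failures: int = 0


@dataclass
class Session:
    # True once a fingerprint template matched. That says whose finger it
    # was, not whether the owner intended anything.
    identified: bool = False


def make_account(name: str, daily_limit_cents: int, password: str) -> Account:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Account(name, daily_limit_cents, digest, salt)


def check_password(acct: Account, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, acct.password_hash)


def authorize_purchase(acct: Account, session: Session, amount_cents: int,
                       password: Optional[str] = None) -> Tuple[bool, str]:
    """Return (approved, reason) and record the spend when approved.

    Identification (biometric unlock) suffices while the purchase fits in
    the remaining daily budget; beyond that, authorization needs the
    password. Repeated wrong passwords lock step-up out entirely.
    """
    if amount_cents <= 0:
        return False, "invalid amount"
    if not session.identified:
        return False, "device locked"
    if acct.step_up_failures >= MAX_STEP_UP_FAILURES:
        return False, "step-up locked out"

    if acct.spent_today_cents + amount_cents <= acct.daily_limit_cents:
        acct.spent_today_cents += amount_cents
        return True, "within daily budget"

    if password is None:
        return False, "password required: over daily budget"
    if not check_password(acct, password):
        acct.step_up_failures += 1
        return False, "password incorrect"

    acct.step_up_failures = 0
    acct.spent_today_cents += amount_cents
    return True, "authorized by password"


if __name__ == "__main__":
    mom = make_account("mom", daily_limit_cents=1_000, password="correct horse")
    phone = Session(identified=True)  # thumb pressed to the sensor while asleep
    print(authorize_purchase(mom, phone, 500))
    print(authorize_purchase(mom, phone, 25_000))
    print(authorize_purchase(mom, phone, 25_000, "correct horse"))
```

The point of the split is that the cheap, involuntary factor (a finger) buys only what the owner pre-approved, while the factor that requires consciousness gates everything else; a real implementation would also reset `spent_today_cents` on a daily schedule and rate-limit password attempts by time, not just by count.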

The "deliberateness" or "conscientiousness" of a lock is an interesting dimension.

A laser cutter I used to work with had two switches, one of which was a safety switch (like [1]) to prevent accidental activation. The goal here isn't security. It's a design decision to prevent accidents. It's almost a kind of intentional inconvenience.

[1] Safety switch with a cap that prevents accidental switching: http://acuteelectrical.com.au/safety-switch/

I bet legal experts could speak to this very well. At what point is someone breaking in?

That's a really nice distinction.

It feels like there's a bit of a spectrum, though. The lock on a house's door won't prevent a determined criminal, but it sends a very strong signal and is inconvenient to break.

Perhaps we should think of there as being multiple dimensions to locks, such as security, signaling, effort to circumvent, and convenience? (Perhaps also conscientiousness in disabling, in relation to @saosebastiao's point.)

Definitely a spectrum. Bike locks are for security, but mainly just to make your bike less convenient than another one nearby.

If someone wants into YOUR phone, they'll get it. If someone wants into A phone, a thumbprint may be plenty.

To expand on your analogy: a username says pretty much the same thing, except instead of a locked door, you have one of those "Do Not Disturb" signs on your door handle.

My passport is the username, my face matching the photo is the password.

Fingerprints are neither really suitable as usernames (because you can neither guarantee that users have them, nor that they don't change outside of your and the user's control, nor, really, even that they are unique, though they are conventionally assumed to be so) nor as passwords (because they aren't secret, can't be changed if compromised, etc.).

Huh, I've actually never looked at them from that perspective, but it makes total sense.

Just make sure to use a fingerprint manager and rotate your fingerprints on a regular basis.

A true hacker.

Sounds like an excellent potential recruit for Team Rocket!

"used her mother's thumb to unlock a phone and open the Amazon app as mom napped on the couch"

Or she made it up.....

The mom?

I have a small child that's been coming up to me with my phone and trying to nonchalantly guide my finger to unlock it since she was 4. She's never done it in my sleep (that I know of), but I don't for a second doubt she'd be able to do it if she was motivated to.

I remember loving the TV as a kid but recall that somehow, magically, my parents kept me off it outside TV hours without use of a password. I need to figure out that secret before it's too late!

Kids are not addicted in most cases, they are exploring. They don't know what options there are, or how far these things go, they just want to try it. If you present a child with lots of options, they won't stay with one all the time, for sure.

My parents were worried because I spent too much time reading; I've known people whose parents were worried because they spent too much time with music, or painting, or with friends, or playing football, or swimming, etc.

Children find things they like and explore them. Yes, as a parent your job is to get them to try a wider range of things and open them up to other stuff, but it's not 'screens' that are suddenly a new danger.

Parent here, of a toddler and a 1st grader, and based on my experience it's all about context. For example, if any of the following are true, the TV exists: TV is on or the children are inside and sedentary. Conversely, from the children's perspective, they tend to forget the TV exists or is an option if otherwise preoccupied indoors by activities like painting, reading, playing pretend, etc., or are in fact outdoors.

TL;DR - If kids can't see it, it doesn't exist.

To add to this (as the parent of a toddler), your usage patterns may have to change as well. I love taking videos of my daughter and she loves watching them. So when I pull out my phone to check email or a text, if she sees me do it, suddenly it exists in her world and she wants to watch videos asap.

It really does encourage you as a parent to have discipline with not only their screen time but your own as well.

Yes. Parent of 6 year old here. Screens are the modern day crack cocaine of childhood.

This is one of those stories where even if it is partially or entirely fabricated, the probability of something like it happening somewhere is nearly 100%. The odd thing about the story may be that this is the one that happened to get to the news, given how many times such things have probably happened.

(Similarly for the DailyWTF stories that people often claim can't be real. Well, even if the story you're looking at is made up, it's still happened a dozen times in the last week. Count yourself lucky that you can react in disbelief to these sorts of stories.)

This is the problem with "news" stories like this... and why I hate them. We would have no way of knowing if this happened or not. It's plausible, but plausible isn't the same as "it happened". One could say at best its value is as a cautionary tale to other parents, but I'm willing to bet that if you're a parent you've probably seen the potential for this sort of thing develop in your child already... of course, that's speculation, too :-)

(As an aside... who the hell decided that autoplay video/audio was legit?! Yeah, I'm an old guy... and once upon a time that sort of thing was avoided... but really.)

> It's plausible, but plausible isn't the same as "it happened".

I don't entirely disagree but really, in the context of a fairly trivial matter for anyone who isn't the person in question, what's the difference?

For example, I found a 20 euro bill on the ground at the ATM the other day. It makes no difference to you whether that's true - it only makes a difference to me and the person that lost the bill. At best it serves as a cautionary tale to those that don't pay attention to their money at the ATM.

If the story is plausible (that is, possible and not unlikely) and isn't particularly exceptional (such as, "click here to find out about obama's secret slave trading circle"), what's the difference?

That is, what is the concrete difference, to you and anyone commenting here, whether that child really did that or not? It's not unlikely enough that it would not occur. And we've seen a lot of very real stories about children stealing credit cards to spend hundreds or thousands on mobile games. And if you don't believe those either I can give you a personal account: When I was a kid I repeatedly broke the parental phone lock to call expensive numbers on the TV.

This is an iteration of the same thing.

Relevant (a statistical look at internet stories): http://slatestarcodex.com/2016/12/12/might-people-on-the-int...

> sites that autoplay audio or video should be treated the same as, say, sites that use the blink tag

At least <blink> didn't cause my browser to spontaneously start making noises.

"and once upon a time that sort of thing [autoplay video/audio] was avoided"

It was? I remember websites showing off their ability to make your browser automatically play background music as early as the late 90's / early 00's.

