Every new iPhone tends to have one marquee feature that catches everyone's attention. The iPhone 4 had a radical and sleek redesign. The 4S had Siri, the voice-activated personal assistant. The 5 had a larger screen. And now, Apple (AAPL) brings us the iPhone 5S, whose killer feature is a new home button with a fingerprint sensor that lets you unlock the phone and make purchases with a simple touch. That should make people more likely to lock their phones, and make thieves less likely to swipe iPhones, knowing they'd need a fingerprint to break into them.
But is the fingerprint scanner really as safe as it seems?
A few people have joked on Twitter that it will lead to a rash of fingertip amputations by smartphone thieves. That seems unlikely, but a Wall Street Journal report debunked the notion anyway, observing that the scanner probably requires some sign of life. But beyond that, there are concerns that it's not the foolproof security system that it appears to be.
"Fingerprints are not secret: we leave copies of them wherever we go, even if we're trying hard not to, as cop show [aficionados] will be well aware," writes security expert John Hawes. "Once someone devious has got hold of a copy, purely visual sensors can be fooled by photographs, while more sophisticated techniques which measure textures, temperatures and even pulses are still open to cheating using flesh-like materials, or even gelatin snacks."
Yes, there's actually a grain of truth in those heist movies where someone lifts an impression of a fingerprint, presses it against a fingerprint reader, and then goes on to steal, say, the Declaration of Independence. Presumably that's not an issue for people concerned about getting mugged for their smartphones, though business users with valuable data on their devices should think twice about using a fingerprint as their only line of defense.
But another concern is what could happen if a database of fingerprint information is breached. After all, when a company like LivingSocial discovers that someone hacked its database of encrypted passwords, it tells its users to change their passwords as a precaution. But you can't change your fingerprint -- except with "acid, sandpaper or some other hardened-gangster technique," writes Hawes.
And if fingerprint scanners get more common as a security procedure, it essentially means that you'll be using the same "password" -- your finger -- for multiple accounts, which is not ideal.
The good news in this case is that there will be no central database to be hacked -- Apple says your fingerprint will be stored locally, on the phone's chip. Still, Hawes writes that we should "expect this storage area and the connections to it to become the subject of frenzied investigations by hackers of all persuasions."
Apple products have generally proven more difficult to hack than other smartphones, so this doesn't seem to be an imminent concern. But just know that securing your phone with what seems like spy technology doesn't guarantee that it's uncrackable.
As a final note, it must be said that this isn't all about keeping your phone secure. As many observers have pointed out, the real boon for Apple here is that the fingerprint reader allows users to quickly make purchases without having to punch in a password. That's going to mean a lot more impulse buys, so perhaps the biggest risk here is that you'll find yourself buying more songs and apps now that you no longer have that passcode barrier slowing you down.
You Thought You Were Safe? The Myths and Realities of Your Online Security
Is the iPhone 5S Fingerprint Sensor All It's Cracked Up to Be?
For years, security professionals have emphasized the importance of shredding your personal documents before you throw them out. But Holland notes that shredding isn't as much of a priority as it used to be. "There aren't nearly as many documents with personal information out there as there were even just two years ago," he explains. "These days, it's much easier to get your information off your computer."
Passwords are your first line of defense against intruders. But, as Holland points out, even the most careful people sometimes have password breaches. "I've helped chief privacy officers from health care and security firms," he notes. "If they're getting hit, then anyone is vulnerable." While Holland notes the importance of having a good password, he emphasizes that the most important thing is paying attention to password breach notifications. If you hear that one of your passwords may have been breached, he counsels, change it immediately. And, because many of your accounts may be linked, he notes, it's not a bad idea to change the rest of your passwords as well.
One piece of advice that you don't often hear is to keep on top of software updates. But, Holland argues, updating your operating system, your software, and your security programs is one of the easiest and most important ways to ensure your security. Software companies spend a lot of time and money trying to stay ahead of online intruders -- it only makes sense to take advantage of their work.
Even if you are convinced that your security is state-of-the-art and your password is unbreakable, it never hurts to double-check your most sensitive accounts. Holland suggests regularly checking your bank and credit card statements to ensure that there aren't any inappropriate charges on your accounts. As a side benefit, this is also a great way to catch any unexpected fees that your bank may try to spring on you.
When a breach happens, a fast response can mean the difference between a minor annoyance and a major pain in the neck. With that in mind, Holland suggests talking to your bank about having transaction alerts placed on your account. Every time your account is credited with a transaction over a particular amount -- $50, for example -- your bank will send you an e-mail or text notification. If it's an expected transaction, you can discard the message; if not, you'll be able to respond immediately.
Every year, you are entitled to a free credit report from each of the reporting bureaus. Holland suggests taking advantage of this free service, noting that your credit report is a great way to track your outstanding debts and ensure that nobody is trying to open false accounts in your name. He emphasizes, however, that the best way to get your free report is by going to AnnualCreditReport.com, not FreeCreditReport.com. "That site's a scam," he laughs.