Your smartphone may help fight cybercrime
Smartphones can be identified just by analysing one photo taken by the device, an advance that paves the way for a new authentication process - instead of fingerprints or passwords - to deter cybercrime.
"Like snowflakes, no two smartphones are the same. Each device, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture they take," said Kui Ren, from the University at Buffalo in the US.
"It's kind of like matching bullets to a gun, only we're matching photos to a smartphone camera," said Ren.
The technology could become part of the authentication process - like PIN numbers and passwords - that customers complete at cash registers, ATMs and during online transactions.
For people who have had their personal identification stolen, it could also help prevent cybercriminals from using that information to make purchases in their name, said Ren.
Digital cameras are built to be identical. However, manufacturing imperfections create tiny variations in each camera's sensors.
These variations, called photo-response non-uniformity (PRNU), can cause some of a sensor's millions of pixels to project colours that are slightly brighter or darker than they should be.
This lack of uniformity forms a systemic distortion in the photo called pattern noise. Extracted by special filters, the pattern is unique for each camera.
PRNU analysis is common in digital forensic science. However, it has not been applied to cybersecurity because extracting it had required analysing 50 photos taken by a camera, and experts thought that customers would not be willing to supply that many photos.
Compared to a conventional digital camera, the image sensor of a smartphone is much smaller. The reduction amplifies the pixels' dimensional non-uniformity and generates a much stronger PRNU, researchers said.
As a result, it is possible to match a photo to a smartphone camera using one photo instead of the 50 normally required for digital forensics.
The study discusses how such a system might work. First, a customer registers with a business - such as a bank or retailer - and provides that business with a photo that serves as a reference.
When a customer initiates a transaction, the retailer asks the customer (likely through an app) to photograph two QR codes (a type of barcode) presented on an ATM, cash register or other screen.
Using the app, the customer then sends the photograph back to the retailer, which scans the picture to measure the smartphone's PRNU.
The retailer can detect a forgery because the PRNU of the attacker's camera will alter the PRNU component of the photograph.
More tech-savvy cybercriminals could potentially remove the PRNU from their device. However, the new protocol can spot this because the QR codes include an embedded probe signal that will be weakened by the removal process.
The transaction is either approved or denied based upon these tests.
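The matching step at the heart of this scheme, enrolling one reference photo and then checking a submitted photo against it, can be sketched in Python. This is an added example, not the researchers' code: the sensors and scenes are simulated, a 3x3 box blur stands in for the special filters, the PRNU strength and the 0.3 threshold are assumed values, and the QR probe signal is not modelled.

```python
import math
import random

SIZE = 64  # constructed 64x64 grayscale sensor

def make_sensor(seed, strength=0.02):
    """Per-pixel gain error (PRNU factor); strength is an assumed value."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, strength) for _ in range(SIZE * SIZE)]

def shoot(sensor, base, seed):
    """Photograph a smooth synthetic scene: pixel = scene * (1 + K) + shot noise."""
    rng = random.Random(seed)
    img = []
    for y in range(SIZE):
        for x in range(SIZE):
            scene = base + 30.0 * math.sin(2 * math.pi * x / SIZE)
            img.append(scene * (1.0 + sensor[y * SIZE + x]) + rng.gauss(0.0, 1.0))
    return img

def residual(img):
    """Noise residual: image minus a 3x3 box-blurred copy (simple denoiser)."""
    out = []
    for y in range(SIZE):
        for x in range(SIZE):
            acc = 0.0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    acc += img[((y + dy) % SIZE) * SIZE + (x + dx) % SIZE]
            out.append(img[y * SIZE + x] - acc / 9.0)
    return out

def correlation(a, b):
    """Normalised cross-correlation of two residuals, in [-1, 1]."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    den = math.sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))
    return num / den

def verify(reference_photo, submitted_photo, threshold=0.3):
    """Accept only if the submitted photo carries the enrolled pattern noise."""
    score = correlation(residual(reference_photo), residual(submitted_photo))
    return score >= threshold, score

customer, other = make_sensor(1), make_sensor(2)  # two simulated phones
enrolled = shoot(customer, base=120.0, seed=10)   # photo given at registration
print(verify(enrolled, shoot(customer, base=150.0, seed=11)))  # same phone
print(verify(enrolled, shoot(other, base=150.0, seed=12)))     # different phone
```

The scenes differ between enrolment and verification, so the high score for the customer's phone comes from the shared sensor pattern rather than from shared image content.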