I got drunk last night and got robbed because I was using Touch ID :-(

laDouche
Community Member
edited December 2014 in iOS

hi guys,

not looking to blame anyone but thought i'd share my tale of sorrow here...

long story short, i was at a party last night and i passed out after some heavy drinking. i woke up this morning and walked to an atm machine wanting to get some cash out for a cab. to my amazement, the transaction was declined. so i whipped out my shiny new iphone 6, fired up 1password, placed my thumb for the touchid, and logged in to my online banking website.

what do i find in there? well... nada... someone has made a few money transfers from my a/c and cleaned me out. some bas**** at the party has logged into my bank a/c using 1password and my thumb and made out with my money while i was knocked out.

im currently working with the police and my bank to try and get my money back but, be really careful guys. touchid on 1password is a bad idea when it comes to scenarios like this.

from now on, i will never use touchid with 1password. but it's a real hassle typing in the master password all the time. wish there was a quick unlock code option for those of us who don't wanna use touchid.

thanks!

Comments

  • naar
    Community Member

    Thanks for sharing your experience.
    Drinking a lot is always a bad idea, did u not have any passcode or any password on your phone? Sim pin code?

    It is recommended to have a strong passcode on your phone, this way ur whole phone is secured and u can keep using the thumb for ur 1password without any worry.

  • Ben

    Thanks for sharing. An important consideration to make. If you're a binge drinker, prone to passing out, you may want to consider using the more secure Master Password vs Touch ID, and also consider securing your phone with a PIN vs Touch ID.

    This is in line with what they call the 'wrench scenario':

    The best security in the world cannot protect you if you give an attacker the keys (either under duress or intoxication).

  • laDouche
    Community Member

    oh well... this was the first time i passed out.

    i now understand it was quite silly of me to protect both my phone and 1password with touchid...

    really hope you guys implement a quick unlock code for 1password, because my master pass is like 15 characters long and its tedious work entering it several times a day :-)

    so yeh... let this be a lesson to everyone using touchid :-)

  • MrC
    Volunteer Moderator

    from now on, i will never use touchid with 1password
    ...
    i now understand it was quite silly of me to protect both my phone and 1password with touchid...
    ...
    so yeh... let this be a lesson to everyone using touchid :-)

    I'm afraid you've learned the wrong lesson. :)

  • laDouche
    Community Member

    lol... yeh the correct lesson would be to not drink till passing out. but what if i was drugged?
    or what if i bring home a stranger and they give me sleeping pills or something :-)

  • MrC
    Volunteer Moderator

    Maybe one lesson to learn is to hang out with good, trustworthy people, who are truly interested in your well being, who watch your back, and provide a safety net. That pretty much dissolves your other scenarios.

    Or turn off your phone before entering the party and quaffing the brew.

    Or drain your account first to buy the keggers. :)

  • laDouche
    Community Member

    hahaha all good points...

    but how would i take selfies and post on instagram if i turned off my phone? lol B)

  • MrC
    Volunteer Moderator
    edited December 2014

    After rebooting your iDevice, you'll need to enter your passcode, so TouchID is essentially disabled for 1Password until then.

    Or disable TouchID upon entering a hostile environment such as a frathouse, Isla Vista block party, or your mother-in-law's house.

    Edit: my posts were mostly Tongue-in-cheek, just having some fun.

  • jpgoldberg
    1Password Alumni

    Right, so the next time you are blind drunk, @laDouche, have the presence of mind to turn off your phone.

    Somehow, I don't see that as the kind of security advice we can anticipate people following. After all, one of the pleasures of intoxication is that you don't worry about such stuff.

    What we can (and can't) do.

    I can't promise anything, but we've been trying to find ways to reliably provide a "require Master Password after N minutes".

    We did offer such a thing for a while, but because we have no reliable way to take action after a certain time, we switched to making it on reboot. We were able to get away with the unreliability before use of the 1Password application extension, but once people start using extensions, the ability to quickly and reliably unlock, even after the 1Password app had fully closed, became more important. (Plus, iOS 8's AccessibleWhenPasscodeSetThisDeviceOnly made us more comfortable keeping a Master Password equivalent around longer).

    We continue to explore refining the settings and behavior of TouchID, PIN codes, etc. But as I said, we can't promise anything.

  • khad
    1Password Alumni

    One thing to consider (that doesn't require a device restart) is to simply use Settings > Security > Lock Now in 1Password. Even with Touch ID enabled in the app, your Master Password will now be required to unlock 1Password.

    Take all the selfies for Instagram that you want, just don't unlock 1Password with your Master Password until you are safely back in your own bed.

    If my own past experience is any indication, being that inebriated may likely help keep 1Password locked presuming it requires accurately typing the Master Password.

  • jpgoldberg
    1Password Alumni

    Even quicker than @khad's excellent suggestion:

    One thing to consider (that doesn't require a device restart) is to simply use Settings > Security > Lock Now in 1Password. Even with Touch ID enabled in the app, your Master Password will now be required to unlock 1Password.

    is to attempt to unlock with the wrong finger a few times. After a few failures, 1Password will throw away the TouchID key and require your full Master Password thereafter.

  • rob
    edited December 2014

    Or just hit Cancel on 1Password's Touch ID prompt. So many options! :)
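
The behaviour described in the posts above (a Master Password equivalent kept in the iOS keychain under AccessibleWhenPasscodeSetThisDeviceOnly, and thrown away after a cancelled or failed Touch ID prompt), sketched as an added example that is not part of the thread and is not 1Password's code. The service and account strings and the three function names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for this sketch; not 1Password's real names.
let service = "com.example.vault"
let account = "quick-unlock-secret"
let itemQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: service,
    kSecAttrAccount as String: account,
]

/// Remove the stored secret; afterwards only the Master Password can unlock.
@discardableResult
func discardQuickUnlockSecret() -> Bool {
    let status = SecItemDelete(itemQuery as CFDictionary)
    return status == errSecSuccess || status == errSecItemNotFound
}

/// Store a Master Password equivalent that exists only while a device passcode
/// is set, is never backed up or migrated, and needs user presence to read.
func storeQuickUnlockSecret(_ secret: Data) -> Bool {
    // .userPresence accepts Touch ID or the device passcode as a fallback.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .userPresence, nil)
    else { return false }
    discardQuickUnlockSecret() // replace any earlier item
    var attrs = itemQuery
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil) == errSecSuccess
}

/// Prompt for Touch ID and return the secret. A cancelled or failed prompt
/// discards the item, so the next unlock requires the full Master Password.
func readQuickUnlockSecret() -> Data? {
    var query = itemQuery
    query[kSecReturnData as String] = true
    query[kSecUseOperationPrompt as String] = "Unlock vault"
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecSuccess { return result as? Data }
    if status == errSecUserCanceled || status == errSecAuthFailed {
        discardQuickUnlockSecret()
    }
    return nil
}
```

Items in this accessibility class are deleted by iOS if the device passcode is removed. Because `.userPresence` falls back to the device passcode, the strength of that passcode bounds the protection of the stored secret.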

  • laDouche
    Community Member

    awesome guys!!! those are all doable workarounds until the devs come up with a better solution...

    cheers!

  • benfdc
    Community Member

    I wonder how well the “wrong finger” gambit would work against the cops.

  • rob

    @benfdc Interesting article for sure. I've actually thought through this before, and that's when I decided on the "Cancel" approach. If I ever feel it's necessary, I can quickly launch 1P and press Cancel and the data will be locked down to the Master Password. For the phone, it's not as quick -- shutting it off is probably the fastest way to disable Touch ID access.

  • great
    Community Member

    i don't buy it.
    What you are saying is: that you passed out, a guy came and searched you to find your phone, which he knew had a fingerprint reader, took your hand and put it on the home button to unlock it, then searched through your apps to find the 1password app, which he was very lucky to find, and he knew what the app can do, then used your finger again to unlock it while you were not awake, went to the web browser, which again he knew the app has and can unlock a web page, found your bank entry, and used it to log on and transfer money.
    all of the banks have a third way of authenticating via a Token or something similar and for sure you could find him since he had to transfer the money to his own account and that can be found by the logs.

  • jpgoldberg
    1Password Alumni

    @great, laDouche's account of events doesn't have to be "likely" for it to be true. And it doesn't even have to be true for it to remain a legitimate concern.

    I think that we can have a useful and productive discussion here without calling anyone a liar. So I will choose to read your comments as pointing out that this isn't the kind of attack we should expect to be common. That, I think, is a very fair point.

This discussion has been closed.