Endpoint

4/20/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Biometrics Are Coming & So Are Security Concerns

Could these advanced technologies be putting user data at risk?

From unlocking your smartphone with your face to boarding a flight with your fingerprints, the use of biometric data for authentication is becoming commonplace. In both identity management and identity verification, biometric applications are making marked improvements over current security protocols.

Traditional methods of identity management, while effective, are often a bother for end users. Passwords are hard to remember, even with password management software, and multifactor authentication (MFA) can be inconvenient. Despite the appeal of using biometric data to authenticate, are these systems actually more secure than passwords and MFA? And, more importantly, could they put user privacy at risk?

The risks of using biometrics fall into a few categories, including data and network hacking, rapidly evolving fraud capabilities, biometric enrollment security, familiar fraud (that is, caused by a family member or friend), spoofed sensors, and sensor inaccuracy.

One of the greatest risks is data security. Biometric sensors produce digital maps of a body part, which are then used for future matching and unlocking. That digital map can be stored locally on some devices (such as an iPhone fingerprint sensor) or transmitted across a network to a central storage database. Locally held data is significantly better protected because it is never out of your control while in transit. Data in motion must be encrypted on its way to storage and then secured. In both transit and storage, the data is vulnerable, and hackers are fairly adept at breaking into either, particularly if the data isn’t encrypted.

There have been many data hacking events over the past few years that demonstrate the potential for losing control of the data. For instance, the June 2015 hack of the US Office of Personnel Management resulted in the loss of 5.6 million unencrypted fingerprints of current and former US government employees.

Data in Danger
Biometric data is also at high risk when the data is first recorded and when the data is being changed. During these times, the data is in danger because it can be altered from a single point of interaction. Within biometric enrollment events, the biometric system can be exposed to fraud during the sign-up process. It is essential that identity is clearly established during the enrollment process, or the entire system is compromised. Familiar fraud is similar, as it takes place during enrollment or during a change to the recorded data. In this event, a person "familiar" to the person being identified gets control of the device that is used to sign up and records his or her own data instead of the data of the actual account owner.

Though it might seem difficult to fool a biometrics sensor, history has proven otherwise. The evolution of both sensors and the methods used to spoof them is an arms race between sensor vendors and black-hat hackers. Early fingerprint sensors could be fooled by a small piece of Play-Doh or a Gummy Bear. Image and facial recognition sensors have been fooled (in a laboratory environment) by 3-D images or unique shapes that can make the sensor "see" something different than the actual face, or identify the face in the image as the correct individual.

Sensor accuracy is somewhat of a security risk, but perhaps even more a privacy issue. When a user enrolls in a biometric system, his or her information is likely recorded in a well-lit, stable, predictable environment. But in the recurring use of the sensor, the conditions will not be ideal, and will probably have degraded. This opens up some issues, ranging from the simple inability to access a system to the misidentification of an individual. In practice, these problems can have significant implications because government agencies use simple fingerprint identification and increasingly more sophisticated facial recognition (or other biometrics) for identification and criminal investigation.

The central issue is that biometric authentication technologies pose privacy and security concerns: once biometric data has been compromised, there is no way to undo the damage. For a compromised password, you simply change it; for a fingerprint, ear image, or iris scan, you're stuck with the compromised biometric. You can, in some instances, change the biometric used, but even the ones that can be exchanged are limited. Biometric identifiers link the person to the system or activity in an explicit way. That's fine when unlocking your mobile device with a fingerprint or facial scanner, but there are other linkages that individuals will not find comfortable; for example, when used to authorize credit or debit transactions, your purchase history is uniquely tied to you.

Ultimately, the simplicity and performance of biometrics still outweigh most of the security and privacy risks. We should expect biometric use to continue to expand. The collection, use, and security of biometric data, however, is so far fairly unregulated. In the EU, the General Data Protection Regulation (GDPR), which goes into effect in May, does address biometric data as one of a few "special categories of personal data." With a few exceptions, the GDPR prevents the sharing of this data without express consent. In the US, however, there isn't a clear federal regulation addressing biometric data; instead, use of biometrics is managed by a series of overlapping and contradictory laws from both federal and state agencies.

Today, the best protection in the US comes from some self-regulating guidelines developed by industry groups and government agencies. As use grows, biometrics must become more regulated or user privacy could be at risk.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Michael Fauscette is the Chief Research Officer at G2 Crowd, a leading review website for business solutions. Prior to joining G2 Crowd, Mr. Fauscette spent 10 years as an executive and senior analyst at technology market research firm IDC, where he led worldwide business ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mehdi1973us
50%
50%
mehdi1973us,
User Rank: Apprentice
5/1/2018 | 6:08:44 PM
thanks
thanks very informative
thanks very informative
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.