Endpoint

4/20/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Biometrics Are Coming & So Are Security Concerns

Could these advanced technologies be putting user data at risk?

From unlocking your smartphone with your face to boarding a flight with your fingerprints, the use of biometric data for authentication is becoming commonplace. In both identity management and identity verification, biometric applications are making marked improvements over current security protocols.

Traditional methods of identity management, while effective, are often a bother for end users. Passwords are hard to remember, even with password management software, and multifactor authentication (MFA) can be inconvenient. Despite the appeal of using biometric data to authenticate, are these systems actually more secure than passwords and MFA? And, more importantly, could they put user privacy at risk?

The risks of using biometrics fall into a few categories, including data and network hacking, rapidly evolving fraud capabilities, biometric enrollment security, familiar fraud (that is, caused by a family member or friend), spoofed sensors, and sensor inaccuracy.

One of the greatest risks is data security. Biometric sensors produce digital maps of a body part, which are then used for future matching and unlocking. That digital map can be stored locally on some devices (such as an iPhone fingerprint sensor) or transmitted across a network to a central storage database. Locally held data is significantly better protected because it is never out of your control while in transit. Data in motion must be encrypted on its way to storage and then secured. In both transit and storage, the data is vulnerable, and hackers are fairly adept at breaking into either, particularly if the data isn’t encrypted.

There have been many data hacking events over the past few years that demonstrate the potential for losing control of the data. For instance, the June 2015 hack of the US Office of Personnel Management resulted in the loss of 5.6 million unencrypted fingerprints of current and former US government employees.

Data in Danger
Biometric data is also at high risk when the data is first recorded and when the data is being changed. During these times, the data is in danger because it can be altered from a single point of interaction. Within biometric enrollment events, the biometric system can be exposed to fraud during the sign-up process. It is essential that identity is clearly established during the enrollment process, or the entire system is compromised. Familiar fraud is similar, as it takes place during enrollment or during a change to the recorded data. In this event, a person "familiar" to the person being identified gets control of the device that is used to sign up and records his or her own data instead of the data of the actual account owner.

Though it might seem difficult to fool a biometrics sensor, history has proven otherwise. The evolution of both sensors and the methods used to spoof them is an arms race between sensor vendors and black-hat hackers. Early fingerprint sensors could be fooled by a small piece of Play-Doh or a Gummy Bear. Image and facial recognition sensors have been fooled (in a laboratory environment) by 3-D images or unique shapes that can make the sensor "see" something different than the actual face, or identify the face in the image as the correct individual.

Sensor accuracy is somewhat of a security risk, but perhaps even more a privacy issue. When a user enrolls in a biometric system, his or her information is likely recorded in a well-lit, stable, predictable environment. But in the recurring use of the sensor, the conditions will not be ideal, and will probably have degraded. This opens up some issues, ranging from the simple inability to access a system to the misidentification of an individual. In practice, these problems can have significant implications because government agencies use simple fingerprint identification and increasingly more sophisticated facial recognition (or other biometrics) for identification and criminal investigation.

The central issue is that biometric authentication technologies pose privacy and security concerns: once biometric data has been compromised, there is no way to undo the damage. For a compromised password, you simply change it; for a fingerprint, ear image, or iris scan, you're stuck with the compromised biometric. You can, in some instances, change the biometric used, but even the ones that can be exchanged are limited. Biometric identifiers link the person to the system or activity in an explicit way. That's fine when unlocking your mobile device with a fingerprint or facial scanner, but there are other linkages that individuals will not find comfortable; for example, when used to authorize credit or debit transactions, your purchase history is uniquely tied to you.

Ultimately, the simplicity and performance of biometrics still outweigh most of the security and privacy risks. We should expect biometric use to continue to expand. The collection, use, and security of biometric data, however, is so far fairly unregulated. In the EU, the General Data Protection Regulation (GDPR), which goes into effect in May, does address biometric data as one of a few "special categories of personal data." With a few exceptions, the GDPR prevents the sharing of this data without express consent. In the US, however, there isn't a clear federal regulation addressing biometric data; instead, use of biometrics is managed by a series of overlapping and contradictory laws from both federal and state agencies.

Today, the best protection in the US comes from some self-regulating guidelines developed by industry groups and government agencies. As use grows, biometrics must become more regulated or user privacy could be at risk.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Michael Fauscette is the Chief Research Officer at G2 Crowd, a leading review website for business solutions. Prior to joining G2 Crowd, Mr. Fauscette spent 10 years as an executive and senior analyst at technology market research firm IDC, where he led worldwide business ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mehdi1973us
50%
50%
mehdi1973us,
User Rank: Apprentice
5/1/2018 | 6:08:44 PM
thanks
thanks very informative
thanks very informative
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.