Dark Reading is part of the Informa Tech Division of Informa PLC

Endpoint

4/20/2018
10:30 AM
Biometrics Are Coming & So Are Security Concerns

Could these advanced technologies be putting user data at risk?

From unlocking your smartphone with your face to boarding a flight with your fingerprints, the use of biometric data for authentication is becoming commonplace. In both identity management and identity verification, biometric applications are making marked improvements over current security protocols.

Traditional methods of identity management, while effective, are often a bother for end users. Passwords are hard to remember, even with password management software, and multifactor authentication (MFA) can be inconvenient. Despite the appeal of using biometric data to authenticate, are these systems actually more secure than passwords and MFA? And, more importantly, could they put user privacy at risk?

The risks of using biometrics fall into a few categories, including data and network hacking, rapidly evolving fraud capabilities, biometric enrollment security, familiar fraud (that is, caused by a family member or friend), spoofed sensors, and sensor inaccuracy.

One of the greatest risks is data security. Biometric sensors produce digital maps of a body part, which are then used for future matching and unlocking. That digital map can be stored locally on some devices (such as an iPhone fingerprint sensor) or transmitted across a network to a central storage database. Locally held data is significantly better protected because it never leaves the device and so is never out of your control in transit. Data in motion must be encrypted on its way to storage and then secured at rest. In both transit and storage, the data is vulnerable, and hackers are fairly adept at breaking into either, particularly if the data isn't encrypted.

There have been many data hacking events over the past few years that demonstrate the potential for losing control of the data. For instance, the June 2015 hack of the US Office of Personnel Management resulted in the loss of 5.6 million unencrypted fingerprints of current and former US government employees.
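The article's point is that a stored or transmitted template is only as safe as the encryption around it, and the OPM loss is the unencrypted case. The Go program below is an added example written for this edit, not code from the article or from any biometric vendor: it seals a template with AES-256-GCM under a key the device holds (assumed here to live in a secure element or OS keystore, never beside the record), binds the subject ID as associated data, and then checks three things a defender cares about: the stored record does not contain the raw template, a single flipped bit in the record is rejected instead of being matched against, and a record copied onto another subject's account is rejected too. The template bytes and subject IDs are constructed placeholders; real templates are opaque vendor-specific blobs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-in for a fingerprint template; real templates are opaque binary blobs.
var sampleTemplate = []byte("FPT-v1:minutiae=[(12,40,30),(77,19,122),(55,88,270)]")

// newAEAD builds AES-256-GCM from a device-held key. Assumption for this example: the key
// is kept in a secure element or OS keystore, never in the same store as the records.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealTemplate returns nonce || ciphertext || tag. The subject ID is bound as associated
// data, so a record cannot be re-attached to a different account without detection.
func sealTemplate(key []byte, subjectID string, template []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, template, []byte(subjectID)), nil
}

// openTemplate reverses sealTemplate. Any bit flip in the record, a wrong key, or a
// mismatched subject ID makes the GCM tag check fail, so the record is rejected.
func openTemplate(key []byte, subjectID string, record []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, sealed := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(subjectID))
}

type demoResult struct {
	Leaks        bool // stored record contains the raw template bytes
	TamperCaught bool // a flipped bit in the record is rejected
	MoveCaught   bool // the record presented under another subject ID is rejected
	RoundTrip    bool // the legitimate decrypt returns the original template
}

// demo runs the three defensive checks against a freshly sealed record.
func demo() (demoResult, error) {
	var r demoResult
	key := make([]byte, 32) // AES-256 key, generated here for the example
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	record, err := sealTemplate(key, "subject-001", sampleTemplate)
	if err != nil {
		return r, err
	}
	r.Leaks = bytes.Contains(record, sampleTemplate)

	plain, err := openTemplate(key, "subject-001", record)
	r.RoundTrip = err == nil && bytes.Equal(plain, sampleTemplate)

	tampered := append([]byte(nil), record...)
	tampered[len(tampered)-1] ^= 0x01 // simulate one flipped bit in storage
	_, err = openTemplate(key, "subject-001", tampered)
	r.TamperCaught = err != nil

	_, err = openTemplate(key, "subject-002", record) // same record, different account
	r.MoveCaught = err != nil
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("raw template visible in record: %v\n", r.Leaks)
	fmt.Printf("tampered record rejected:       %v\n", r.TamperCaught)
	fmt.Printf("moved record rejected:          %v\n", r.MoveCaught)
	fmt.Printf("legitimate round trip ok:       %v\n", r.RoundTrip)
}
```

The design choice worth noting is where the key lives: the ciphertext in the central database is only protected to the extent the key is elsewhere. If the key is stored in the same database (or is derivable from it), a database breach is equivalent to the unencrypted case the article describes.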

Data in Danger
Biometric data is also at high risk when the data is first recorded and when the data is being changed. During these times, the data is in danger because it can be altered from a single point of interaction. Within biometric enrollment events, the biometric system can be exposed to fraud during the sign-up process. It is essential that identity is clearly established during the enrollment process, or the entire system is compromised. Familiar fraud is similar, as it takes place during enrollment or during a change to the recorded data. In this event, a person "familiar" to the person being identified gets control of the device that is used to sign up and records his or her own data instead of the data of the actual account owner.

Though it might seem difficult to fool a biometrics sensor, history has proven otherwise. The evolution of both sensors and the methods used to spoof them is an arms race between sensor vendors and black-hat hackers. Early fingerprint sensors could be fooled by a small piece of Play-Doh or a Gummy Bear. Image and facial recognition sensors have been fooled (in a laboratory environment) by 3-D images or unique shapes that can make the sensor "see" something different than the actual face, or identify the face in the image as the correct individual.

Sensor accuracy is somewhat of a security risk, but perhaps even more a privacy issue. When a user enrolls in a biometric system, his or her information is likely recorded in a well-lit, stable, predictable environment. But in everyday use of the sensor, the conditions will not be ideal and will probably be worse than at enrollment. This opens up some issues, ranging from the simple inability to access a system to the misidentification of an individual. In practice, these problems can have significant implications because government agencies use simple fingerprint identification and increasingly more sophisticated facial recognition (or other biometrics) for identification and criminal investigation.
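The two failure modes named above, locking out the real user and misidentifying someone else, are the two sides of one decision threshold. The Go program below is an added example written for this edit (not from the article): it takes constructed matcher similarity scores, where the genuine user's everyday attempts score lower than at enrollment, computes the false accept rate (FAR, impostors passing) and false reject rate (FRR, the real user failing) at several thresholds, and then finds the most permissive threshold that still meets a chosen FAR target. The score values and the 0.01 scan step are assumptions for illustration.

```go
package main

import "fmt"

// Constructed matcher similarity scores in [0,1]. "Genuine" attempts are the enrolled
// person re-presenting under everyday conditions (worse lighting, dirt, wear), so they
// spread well below the near-perfect score seen at enrollment; "impostor" attempts are
// other people presented to the same sensor.
var genuineScores = []float64{0.92, 0.88, 0.81, 0.76, 0.70, 0.64, 0.59, 0.55}
var impostorScores = []float64{0.12, 0.25, 0.33, 0.41, 0.48, 0.52, 0.57, 0.61}

// errorRates returns the false accept rate (impostors scoring at or above the threshold)
// and the false reject rate (genuine users scoring below it) for one decision threshold.
func errorRates(threshold float64, genuine, impostor []float64) (far, frr float64) {
	accepts, rejects := 0, 0
	for _, s := range impostor {
		if s >= threshold {
			accepts++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejects++
		}
	}
	return float64(accepts) / float64(len(impostor)), float64(rejects) / float64(len(genuine))
}

// thresholdForFAR scans thresholds 0.00..1.00 in steps of 0.01 and returns the lowest one
// whose FAR does not exceed maxFAR, together with the FRR the deployment pays for it.
// Lowering the threshold to cut lockouts raises FAR; this makes that trade explicit.
func thresholdForFAR(maxFAR float64, genuine, impostor []float64) (threshold, frr float64) {
	for i := 0; i <= 100; i++ {
		t := float64(i) / 100
		far, r := errorRates(t, genuine, impostor)
		if far <= maxFAR {
			return t, r
		}
	}
	return 1.0, 1.0 // not reached: at threshold 1.0 no impostor score qualifies
}

func main() {
	for _, t := range []float64{0.75, 0.65, 0.55} {
		far, frr := errorRates(t, genuineScores, impostorScores)
		fmt.Printf("threshold %.2f: FAR %.3f  FRR %.3f\n", t, far, frr)
	}
	t, frr := thresholdForFAR(0, genuineScores, impostorScores)
	fmt.Printf("lowest threshold with zero false accepts: %.2f (FRR %.3f)\n", t, frr)
}
```

With these constructed scores, a threshold strict enough to admit no impostor still rejects a quarter of the genuine user's everyday attempts, while a threshold that admits every genuine attempt lets a quarter of impostors through. Real deployments measure these rates on the sensor and population actually in use, not on enrollment-quality samples.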

The central issue is that biometric authentication technologies pose privacy and security concerns: once biometric data has been compromised, there is no way to undo the damage. For a compromised password, you simply change it; for a fingerprint, ear image, or iris scan, you're stuck with the compromised biometric. You can, in some instances, change the biometric used, but even the ones that can be exchanged are limited. Biometric identifiers link the person to the system or activity in an explicit way. That's fine when unlocking your mobile device with a fingerprint or facial scanner, but there are other linkages that individuals will not find comfortable; for example, when used to authorize credit or debit transactions, your purchase history is uniquely tied to you.

Ultimately, the simplicity and performance of biometrics still outweigh most of the security and privacy risks. We should expect biometric use to continue to expand. The collection, use, and security of biometric data, however, is so far fairly unregulated. In the EU, the General Data Protection Regulation (GDPR), which goes into effect in May, does address biometric data as one of a few "special categories of personal data." With a few exceptions, the GDPR prevents the sharing of this data without express consent. In the US, however, there isn't a clear federal regulation addressing biometric data; instead, use of biometrics is managed by a series of overlapping and contradictory laws from both federal and state agencies.

Today, the best protection in the US comes from some self-regulating guidelines developed by industry groups and government agencies. As use grows, biometrics must become more regulated or user privacy could be at risk.

Michael Fauscette is the Chief Research Officer at G2 Crowd, a leading review website for business solutions. Prior to joining G2 Crowd, Mr. Fauscette spent 10 years as an executive and senior analyst at technology market research firm IDC, where he led worldwide business ...