Dark Reading (Endpoint), 4/20/2018 10:30 AM
Biometrics Are Coming & So Are Security Concerns

Could these advanced technologies be putting user data at risk?

From unlocking your smartphone with your face to boarding a flight with your fingerprints, the use of biometric data for authentication is becoming commonplace. In both identity management and identity verification, biometric applications are making marked improvements over current security protocols.

Traditional methods of identity management, while effective, are often a bother for end users. Passwords are hard to remember, even with password management software, and multifactor authentication (MFA) can be inconvenient. Despite the appeal of using biometric data to authenticate, are these systems actually more secure than passwords and MFA? And, more importantly, could they put user privacy at risk?

The risks of using biometrics fall into a few categories, including data and network hacking, rapidly evolving fraud capabilities, biometric enrollment security, familiar fraud (that is, caused by a family member or friend), spoofed sensors, and sensor inaccuracy.

One of the greatest risks is data security. Biometric sensors produce digital maps of a body part, which are then used for future matching and unlocking. That digital map can be stored locally on some devices (such as an iPhone fingerprint sensor) or transmitted across a network to a central storage database. Locally held data is significantly better protected because it is never out of your control while in transit. Data in motion must be encrypted on its way to storage and then secured. In both transit and storage, the data is vulnerable, and hackers are fairly adept at breaking into either, particularly if the data isn’t encrypted.

There have been many data hacking events over the past few years that demonstrate the potential for losing control of the data. For instance, the June 2015 hack of the US Office of Personnel Management resulted in the loss of 5.6 million unencrypted fingerprints of current and former US government employees.
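The local-versus-central storage distinction in the paragraphs above, shown as an added example (not code from the article or from any biometric vendor): the template stays on the device, the server keeps only a verification key, and what crosses the network is a challenge-bound "match succeeded" assertion rather than biometric data. The 64-bit feature vectors, the 10-bit match threshold and the HMAC device key are constructed stand-ins; real systems use vendor-specific templates and a hardware-backed asymmetric key in a secure element.

```python
import hashlib
import hmac
import secrets

# Constructed parameter: templates are toy 64-bit feature vectors, and two
# captures of the same finger are assumed to differ in at most this many bits.
MATCH_THRESHOLD = 10


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two feature vectors."""
    return bin(a ^ b).count("1")


class Device:
    """Holds the biometric template locally; only signed assertions leave it."""

    def __init__(self) -> None:
        self._template = None
        # Stand-in for a hardware-bound key (assumption). Real devices keep an
        # asymmetric key in a secure element and sign instead of using HMAC.
        self._device_key = secrets.token_bytes(32)

    def enroll(self, features: int) -> None:
        self._template = features

    def registration_key(self) -> bytes:
        """What the server receives at enrollment: a verification key, no biometric."""
        return self._device_key

    def authenticate(self, features: int, challenge: bytes):
        """Match on-device; on success return an assertion bound to the challenge."""
        if self._template is None or hamming(self._template, features) > MATCH_THRESHOLD:
            return None
        mac = hmac.new(self._device_key, challenge, hashlib.sha256).digest()
        return {"challenge": challenge, "mac": mac}


class Server:
    """Stores per-user verification keys only; it never sees a template."""

    def __init__(self) -> None:
        self._keys = {}
        self._pending = set()

    def register(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, user: str, assertion) -> bool:
        if assertion is None or user not in self._keys:
            return False
        challenge = assertion["challenge"]
        if challenge not in self._pending:
            return False  # unknown or already-consumed challenge: a replay
        self._pending.discard(challenge)
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["mac"])


def demo() -> dict:
    """Constructed scenario: genuine recapture, replayed assertion, different finger."""
    device, server = Device(), Server()
    enrolled = 0x0F0F_1234_ABCD_5678           # constructed enrollment vector
    device.enroll(enrolled)
    server.register("alice", device.registration_key())

    noisy = enrolled ^ 0b101                   # same finger, 2 bits of sensor noise
    assertion = device.authenticate(noisy, server.new_challenge())
    genuine = server.verify("alice", assertion)

    replay = server.verify("alice", assertion)  # same assertion presented again

    stranger = enrolled ^ 0xFFFF_FFFF          # 32 bits differ: another finger
    rejected = device.authenticate(stranger, server.new_challenge()) is None

    return {"genuine": genuine, "replay": replay, "stranger_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The design point is that a breach of the server yields verification keys, which can be rotated, rather than fingerprints, which cannot; the challenge set also stops a captured assertion from being reused.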

Data in Danger
Biometric data is also at high risk when the data is first recorded and when the data is being changed. During these times, the data is in danger because it can be altered from a single point of interaction. Within biometric enrollment events, the biometric system can be exposed to fraud during the sign-up process. It is essential that identity is clearly established during the enrollment process, or the entire system is compromised. Familiar fraud is similar, as it takes place during enrollment or during a change to the recorded data. In this event, a person "familiar" to the person being identified gets control of the device that is used to sign up and records his or her own data instead of the data of the actual account owner.

Though it might seem difficult to fool a biometrics sensor, history has proven otherwise. The evolution of both sensors and the methods used to spoof them is an arms race between sensor vendors and black-hat hackers. Early fingerprint sensors could be fooled by a small piece of Play-Doh or a Gummy Bear. Image and facial recognition sensors have been fooled (in a laboratory environment) by 3-D images or unique shapes that can make the sensor "see" something different than the actual face, or identify the face in the image as the correct individual.

Sensor accuracy is somewhat of a security risk, but perhaps even more a privacy issue. When a user enrolls in a biometric system, his or her information is likely recorded in a well-lit, stable, predictable environment. But in the recurring use of the sensor, the conditions will not be ideal, and will probably have degraded. This opens up some issues, ranging from the simple inability to access a system to the misidentification of an individual. In practice, these problems can have significant implications because government agencies use simple fingerprint identification and increasingly more sophisticated facial recognition (or other biometrics) for identification and criminal investigation.
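The accuracy trade-off in the paragraph above (lockout on one side, misidentification on the other), as an added example that is not part of the article: recaptures of an enrolled finger are simulated under ideal and degraded conditions, and the false-reject and false-accept rates of a "differ in at most N bits" decision rule are computed for each threshold. The 64-bit vectors, the bit-flip probabilities and the thresholds are constructed; the shape of the trade-off, not the numbers, is the point.

```python
import random

BITS = 64  # constructed template size


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two feature vectors."""
    return bin(a ^ b).count("1")


def noisy_capture(template: int, flip_prob: float, rng: random.Random) -> int:
    """Recapture of the enrolled finger: each bit flips independently with flip_prob."""
    noise = 0
    for i in range(BITS):
        if rng.random() < flip_prob:
            noise |= 1 << i
    return template ^ noise


def error_rates(threshold: int, flip_prob: float, samples: int = 2000, seed: int = 1):
    """Return (FRR, FAR) for the rule 'accept if at most `threshold` bits differ'.

    FRR: fraction of genuine recaptures rejected (the user is locked out).
    FAR: fraction of unrelated random vectors accepted (misidentification).
    """
    rng = random.Random(seed)
    template = rng.getrandbits(BITS)
    false_rejects = sum(
        hamming(template, noisy_capture(template, flip_prob, rng)) > threshold
        for _ in range(samples)
    )
    false_accepts = sum(
        hamming(template, rng.getrandbits(BITS)) <= threshold
        for _ in range(samples)
    )
    return false_rejects / samples, false_accepts / samples


def sweep(flip_prob: float, thresholds=(4, 8, 12, 16, 24, 32)) -> dict:
    """FRR/FAR at several thresholds for one level of capture noise."""
    return {t: error_rates(t, flip_prob) for t in thresholds}


if __name__ == "__main__":
    for label, p in (("ideal enrollment-like conditions", 0.05), ("degraded conditions", 0.25)):
        print(label)
        for t, (frr, far) in sweep(p).items():
            print(f"  threshold {t:2d}: FRR={frr:.3f} FAR={far:.3f}")
```

With the threshold tuned for enrollment-quality captures, degraded captures are mostly rejected; loosening the threshold to restore convenience is what raises the false-accept rate, which is the security side of the same dial.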

The central issue is that biometric authentication technologies pose privacy and security concerns: once biometric data has been compromised, there is no way to undo the damage. For a compromised password, you simply change it; for a fingerprint, ear image, or iris scan, you're stuck with the compromised biometric. You can, in some instances, change the biometric used, but even the ones that can be exchanged are limited. Biometric identifiers link the person to the system or activity in an explicit way. That's fine when unlocking your mobile device with a fingerprint or facial scanner, but there are other linkages that individuals will not find comfortable; for example, when used to authorize credit or debit transactions, your purchase history is uniquely tied to you.

Ultimately, the simplicity and performance of biometrics still outweigh most of the security and privacy risks. We should expect biometric use to continue to expand. The collection, use, and security of biometric data, however, is so far fairly unregulated. In the EU, the General Data Protection Regulation (GDPR), which goes into effect in May, does address biometric data as one of a few "special categories of personal data." With a few exceptions, the GDPR prevents the sharing of this data without express consent. In the US, however, there isn't a clear federal regulation addressing biometric data; instead, use of biometrics is managed by a series of overlapping and contradictory laws from both federal and state agencies.

Today, the best protection in the US comes from some self-regulating guidelines developed by industry groups and government agencies. As use grows, biometrics must become more regulated or user privacy could be at risk.


Michael Fauscette is the Chief Research Officer at G2 Crowd, a leading review website for business solutions. Prior to joining G2 Crowd, Mr. Fauscette spent 10 years as an executive and senior analyst at technology market research firm IDC, where he led worldwide business ...

Comments

mehdi1973us, User Rank: Apprentice, 5/1/2018 | 6:08:44 PM
thanks
thanks very informative