InfoSec Insider

Biometrics in 2019: Increased Security or New Attack Vector?

Should we pump the brakes on the roll out of biometric security to first consider whether we are creating new vulnerabilities?

This year thousands of consumers unwrapped new smartphones and laptops which come with biometric sensors that are intended to protect their data and identities through strong authentication. Apple continues to gain popularity with its iPhone X facial recognition feature while more laptops and phones now incorporate fingerprint scanning.

But is this broad adoption of biometric security making consumers safer? And is everyone really comfortable sharing this form of identity data points with vendors, tools, and apps?

Last month, the Illinois Supreme Court took on a case where parents accused Six Flags of violating the Biometric Information Privacy Act (BIPA) when the park collected a 14-year-old boy’s fingerprints for a season pass. Six Flags officials argue the law wasn’t violated because the park didn’t cause injury to the child when it collected his biometric data.

Earlier this month, the world discovered Taylor Swift has been using facial recognition technology to scan her audience for stalkers. In this case, fans unknowingly shared their facial images while staring at a kiosk with videos of her rehearsal.  And this year, air travelers began sharing their facial images with the Transportation Security Administration (TSA) to speed through airport checkpoints.

Biometrics is also making its way into enterprise as part of hardware refresh cycles with fingerprint scanners being enabled to identify employees for permission to access data and equipment. But does it actually help enterprises safeguard company assets?

We are born with a specific set of attributes (i.e. two eyes, ten fingers, facial dimensions, etc.) that do not change, pending a traumatic life event or surgery. Due to this, we need to protect our biometrics data since it will, overall, not change for the rest of our lives; however, many consumers easily give away their data with a false sense of trust that it will not be misused. Just as individuals will need to determine if sharing this information is worth the convenience in return, companies and organizations will also have to deploy adequate protection measures to avoid a new level of data theft, such as storing data points to ensure replay attacks and biometric recreation of an individual’s features isn’t possible. As well as to ensure compliance such as the protection of biometric information required in privacy laws such as General Data Protection Regulation (GDPR), which can fine up to 4 percent of a company’s annual revenue.

Will biometrics be enough to stop hacks?

Biometric security devices were introduced as a way of replacing or enforcing two-factor authentication (2FA) measures to stop criminals. However, cybercriminals possess the intelligence and creativity needed to adapt to new security measures like biometrics by either attacking them directly, or finding new ways to bypass it. They will find ways to rob this data and exploit it for their personal and financial gain if not secured properly. It is not beyond the realm of possibility that we’ll see a black market pop up in 2019 for important faces, fingerprints, or genetics to bypass weaker implementations.

Just two years ago, the industry began seeing the vulnerabilities of biometric authentication when researchers at Michigan State University discovered a simple and inexpensive way to print the image of a fingerprint using a standard inkjet printer. And last year, researchers at New York University’s (NYU) Tandon School of Engineering boasted over the ability to match anyone’s fingerprints using digitally altered “masterprints.”

Apple claims its 3D-facial recognition technology can’t be breached or fooled by any 2D-photos or videos and has protections for record and replay attacks. But despite these claims, some facial recognition technologies have serious vulnerabilities that will likely be compromised by hackers. In 2016, security and computer vision specialists from the University of North Carolina defeated facial recognition systems using publicly available digital photos from social media and search engines in conjunction with mobile VR technology.

Adding consumer behaviors to the mix

Just like 2FA measures, facial recognition alone won’t be able to protect companies, government agencies and consumers completely. To be more effective, this technology should incorporate behavior sensors that enable continuous authentication, for example tracking a person’s physical actions such as keystrokes, mouse movements, scroll speed, and how they toggle between fields. This approach can also factor in how someone manipulates their phone based on the accelerometer, gyroscope, how they swipe or the fingers they use.

The point is that one should reinforce any form of security whether 2FA or biometrics with behavior modeling to know what the user is doing at the time, when and where – not just a facial image or thumbprint alone, which is often a “one-off” authentication event. By understanding how someone acts on a network, personal device or within an application, organizations can identify anomalies that establish risks or trust.

On the individual and personal level, it may be impossible to prevent biometric data from being broadly collected and used. All but three U.S. states allow software to identify an individual using images taken without their consent while in public. And in many cases, people are readily volunteering their biometric data as a way to gain easier access to jobs, homes, cars and personal devices.

However, they must insist that their data be responsibly and securely stored and used, which will ultimately be addressed through legislation for biometric privacy laws like those in Washington, Illinois, and Texas.

No one should be surprised next year when the next data breach includes credit cards, social security numbers and fingerprints or faces.

(Nicolas (Nico) Fischbach serves as Forcepoint’s global CTO. Before joining Forcepoint, he spent 17 years at Colt, and was responsible for company-wide strategy, architecture and innovation. He ran global network security engineering and operations for eight years, building Colt’s first Security Operation Center and deploying the first DDoS mitigation solution in Europe. Nico is a recognized authority on service provider security as well as on next-generation network and cloud architectures. He also sits on the advisory board of Versa Networks and is a member of The Honeynet Project, a research organization dedicated to internet security.)

 

Suggested articles