Biometrics Identification – Boon or Bane?
Written by: Madhu Maganti, CPA, CISA
Biometric identification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits. Unique identifiers include fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures.
Biometric identification is still an emerging technology, but its usage is increasing rapidly around the globe. Companies all over the world are evaluating the use of biometric authentication to create physical access barriers as well as to protect sensitive data. According to the 2018 State of Enterprise IT Infrastructure & Security survey by Ping, 92% of organizations surveyed felt that biometric authentication was effective at protecting on-premises information, while 86% felt it was effective in protecting cloud-based data. Although the survey shows IT or security professionals viewing this method of authentication as effective, it has a disproportionately low utilization rate of 28% for on-premises information and 22% for cloud-based data.
Biometric identification is not limited to companies. Individuals use it in their personal lives, whether through fingerprint scanners or the facial recognition feature used to unlock their phones. Voice features are used to activate and interact with Alexa, Siri, Google, etc.
Advantages of using biometric authentication include more accurate identification and increased accountability, which can increase the security of a system and reduce the likelihood of a data breach occurring. Accountability and security are also increased thanks to connecting personnel with specific actions or events. Biometric systems are not only efficient and easy to incorporate into the physical security system of a building, but the systems are also scalable as they allow for employees to be added and removed with ease. The ROI (Return on Investment) on a biometric system is very high as it is much more effective at avoiding fraud than most other security systems.
Recent Breaches
- Suprema is a company that sells biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions, and embedded fingerprint modules. It is a large company that deals with 5700 organizations across 83 countries, including governments, banks, and the police. Security researchers discovered almost 28 million records across 23 gigabytes of data. This data included fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, as well as personal details of staff. Plain-text passwords of admin accounts were also found in this discovery. Highly sensitive information, including usernames and passwords, was left unencrypted, according to the security researchers who discovered the breach. The researchers were able to gain access to the systems, but more importantly were also able to change data and add new users. Once stolen, fingerprint data becomes almost useless since it cannot be changed.
- The US Customs and Border Protection (CBP) had a massive breach through one of its vendors, Perceptics. Perceptics and CBP had been working together since 1982. CBP has declared that the breach affected fewer than 100,000 people, but those who were affected would have an image of their license plate and face leaked. In April, the CBP reported that it had used this biometric information to catch over 7,000 visitors who had overstayed their visas up to that point in time. Considering that the Department of Homeland Security estimates that less than 2% of visa holders stay past their visa’s expiration date, and that many travelers to the United States do not hold visas, it can be extrapolated that the CBP has analyzed millions of innocent individuals with its biometric authentication technology. In fact, by 2023, the Department of Homeland Security aims to use facial recognition on 97% of all departing air passengers.
Steps to protect your biometric information
- While your company might require you to provide biometric information as part of your employment, you should try to limit the number of sources that have access to such information.
- In the wake of the Suprema breach, opting out of biometric authentication in the office (if possible) is highly recommended.
- If you have biometric information saved on one of your own devices, ensure that the software is kept up to date in order to limit security vulnerabilities.
- Chances are that your smartphone has facial recognition and a fingerprint scanner, so if you’re using either of those two features you are putting your biometric data at an increased risk for additional convenience.
- Avoid using any other services that require permission to use your biometric data, such as DNA testing kits and virtual assistants.
  - DNA kits such as Ancestry.com require you to submit a sample of your DNA, which they will keep on file.
  - “MyHeritage” suffered a data breach last year, in which the usernames and passwords of 92 million accounts were discovered on the internet.
  - Virtual assistants such as Siri, Alexa, and Google services store and process your unique vocal patterns. While vocal patterns may not be commonly used for authentication, most people probably wouldn’t want their data saved on a server somewhere, especially with the rise of deep fakes and other AI-created content.
- Ask yourself the following questions before giving a third party or device possession of your biometric data:
  - Is the biometric data saved in a secure manner?
  - Where is the data being stored, and which countries’ laws is it subject to?
  - Who will have access to the data?
  - How long is the data kept for?
  - Is there any chance that the data will be sold?
- Stay up to date on new legislation regarding biometric data.
  - Congress is considering the Commercial Facial Recognition Act of 2019, which may change the landscape of biometric data in the future.
With new technology and new devices hitting the market constantly, the usage of biometrics will only increase, but we need to be prudent in protecting our biometric data; otherwise, we might reach a point where our biometrics mean nothing in the real or cyber world.