Skip to main content

Security at risk with the most secure biometrics

(Image credit: Image Credit: Flickr / AMISOM)

Creating challenging passwords with different characters was once the only way of securing your sensitive data. But as things got complex in life, so did the security it requires.

From punching in your office with a fingerprint scan to unlocking your smartphone with facial recognition, the use of biometric data for security authentication has become a prime part of our lives.

Traditional security methods are now limited to mainstream devices such as apps and few smartphones. They are less useful to secure large-scale infrastructure, and sophisticated systems as cyberthreats have evolved to crack them.

Passwords can be easily forgotten where the multifactor authentication (MFA) combined with password generating software are found to have loopholes that could severely damage sensitive information when breached.

But the question is, are biometrics the next stage for securing sensitive information or has it fall prone to vulnerabilities? Are they securer than passwords and MFA?

As stated by the General Data Protection Regulation, a Data Processing Impact Assessment (DPIA) has to be implemented if a party is processing sensitive data that falls under biometric protection to evaluate the risk and the set protocols to minimise the impact if necessary. That is the reason international privacy laws exist to give individuals the right to protect biometric data.

Keeping that in mind, immense risks of biometrics are summarised into categories that are biometric enrolment security, evolving fraud capabilities, sensors, sensor inaccuracy, known or familiar fraud and much more.

The misuse of biometric data

Loss of biometric data is not as the loss of a binary password which you can recover from or change. Exposure of biometric data could lead to multiple levels of privacy breaches leading to an endless array of identity attacks.

All humans have a single identity on which they get legal rights, travel, get your driver’s licence etc. Even if you are a spy or double agent, the identity you are born with remains the same unless you do prosthetic modifications. Otherwise, you will have singular biometric data such as your face, eyes, voice, fingerprints, veins (on palm) etc. 

There is a process involving storing biometric data. Whenever infrastructures use biometrics data for authentication, the system has to cross-check the results from an electronic profile of your data which goes through specific encryption protocols and firewalls to keep the biometric data protected.

When the biometric data is requested or scanned, the system verifies it in bits and pieces for assessment. If there is a vulnerability present in the storage design, the entire system will malfunction leaving room for misconfiguration and exposure of biometric data.

Keep in mind, even with the state of the art biometric protection it’s still left exposed to spoofing. You would be surprised to hear security researchers hacking a biometric authorisation arm device with the aid of a replica arm and photos.

Yet, the most daunting threat is not because of the storage or any other way of penetrating it, but because of the nature of biometrics itself. When you lose a password to hacking or only lack of remembering it. You can instantly change the password. With biometrics, you cannot alter it, or change it.

Once it’s compromised, your identity is in great danger and can be used against you while framing you for a crime you did not commit. Your face, eyes, fingerprints are intact to your identity, which can form a basis for future targeted attacks. 

That concludes that biometrics cannot be singled out for the only security protocol or authorisation. Hence, another security protocol has to be used, such as a password or two-factor authentication for backup.

Biometric breaches

Data hacking cases have increased over the time, and only a few appear on the headlines, as the hack of the US Office of Personnel Management in 2015 that led to a severe loss of 5.6 million unencrypted fingerprints of the US government employees at that time.

Another case that needs attention is regarding researchers who was found accessing a big biometrics database that was left unprotected and unencrypted. The database was in the use of the Metropolitan Police UK and other organisations, making it a serious crime and an alarming situation.

Later it was found, the researchers got access to 23 gigabytes-worth of data of facial recognition, personal details, facial photographs, fingerprints data and 27.8m records.

This allowed reconsidering biometric data as a form of protection.

Core obstacles for biometrics security

As we speak, the obstacles to cope with such threats are increasing as loopholes are being spotted for penetration. Among which the automation of human identity authentication creates havoc regarding the hint of a surveillance society

The concept behind biometric security is not meant to invade or threaten someone’s privacy. But in multiple cases, the protocols that are used to store and produce biometric data can lead to any other information being revealed about the person raising concerns for surveillance, privacy and security. 

Also, you need to keep in account that biometric sensors create digital maps of a human body part used for biometrics. It is then used for all future unlocking and code matching, which is a risk one will have to bear for a lifetime. The digital map could be saved someplace else if breached, or used for someone else’s identity and infiltrate the entire network of databases.

The data locally stored is protected better, but it has to be encrypted while its path to storage and security. Hence, the data in transit will be at risk and allow hackers to breach the encrypted tunnel and fetch it.

Biometric identification is a statistical procedure where the threat of variation in acquisition and enrolment are present. That means a 100 per cent match for all biometric indicators do not exist.

From a legal standpoint, any data with less than 100 per cent probability may not be accepted for identity verification. Which is why when we compare the accuracy of biometrics with a binary PIN, the latter is still a better choice as its probability of being 100 per cent correct is higher.

Zubair Hussain Khan, Content Strategist, Reviewsed