Q

OPM breach: What's the risk of exposed fingerprint data?

Millions of fingerprint records were exposed in the OPM breach. Expert Michael Cobb explains how attackers can abuse such biometric data and what enterprises can do about it.

In the recent OPM breach, 5.6 million fingerprints were stolen. What are the ramifications of this on biometric...

security? Can attackers duplicate fingerprints and use copies to fool biometric authentication systems and access victims' devices or accounts? Can fingerprint records be used by attackers in other ways besides biometric security attacks?

The Office of Personnel Management and the Department of Defense have discovered that of the 21.5 million individuals who had sensitive information stolen in the recent OPM data breach, approximately 5.6 million also had their fingerprint records stolen -- initially this figure had been put at 1.1 million. The stolen personal data included Social Security numbers, residency history, employment and education history, as well as health, criminal and financial histories. This information, which was contained in people's background information applications, can be used in identity theft fraud, but the loss of fingerprint data creates a different threat, one the security industry doesn't yet fully understand.

The OPM has largely downplayed the severity of risk involved with stolen fingerprints, saying, "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited." However, fingerprint data has been successfully used to defeat some simple biometric systems, so their misuse is only limited by the fact that it's difficult for attackers to automate the abuse of stolen biometrics in the same way they can with passwords.

Authentication using biometrics such as fingerprints is becoming increasingly common as a means of logging into computers and smart devices. Biometrics use the uniqueness of certain features of a user, such as retinal pattern, fingerprint and even typing characteristics, to accurately identify and authorize a user. Unlike credit cards and passwords, which can be revoked and reissued when compromised, biometric data is permanently associated with a user and cannot be replaced. This is one of the major drawbacks with biometric identification, and there are now 5.6 million people who can be potentially impersonated.

The driving force behind the adoption of biometric verification has been convenience, but more has to be done to ensure it delivers improved security over the passwords it is trying to replace.

The fact that biometric identifiers can't be reissued leaves anyone who has had their fingerprint data stolen open to possible threats as cybercriminals find more efficient ways to use them. Fingerprints are certainly the weakest form of biometric authentication, as they're difficult to keep secret; people leave them behind whenever they touch something -- something a security-minded individual would never do with a password -- and it's fairly easy to copy them and create a replica in silicone. The same problem applies to voice and facial recognition, as both biometrics can be captured to recreate duplicates capable of deceiving biometric systems. Biometric identifiers that are harder to duplicate, such as iris patterns, present the least risk of compromise, but with all identifiers there is an element of interpretation during the identification process.

With a password-based model, it is easy for a computer system to check whether the password submitted equals the password stored in its database. With biometrics, the comparison is more "like" than "equal to" as the raw biometric data has to be converted from analog information into digital data called a template that computers can read, measure and analyze. It is this template data that was stolen by the hackers in the OPM data breach. The matching algorithm has to make a decision based on an acceptance threshold, which means identification is subject to false negatives and false positives that allow unauthorized users to authenticate successfully. With the compromised fingerprint data of 5.6 million individuals for sale on the underground market, false positives could become more of a problem.

The driving force behind the adoption of biometric verification has been convenience, but more has to be done to ensure it delivers improved security over the passwords it is trying to replace. Those looking to deploy biometric authentication systems need to encrypt biometric data at all times. The ISO/IEC 24745 standard provides guidance for the protection of biometric information during storage and transfer. It also aims to address the risks of biometric information being compromised. Cancelable biometrics is the most promising option, and it works by distorting the biometric image or features before storing them; this is similar in a way to using salt when hashing a password. The distortion characteristics can easily be changed, and the same biometrics can be mapped to a new template if the biometric store is compromised. Efforts to make this a feasible and standard implementation need to be accelerated to avoid the prospect of more people having their biometric data compromised.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Learn more about behavioral biometrics in the enterprise

Find out if facial recognition authentication helps mobile security

Discover how simple photography can fool biometric systems

This was first published in February 2016

Dig Deeper on Biometric Technology

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.
Related Discussions

Michael Cobb asks:

How should organizations handle exposures of fingerprint records? Should they move away from biometric authentication?

0  Responses So Far

Join the Discussion

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close