James Thew - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

OPM breach: What's the risk of exposed fingerprint data?

Millions of fingerprint records were exposed in the OPM breach. Expert Michael Cobb explains how attackers can abuse such biometric data and what enterprises can do about it.

In the recent OPM breach, 5.6 million fingerprints were stolen. What are the ramifications of this on biometric security? Can attackers duplicate fingerprints and use copies to fool biometric authentication systems and access victims' devices or accounts? Can fingerprint records be used by attackers in other ways besides biometric security attacks?

The Office of Personnel Management and the Department of Defense have discovered that of the 21.5 million individuals who had sensitive information stolen in the recent OPM data breach, approximately 5.6 million also had their fingerprint records stolen -- initially this figure had been put at 1.1 million. The stolen personal data included Social Security numbers, residency history, employment and education history, as well as health, criminal and financial histories. This information, which was contained in people's background information applications, can be used in identity theft fraud, but the loss of fingerprint data creates a different threat, one the security industry doesn't yet fully understand.

The OPM has largely downplayed the severity of risk involved with stolen fingerprints, saying, "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited." However, fingerprint data has been successfully used to defeat some simple biometric systems, so their misuse is only limited by the fact that it's difficult for attackers to automate the abuse of stolen biometrics in the same way they can with passwords.

Authentication using biometrics such as fingerprints is becoming increasingly common as a means of logging into computers and smart devices. Biometrics use the uniqueness of certain features of a user, such as retinal pattern, fingerprint and even typing characteristics, to accurately identify and authorize a user. Unlike credit cards and passwords, which can be revoked and reissued when compromised, biometric data is permanently associated with a user and cannot be replaced. This is one of the major drawbacks with biometric identification, and there are now 5.6 million people who can be potentially impersonated.

The driving force behind the adoption of biometric verification has been convenience, but more has to be done to ensure it delivers improved security over the passwords it is trying to replace.

The fact that biometric identifiers can't be reissued leaves anyone who has had their fingerprint data stolen open to possible threats as cybercriminals find more efficient ways to use them. Fingerprints are certainly the weakest form of biometric authentication, as they're difficult to keep secret; people leave them behind whenever they touch something -- something a security-minded individual would never do with a password -- and it's fairly easy to copy them and create a replica in silicone. The same problem applies to voice and facial recognition, as both biometrics can be captured to recreate duplicates capable of deceiving biometric systems. Biometric identifiers that are harder to duplicate, such as iris patterns, present the least risk of compromise, but with all identifiers there is an element of interpretation during the identification process.

With a password-based model, it is easy for a computer system to check whether the password submitted equals the password stored in its database. With biometrics, the comparison is more "like" than "equal to" as the raw biometric data has to be converted from analog information into digital data called a template that computers can read, measure and analyze. It is this template data that was stolen by the hackers in the OPM data breach. The matching algorithm has to make a decision based on an acceptance threshold, which means identification is subject to false negatives and false positives that allow unauthorized users to authenticate successfully. With the compromised fingerprint data of 5.6 million individuals for sale on the underground market, false positives could become more of a problem.

The driving force behind the adoption of biometric verification has been convenience, but more has to be done to ensure it delivers improved security over the passwords it is trying to replace. Those looking to deploy biometric authentication systems need to encrypt biometric data at all times. The ISO/IEC 24745 standard provides guidance for the protection of biometric information during storage and transfer. It also aims to address the risks of biometric information being compromised. Cancelable biometrics is the most promising option, and it works by distorting the biometric image or features before storing them; this is similar in a way to using salt when hashing a password. The distortion characteristics can easily be changed, and the same biometrics can be mapped to a new template if the biometric store is compromised. Efforts to make this a feasible and standard implementation need to be accelerated to avoid the prospect of more people having their biometric data compromised.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Learn more about behavioral biometrics in the enterprise

Find out if facial recognition authentication helps mobile security

Discover how simple photography can fool biometric systems

This was last published in February 2016

Dig Deeper on Biometric technology