In the recent OPM breach, 5.6 million fingerprints were stolen. What are the ramifications of this on biometric security? Can attackers duplicate fingerprints and use copies to fool biometric authentication systems and access victims' devices or accounts? Can fingerprint records be used by attackers in other ways besides biometric security attacks?
The Office of Personnel Management and the Department of Defense have discovered that of the 21.5 million individuals who had sensitive information stolen in the recent OPM data breach, approximately 5.6 million also had their fingerprint records stolen -- initially this figure had been put at 1.1 million. The stolen personal data included Social Security numbers, residency history, employment and education history, as well as health, criminal and financial histories. This information, which was contained in people's background information applications, can be used in identity theft fraud, but the loss of fingerprint data creates a different threat, one the security industry doesn't yet fully understand.
The OPM has largely downplayed the severity of risk involved with stolen fingerprints, saying, "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited." However, fingerprint data has been successfully used to defeat some simple biometric systems, so its misuse is limited only by the fact that it's difficult for attackers to automate the abuse of stolen biometrics in the same way they can with passwords.
Authentication using biometrics such as fingerprints is becoming increasingly common as a means of logging into computers and smart devices. Biometrics use the uniqueness of certain features of a user, such as retinal pattern, fingerprint and even typing characteristics, to accurately identify and authorize a user. Unlike credit cards and passwords, which can be revoked and reissued when compromised, biometric data is permanently associated with a user and cannot be replaced. This is one of the major drawbacks of biometric identification, and there are now 5.6 million people who can potentially be impersonated.
The fact that biometric identifiers can't be reissued leaves anyone who has had their fingerprint data stolen open to possible threats as cybercriminals find more efficient ways to use them. Fingerprints are certainly the weakest form of biometric authentication, as they're difficult to keep secret; people leave them behind whenever they touch something -- something a security-minded individual would never do with a password -- and it's fairly easy to copy them and create a replica in silicone. The same problem applies to voice and facial recognition, as both biometrics can be captured to recreate duplicates capable of deceiving biometric systems. Biometric identifiers that are harder to duplicate, such as iris patterns, present the least risk of compromise, but with all identifiers there is an element of interpretation during the identification process.
With a password-based model, it is easy for a computer system to check whether the password submitted equals the password stored in its database. With biometrics, the comparison is more "like" than "equal to" as the raw biometric data has to be converted from analog information into digital data called a template that computers can read, measure and analyze. It is this template data that was stolen by the hackers in the OPM data breach. The matching algorithm has to make a decision based on an acceptance threshold, which means identification is subject to false negatives, and to false positives that allow unauthorized users to authenticate successfully. With the compromised fingerprint data of 5.6 million individuals for sale on the underground market, false positives could become more of a problem.
The driving force behind the adoption of biometric verification has been convenience, but more has to be done to ensure it delivers improved security over the passwords it is trying to replace. Those looking to deploy biometric authentication systems need to encrypt biometric data at all times. The ISO/IEC 24745 standard provides guidance for the protection of biometric information during storage and transfer. It also aims to address the risks of biometric information being compromised. Cancelable biometrics is the most promising option, and it works by distorting the biometric image or features before storing them; this is similar in a way to using salt when hashing a password. The distortion characteristics can easily be changed, and the same biometrics can be mapped to a new template if the biometric store is compromised. Efforts to make this a feasible and standard implementation need to be accelerated to avoid the prospect of more people having their biometric data compromised.
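The two ideas above, threshold-based "like" matching and a cancelable template that can be reissued after a breach, shown as an added illustration that is not from the original article or from ISO/IEC 24745. The feature vectors, key names, NBITS and THRESHOLD are constructed assumptions, and the sign-of-random-projection distortion is a simplified stand-in, not a vetted template-protection scheme.

```python
import random

NBITS = 256        # length of the protected template (assumed value)
THRESHOLD = 0.20   # max fraction of differing bits still accepted (assumed)

def protect(features, key):
    """Cancelable transform: keep only the sign of key-seeded random projections."""
    rng = random.Random(key)   # key acts like a salt; random is not a CSPRNG
    bits = []
    for _ in range(NBITS):
        proj = sum(f * rng.gauss(0.0, 1.0) for f in features)
        bits.append(1 if proj >= 0 else 0)
    return bits

def distance(t1, t2):
    """Normalised Hamming distance between two protected templates."""
    return sum(a != b for a, b in zip(t1, t2)) / len(t1)

def matches(stored, probe):
    """'Like', not 'equal to': accept when the distance is under the threshold."""
    return distance(stored, probe) <= THRESHOLD

# Constructed stand-ins for extracted fingerprint features (not real data).
alice = [(i % 4) - 1.5 for i in range(32)]
alice_again = [v + 0.05 * (-1) ** i for i, v in enumerate(alice)]  # sensor noise
mallory = [((i // 4) % 4) - 1.5 for i in range(32)]                # another finger

def demo():
    stored_v1 = protect(alice, "alice-key-v1")          # enrolment
    results = {
        "genuine": matches(stored_v1, protect(alice_again, "alice-key-v1")),
        "impostor": matches(stored_v1, protect(mallory, "alice-key-v1")),
    }
    # Template store breached: revoke by re-enrolling the same finger
    # under a new key, which maps it to an unrelated template.
    stored_v2 = protect(alice, "alice-key-v2")
    results["stolen_v1_vs_v2"] = matches(stored_v2, stored_v1)
    results["genuine_after_reissue"] = matches(
        stored_v2, protect(alice_again, "alice-key-v2"))
    return results

if __name__ == "__main__":
    print(demo())
```

Lowering THRESHOLD trades false positives for false negatives; the reissued template only helps if the stored template is the distorted one and the key is protected separately from it.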
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)