Skip to main content

Why Biometric Data Use Poses Unique Security Risk

By: Morey Haber, CTO, BeyondTrust

We live in sensitive times. One “sensitive”, under-discussed topic that we need to directly confront and have an open conversation about is around the sensitivity of data. Yes, that’s right, what do people today consider “sensitive” data?

The definition of Personally Identifiable Information (PII) often includes your name, email addresses, usernames, passwords, birthdate, address, social security number, credit card information, medical history, etc. I would stipulate that most people can agree that these are all sensitive data sets.

But there is an entire classification of sensitive data in the world that we do not discuss and is going to be a problem in the very near future. The sensitive data we are failing to adequately address is the linkage of our physical, carbon-based human bodies to all the biometric data being stored by IoT devices and services in the cloud. If you think this sounds farfetched, ask yourself if you or any of your loved ones participated in an ancestry DNA kit or received a new notebook, mobile device, or smartwatch that stores health or login data via fingerprints or facial recognition—I am willing to bet, that either you or someone close to you has.

Compromised biometric data poses unique risks
To understand the sensitivity of biometric data and why it should be a part of your conversations, consider the potential risk. You are a person. Typically, you have one single identity. One could argue that, even if you are a spy or have a criminal alias, you still only have one identity since, regardless of your aliases or the names you impersonate, you only have one set of biometric data. You cannot change your fingerprints, voice, face, eyes, EKG, or even veins in your arm.

When information technology uses biometric data for either authorization or authentication (and yes, they are different), it needs to compare the results with a stored profile of your biometric data. The storage is electronic.

While extraordinary safeguards can be placed on the storage and encryption of biometric data, at some point, it needs to be reassembled (at least in parts) to compare to assessed input. If the storage is flawed by design, has vulnerabilities, or the host system is misconfigured, we have a potential exposure of the most sensitive biometric data.

However, the biggest problem with biometric data is not the storage or authentication technology used, rather it is the static nature of biometric data itself. If a password is compromised, you can change it, putting a stop to password re-use attacks that rely on the compromised password. However, if biometric data is compromised, you cannot change it. Your eyes, face, or fingerprints are permanently linked to your identity (excluding bio-hacking which is a topic for another day). Any future hacks that solely rely on compromised biometric data can be an easy target for threat actors.

Biometrics alone should never be used to authenticate or authorize action or commit a transaction. Biometrics should be paired with a password or, better yet, a two-factor or multi-factor authentication solution for a higher degree of confidence.

Assessing how your biometric data is being used and accessed
Some vendors emphasize security for biometric data (Apple Secure Enclave), while others treat biometric data with little safe regard. If you think my latter claim is questionable, consider VTech’s My Friend Cayla doll and the ramification for sales, collection of voice fingerprints, and the mischievous potential for a threat actor against you or your children.

The storage of biometric data is quickly increasing, but the implications are just beginning to be understood and well-grasped. We need to begin discussing what we will allow to be stored about our identity and what is just too risky. And, most importantly by whom.

Just consider all the new technology that may now possess your biometric data:

  • Personal Assistants: Devices from Amazon, Google, and Apple all process voice recognition commands and can be programmed to understand individual voices. Your unique vocal patterns are stored and processed in the cloud. While threat vectors for human voice patterns are still very theoretical, be mindful that this data is being stored. 
  • DNA Kits: If you purchased or used one of these, your DNA is now on file. And, if you give permission, your data can be used by law enforcement to help solve outstanding criminal cases. Your most private and sensitive data, your DNA, is now in the hands of a third party. You should be aware of everything they can do with it and what the ramifications are if those services are ever breached. 
  • Mobile Devices and IoT: Cellular phones, tablets, and even door cameras capture some form of biometric data and stores it on the device or in the cloud—even if it is not used for authentication or authorization. The risk here is obvious. Some door cameras, based on location, capture photos or video based on movement and may capture your picture just by your walking or driving past it. Your likeness, unknown to you, is now potentially on another end user’s device, or in the cloud. And, your mobile phone or tablet now has fingerprints and facial metrics stored within it too. There are plenty of tools and documents on how to bypass these security models if you have the device in hand. You cannot trust these security models based on biometrics alone, and AI may actually make the matter worse by performing the PII linkage for a threat actors.

Opening up a dialogue about biometric data
Now is the time to begin sensitive discussions on biometric data. When you purchase a device, use a new technology, or consider how you are interacting with a new service, ask yourself, and potentially the vendor (especially, if the technology is used for work), the following:

  • How are you storing biometric data? 
  • Where is it being stored? (especially, what countries, since this may have other legal and compliance ramifications.)
  • How is it secured? Who has access?
  • Is my biometric data being purged over time? 
  • Do you sell my biometric data?
  • Does law enforcement have access to my biometric data or logs? Even with a warrant?

Biometric data is perhaps the most sensitive information you possess. It is a part of your identity and can never be changed. It is a worthy conversation we need to have in this sensitive world. It affects everyone, does not discriminate, and as new technology emerges, stands to cause potential trouble for everyone unless we understand how our likeness is being captured, stored, processed, and ultimately utilized.

- Ends - 


Popular posts from this blog

Cloud Computing powering India’s priority of ‘Digital-first country’

By: Sunil Mahale, India MD and VP, Nutanix
Digital transformation has been recognized as being vital to the growth of our nation. This transformation has enjoyed the unanimous approval and contribution from all stake holders including enterprises, MSMEs, government bodies and citizens. But this level of adoption in a country with a population of over a billion people would need a robust technology base that is capable to collecting and distributing vital data seamlessly.
Digital India envisions creating high speed digital highways, that will impact commerce and create a digital footprint for every individual. Technologies based on mobility, analytics, Internet of things and most importantly, cloud technologies are the building blocks for the digital India missionThere is a growing need to manage huge volumes of data, and making them readily available to public through digital cloud services. Cloud has a pivotal role in enabling this change.
While Data centers have become crucial to th…

RevStart launches its RevItUp Incubation Programme

Underlining its vision of creating a nurturing ecosystem for start-ups to grow in, RevStart, a co-working and incubation centre, has announced the launch of its RevItUp Incubation Programme. The 12-week long programme will be held at RevStart Incubation Centre in Noida from July 1, 2018 onwards. As part of the programme, RevStart will select five high potential start-ups from the ed-tech sector, AI, Consumer Internet, Sustainability, as well as for-profit social impact companies to assist them with developing their business, along with connecting them to global mentors across industries and sectors. In addition, start-ups selected for the programme will receive INR 5 lakh to Rs. 25 lakhs worth of cash and benefits, while RevStart will get an equity stake in the ventures.
The RevItUp Incubation Programme has been created to enhance the founding team’s industry, product, and company building knowledge and capabilities through a world-class curriculum. The programme will focus on tailor…

Insurtech startup Kruzr raises $1.3 Million from Saama Capital and Better Capital

InsurTech startup Kruzr has raised 1.3 Million USD (Rs. 9.5 Cr) for its seed round led by Saama Capital with participation from Better Capital. Kruzr is a preventive motor insurance technology which helps insurance companies personalize policy premiums & improve their risk model by delivering an engaging preventative driving assistant to their customers. Kruzr is founded by Pallav Singh, Ayan, and Jasmeet Singh Sethi.

Kruzr blends the power of voice technology and artificial intelligence in its personal driving assistant that helps drivers minimize mobile distractions, drowsy driving, speeding and external risks like weather and accident-prone zones. In pilots with insurers, Kruzr managed to cut down distracted driving by 80%. Kruzr is working with motor insurance companies in Europe, UK and India to bring its technology to their customers to prevent accidents & improve claims.

“Road accidents cause over 1.3 million deaths globally every year, and motor insurance companies los…