If you think your new iPhone’s Face ID facial recognition feature or your bank’s fancy new fingerprint scanner will guarantee privacy and block hackers from accessing sensitive personal or financial data, think again.
In the coming year, cyberattacks will zero in on biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition technology and passcodes, according to a new report from credit reporting agency Experian Plc. While biometric data is considered the most secure method of authentication, it can be stolen or altered, and sensors can be manipulated, spoofed or suffer deterioration with too much use.
Even so, as much as 63% of enterprises have implemented or plan to roll out biometric authentication systems to augment or replace less-secure passwords, Experian said in its report. The push toward biometric systems dates back to the turn of the century in the financial services industry.
Additionally, new security parameters dictated by the General Data Protection Regulation (GDPR) and other privacy regulations, are spurring greater adoption of biometrics as part of a multi-factor or stand-alone protection options.
As such, hackers are refocusing their attention, creating an uptick in attacks against touch screen, facial recognition and passcodes. Those were among the top five data breach trends for the past year, Experian noted in its report.
For example, in 2015, the Office of Personnel Management was breached, resulting in the theft of more than five million unencrypted fingerprints.
The report recommends that organizations ensure their biometric systems are secure in all layers. Biometric data should be encrypted and stored in secure servers. And while privacy regulations may eventually dictate how biometric data is treated, that information remains largely unregulated. Until sensors, scanners and other hardware can better detect anomalies, biometrics should be used as part of a multi-factor authentication system.
Computerworld spoke with Michael Bruemmer, vice president of Data Breach Resolution at Experian, about the report and its recommendations. Excerpts from that interview follow:
For how long has there been an uptick in touch screen and facial recognition hacking and why is it expected to increase in 2019? “We’ve been in the data breach response business for 15 years now. We’ve serviced close to 27,000 breaches in that period of time…, 5,100 breaches in the last 12 months.
“We’ve been following biometrics for a while. Banking is one of five areas in the predictions where we’ve seen biometrics. Device access, whether an Android phone or an iPhone or a tablet or a PC, generally there’s some sort of biometric identification there. Law enforcement uses both retina scans and fingerprints… [and biometrics is used for] employees to punch in and out. And, of course the good old TSA is a great example at the airport, whether going through pre-check or clear – and having [a] passport or driver’s license [for] facial recognition checks.
“The reason it’s risen this year is there have been a number of examples, most recently in the last week, that revealed how 3D printing could be used to make a plastic copy of your finger prints or more importantly a rudimentary face that would fool an iPhone in terms of the new facial recognition feature.
“It doesn’t take much to defeat biometrics; if it’s the only security layer, then you have the keys to the kingdom.
“So, with our recommendation, we say biometrics is very good…, but you can’t depend on it as your only layer of protection. You need a secondary or tertiary level of authentication.”
Other than the unscrupulous hackers, who’s to blame for the flaws in biometric authentication? “There are a number of ways every security system, not limited to biometrics, can be duped. And most of it, as we have found in post breach research, is due to some form of human error. Biometrics themselves may be very strong, just like malware protection or device security, but the hackers look for a [human] weakness. For example, biometrics may have different levels of sensitivity, and if the person setting up the biometrics doesn’t turn up the sensitivity high enough, more people are easily able to get in. If you turn it up too high, you have too many people rejected.
“Point I’m making is 80% to 85% of all breaches we service have a root cause in employees not doing the right thing, making a mistake, doing stupid stuff. It’s not necessarily that the hackers are so smart that they have all these different attack vectors that are so much better than the company’s security; they’re looking for the weakest link, and generally employees are the weakest link.”
How is stored security data, particularly in the cloud, accessed by hackers? “One of the other predictions we had is how cloud vendors can be compromised, enabling access through the cloud. If you have biometric data held to protect access to the cloud and we’ve seen mis-configurations of the settings, Uber, Time Warner, Accenture, were attributed to mis-configurations.
“Just like you wouldn’t put the keys to a safe right outside of it giving people access to it, with encryption keys, [they] can’t be stored right next to the data you expect them to protect. Cloud access is one that concerns us because so many people are putting data there. If the most valuable data is put there along with keys to access it, it could be pervasive.”
How are biometrics being used to commit fraud? “The biometrics are just a layer of defense. To commit fraud, you need to get through that layer of defense. In my opinion, biometrics are a new frontier for people to protect information. It’s not biometrics creating the fraud…, the fraud occurs when they get into system, whether it’s banking, criminal records, access to your device. One of our other predictions is about having all wireless carriers…be compromised at once. We talked about this SS7 or Signaling System 7, [telephony signaling protocols that perform a translation, prepaid billing, Short Message Service (SMS) and other mass market services.] The data contained in the phone is really where the fraud is going to occur.”
What can corporations do to address this issue? “First, have multiple layers of protection. Don’t exclusively rely on biometrics or any layer. Don’t rely exclusively on SMS authentication, or passwords or just knowledge-based questions to authenticate. You need to have multiple layer hackers have to go through.
“Second, it’s also changing up security protocols. Good companies don’t have the same security protocols week in and week out. They’ll change the regimen for updating passwords or they’ll update when they have new features.
“Third, do regular quality control and/or pin testing on what you’re doing. A good way to find out if hackers can get in: pay somebody to be a hacker and try to hack into your system. We recommend that as part of any preparation or pre-breach planning a company does. Go ahead and test out your systems to see if they’re impenetrable as they could be or are supposed to be”
What can individual users do? It’s basic protection of your user credentials and access rights to your personal information. It starts there. Most humans work for a corporation or small business. So, if you can access someone’s credentials or put them in a position where you’re socially engineering them to give up their credentials, it’s a problem.
“What I always advise as part of my top hit list:
- Never use public Wi-Fi.
- Always use a password repository, where you don’t have to remember passwords so you can have complex, difficult passwords.
- Never click on any links.
- Never answer any phone calls from people you don’t recognize. Back to the biometric hacking, there have been reported scams where people will call you up and ask, ‘Hey, are you Mike Bruemmer?’ and expecting the answer to be yes, they record that and use it with banks when they go through the [instant voice response] to ask if you want to approve a wire transfer. Using that with other credentials they may have gotten from another compromise will allow them to complete a wire transfer.
- Shred all your documents.
- Never use a debit card for shopping. In many cases that will be linked to a line of credit, a savings account and a checking account. And it allows you to have access to that money without a restricted limit, versus a credit card that generally has a smaller limit. Most credit cards have zero or limited liability to the consumer if fraud is committed, where debit cards not so much.
- Make sure you’re not sharing your work device, whether a laptop, tablet or phone with anyone else.”
We’ve heard a lot about threats from the dark web. What do you see as the greatest threat there? “The one thing I’d call out is the amount of data that has been put out on the dark web and the number of pieces of information that even non-sophisticated or non-tech savvy people can use. There are kits out there on the dark web to do Wi-Fi hacking, to be able to steal Bluetooth information, to do key logging, and you don’t have to have technical skills – just have to buy the kit and follow the instructions and you can become a bad guy overnight. For example, recently you could set up a fake cell tower – one people could supposedly connect to – and just like [a] pineapple device or Wi-Fi Router, you’re going to give up information on your phone to the fake cell tower without even knowing it.”