We’ve written a few posts in the past about how people are the weak link in most data security systems – see, for example, “Human Factors Data Security Threats,” and “For Data Security, Employees Are the Weakest Link.”
Banks have also noticed this problem. The NYTimes recently ran an article titled, “Goodbye, Password. Banks Opt to Scan Fingers and Faces Instead.”
Banks are starting to use many different kinds of biometric identification: fingerprints, eye scans, voice recognition, and facial scans.
Biometrics are suddenly surging in popularity as two separate trends come together: on the one hand, cybercrime is getting worse every year. On the other hand, smartphones are increasingly becoming “biometric friendly,” with features such as fingerprint readers and high resolution cameras capable of providing the level of detail needed for reliable facial or eye scanning.
One security executive in the finance business, Tom Shaw of USAA, is quoted in the Times article as saying, “We believe the password is dying. We realized we have to get away from personal identification information because of the growing number of data breaches.”
The only problem is biometric protection is far from foolproof.
Shortly after the iPhone 5S was introduced with a TouchID fingerprint sensor, members of the Chaos Computer Club claimed to have successfully defeated the technology by photographing an iPhone user’s fingerprint from a glass surface. They also claim to have used commercially available software (VeriFinger) to create a picture of a fingerprint that could be used to open an iPhone by processing closeups of photos of a person taken from different angles.
Fingerprint technology has improved – a picture alone will no longer work. But that’s OK – there are ways to foil even more sophisticated fingerprint systems.
Anil Jain, a professor at Michigan State University, recently was visited by police seeking his help. Jain is a computer scientist specializing in biometric identification. The police wanted his help in solving a murder.
They had the victim’s iPhone, and believed that clues to who killed him could be found on the phone. Rather than trying to force Apple to cooperate – and Apple is notoriously uncooperative with law enforcement attempts to hack into its phones – the police in this case decided to try fooling the biometric login.
The police have a scan of the victim’s fingerprints that were taken while he was alive – it seems he was known to the police. They asked Professor Jain if he could create 3D replicas of the fingerprints that could be used to open the phone.
The issue is a little complicated – it’s not enough to hook the scan up to a 3D printer and make a fingerprint. Fingerprint readers now rely on the conductivity of the finger, and the usual plastic used in 3D printers doesn’t work. So the professor coated the 3D printed fingers with metallic particles to give it conductivity.
There is no public confirmation as yet whether the method worked, but one thing you can be sure of: if the police are working on such techniques, the “bad guys” are as well.
It also needs to be remembered that ultimately the biometric data is reduced to a string of ones and zeroes – and if someone can intercept that string, they may be able to use that information to foil cybersecurity networks. Researchers have also worked on attacking the software that runs the fingerprint scanning.
Biometrics are useful auxiliaries in the battle for data security, but they are not a panacea. The best data security would come from using biometrics combined with a password to access a secure vault storing the Master Secrets used in PACid’s Bolt-on Strong Security (BoSS) system.