Biometric Security…Maybe Not

By Jimmy Pike - September 28, 2015
A lot of people are very excited about the idea of biometric information—physical information about a person such as your fingerprint, voice, retina, or image—as a better form of security or at least as a nice substitute for passwords. I thought I liked this idea as well. However, for the very first time (at least to my knowledge), the US Office of Personnel Management (OPM) system breach has leaked a great deal of other very sensitive and personal information including 5.6 millions fingerprints which are now in the “ether”. We’ve all seen movies that included a clever way to get someone’s fingerprints, and I never thought much about it. Now a huge number of these biometric signatures are in the dark side of society. (I have no idea about the risk to which these folks have been exposed or what they can do for remediation, but I doubt they’re very happy right now.) No one can say if this directly relates to biometric security, but I cannot help but think about the implications. As far as security, I can always change my password, but my fingerprints and my image are well…”sort of permanent”. I realize a bunch of folks are going to jump on me to inform me about how sophisticated the key concept included in secure biometrics really is and how silly or implausible a hack of this info would be. I am also sure it would be extremely difficult to use this information even if you acquired it. Unfortunately, and just like this breach, I continue to be surprised. Let me share a couple of requirements to consider if you plan to use biometrics as a way to enforce security. Any form of biometric information taken absolutely must stay local to the device where it was acquired, and the authentication of this information also must be performed on this device. Ideally, there should be a two-step authorization method for anything remote (but most of us consider this a lot of trouble). Databases like the OPM database are going to exist, are essential to our modern society, and I am pretty sure the operators thought it was secure. I have been the victim of password theft in the past largely because I did something stupid. In fact, the simplest hack I ever experienced was a rogue program running on my system that popped up and simply asked for my password. Silly me, I just entered it! Fortunately, once I found out, I was able to change it…not so easy with biometrics. I wonder what I would do if one day my tablet simply asked me to touch and hold my finger on the fingerprint pad and look into the camera for authentication. More than likely, I’d begrudgingly comply. Is it possible for someone to come up with a clever hack maybe not just like this but a means to expose my biometrics? Could they become like a “scarlet letter” where I had to have a list of disclaimers and warning? How will the victims of the OPM hack be impacted? Hmmm…I can’t change any of my biometrics, so for now no biometrics for me! At least not until I am convinced this isn’t possible. “FAT chance”…but I will research it more. Food for thought! Disclaimer: The views and opinions represented in this work are mine and mine alone. They do not knowingly represent the views of any other individual or individuals living, dead, or otherwise. I make NO guarantee as to their accuracy NOR are they necessarily an accurate predictor of the future. They are the product of a partially lucid mind resulting from nearly four decades of fun in the information technology industry and the long term impact of said chaos. You should read them, possibly understand them, and immediately discard them…Other than that, I hope you find them useful.
+ posts