Skip to main content
Beware biometrics?

Beware biometrics?

What worries you most these days? Personally, I find myself agonising over concepts that we humans haven’t thought through, more than anything else.

Plastics for instance. What did we think would happen to all that waste? The original idea of making cheap containers for almost everything – from food to bottled water and even garden plants (!) – out of plentiful mineral oil compounds sounded great. But now we’ve woken up to the nightmare of plastic pollution and can’t even eat sea-bred mussels without worrying how many plastic particles they contain. We’re even breathing in plastic particles.

Likewise, I have a sneaking fear about biometrics. They’ve been promoted for years as the answer to all authentication problems. What could be more perfect? It’s your fingerprint, iris, face, voiceprint, so it must be you.

The trouble is any physical characteristics used in this way must be digitised, probably reduced to some kind of number, then stored in a database. And we all know what happens to those, sooner or later.

Imagine this. Your employer has been happily using your fingerprint to let you “clock on” at work, but suddenly there’s a data breach – as happened with the US Office of Personnel Management (OPM) in 2015 when 5.6 million American federal workers’ fingerprints were stolen –  and now the little squiggly, very personal patterns on the ends of your fingers, which you thought were going to be an essential part of your digital life from here on, are now “out there”.

Then out of the blue a few weeks later (and yes, I’m going into the realms of supposition or future-scoping, but bear with me) a letter arrives from your bank advising you that because of your employer’s data breach, you can no longer use your fingerprints for web banking. Then similar communications follow about you no longer being able to log on to use your credit cards, or access online accounts for your mortgage, insurance, health care, social security etc. 

In other words, your digital life starts to unravel.

Allen Hamilton

Database expert, prolific author and campaigner on identity protection (as well as former partner at global consulting firm Booz Allen Hamilton) George Tillmann told me: “Biometric security systems are a broken promise. They provide no more protection than your current credit card number, yet they’re a greater threat to your security if stolen. 

“Your bank can easily replace your credit card with a new number. But what are you going to do if your fingerprints are stolen?”

I also spoke on the matter of web banking security to Dr Terrance Boult, Professor of Innovation and Security at the University of Colorado, Colorado Springs. He said: “If your bank were to accept fingerprints and someone acquires yours, then they have a much greater chance to impersonate you and it would be hard to argue it was not you. Databases with lots of fingerprints will thus become targets for hacks, like the OPM one.”

After the OPM revealed it had lost all those US Government employees’ fingerprints, the expert view seemed to be that while hackers may not necessarily be able to use the lost biometric information to impersonate individuals right now, advances in algorithms might make this a real danger in future.

Sadly, criminals aren’t regulated as to how long they’re allowed to keep such information, so they’re likely to keep it forever. “It may take longer for thieves to understand how to use these new pieces of information, but they will eventually be used,” says identity theft expert John Sileo on his website.

Sileo says he lost his former business and more than $300,000 to identity theft and data breach, before using these experiences to his advantage, eventually ending up working for the Department of Defense, Pfizer and the FDIC. 

Fingerprint

“Ultimately, this could be more dangerous than having your ATM PIN, credit card number, or Social Security Number stolen, and it will take longer to clear up. In a worst-case-scenario, someone inside of the biometric database company could attach their fingerprint to your record — and suddenly they are you. The reverse is also true, where they put your fingerprint in their profile, so that if they are convicted of a crime, the proof of criminality is attached to your finger.

“What will you do when your digitized fingerprints wind up on a government No-Fly list? If you think it takes forever to board a plane now, wait until every law enforcement agency in the free world has your fingerprints on file as a suspected thief or, worse, a terrorist. 

Access console

“The reality is that biometrics could be a great alternative to securing one’s identity – and they are quickly becoming a part of everyday identification.  But we can’t go forward into the new world of biometrics thinking that it solves all of our problems. Like the ‘security codes’ on the back of our credit cards, like the two forms of authentication required for most banks, like wireless encryption standards – thieves eventually find work-arounds. And so too will they work around biometrics.”

“While it's easy to update your password or get a new credit card number, you can't get a new finger,” wrote renowned security expert Bruce Schneier in a blog shortly after the OPM hack.

“And now, for the rest of their lives, 5.6 million US government employees need to remember that someone, somewhere, has their fingerprints. 

“We really don't know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies.”

In my own (albeit depressing and slightly dystopian) view of the drawbacks of a “biometric-everything” future, I’m wondering if financial organisations might insist that customers who know their prints – or any other biometric data – may have been compromised, should (by law) come clean and declare this fact.

Might this lead to the creation of an underclass, who are considered less secure for things like web banking or even less employable? Who knows? Personally, I’m not really looking forward to finding out.

June 21, 2018 | By Jonathan Craymer

Social Media

Copyright © 2017 Cloud-pin Limited. All rights reserved.