Following recent breaches of biometric databases, online security awareness advocate Javvad Malik gives his insight into the integrity of such systems.
With many apps, devices and payment methods switching to biometric data to prove identity, it has left people wondering whether the system offers better security than a traditional password. But, like many cyber security questions, the answer is not straightforward.
Last month, a biometric database breach exposed the fingerprints of more than one million people.
With more of us opting to use our face to log into phones and thumbs to access bank accounts, the value of biometric information is only set to increase.
Although many subscribe to the assumption that using a biometric identifier is more secure than the traditional password, this is not always the case.
Javvad Malik, a security awareness advocate at cyber security firm KnowBe4, claims that, while they both function similarly, passwords and biometrics operate very differently.
“Looking at the technology in isolation, biometrics is far better than using passwords,” Malik says.
“However, when you start picking it apart, biometrics is more like a username than a password because of the fact it can’t be changed and works more as an identifier.”
This raises new questions about what to do if your personal information is compromised online.
Malik adds: “If someone has made a 3D model of your fingerprint to unlock your phone there isn’t much recourse you can have.
“As an industry we are continually banging our heads, telling people not to use the same password across different sites.
“The thing with biometrics is that you don’t have that option — it’s linked to you and is unchangeable.
“So in that regard, it is actually weaker than a password.”
What to do if you’re a victim of a biometric hack
One positive is that biometrics are often linked to individual devices, meaning that a criminal would have to have access to a victim’s phone and fingerprint in order to access their information.
This “greatly reduces the avenues of attack” for cyber criminals, according to Malik.
However, this may change. In China, Alibaba-owned Ant Financial has launched “pay with a smile” which uses facial recognition technology to make a payment without the need to have a phone or card on your person.
Similarly, Amazon was revealed to be trialling a hand recognition system that would let customers pay in stores using a scan of their palm.
Malik says: “From the user experience side of things, looking at a phone to unlock it is much better than having to type something in.
“For a lot of people, that’s a perfectly acceptable risk. The real concern is when companies start rolling out biometrics for the sake of it.”
Instead, Malik would recommend using two-factor authentication where available, which is slightly more inconvenient, but more secure.
Although it is not entirely clear what criminals can do with biometric information as of yet, they are gathering biometric data to use further down the line.
He adds: “It could be the case that criminals could replace someone’s fingerprint with their own on the database, or add an additional fingerprint to the ones on file.
“When you start considering things like that, then you can see why storage is such a major issue. Small cracks can lead to big explosions.”
What can companies do to improve their biometric data security?
One of the biggest issues affecting proper implementation of biometric data security is cost and this is where Malik anticipates most issues will come from.
He says: “If you’re a big bank or Apple or Android, then you can invest the right resources into making biometric authentication secure.
“In an ideal world, tech companies won’t store an exact copy of your fingerprint – instead they will take a cryptographic hash of it and store that.
“It means that, even if that data is compromised or breached, a criminal couldn’t recreate the fingerprint from that information.”
However, even companies the size of Facebook have been found guilty of storing customer passwords in plain text.
There is a risk that companies will take the cheaper option of storing biometric data in a database.
Malik says: “The big concern is that when those databases are compromised the bad guys will have access to the raw biometric information — whether that’s a fingerprint or voice identifier.
“That’s where some of the dangers will really crop up.”
“Any business considering implementing a biometric security feature must first ask themselves whether it’s necessary.
“Businesses need to consider the risk they are trying to address and need to work out whether introducing biometric security solves it or just complicates matters,” says Malik.
“Companies need to understand the uses and limitations before choosing to implement biometrics, and educate their customers to provide clarity on how their security systems work.”
If not, they run the risk of becoming the next victims of a biometric data breach.