If we go to biometric IDs, will hackers try to steal your face?

Digitally stored fingerprints, palms, irises, faces raise data, privacy questions


By most estimates, consumer-friendly biometrics will soon replace the pain-in-the-neck, easy-to-hack PIN and password protocols that currently guard our debit and credit card transactions, as well as other sensitive financial information.

It's about time. After all, which would you rather present to prove that you are you: a matching fingerprint, palm, facial, iris or heartbeat scan -- or some crazy alphanumeric mash-up of your high school graduation date and your cat's name?

But as the midsummer hacking of 1.1 million fingerprint sets from a U.S. Office of Personnel Management database demonstrated, unsecured biometrics also could come with an unwelcome wrinkle.

The bad guys could steal your face.

A July 30, 2015, Government Accountability Office report, "Facial Recognition Technology," mentioned just such an unpleasant possibility: "Because a person's face is unique, permanent (absent surgery), and therefore irrevocable, a breach involving data derived from or related to facial recognition technology may have more serious consequences than the breach of other information, such as passwords or credit card numbers, which can be changed."

The report continues, "Industry trade organizations, government agencies and privacy advocacy organizations have noted that commercial use of facial recognition technology raises the same security concerns as those associated with any personal data."

How much damage could a data thief do with your biometrics? According to experts from three different biometric modalities, the threat of someone virtually slipping into your skin is based far more on Hollywood-fueled paranoia than how biometrics are actually secured and deployed in the real world. "Hollywood has done an amazing job of stigmatizing biometrics, and we all gravitate to the negative aspect of it," says Marios Savvides, associate research professor and director of the CyLab Biometrics Center at Carnegie Mellon University. "Once we seek the truth and not urban myths, I think the cloudiness disappears."

Iris scans: An eye for security
Savvides and CyLab focus on making iris scans the unobtrusive consumer biometric of choice for account authentication. He considers it the most scalable biometric because not only can it quickly verify the account holder, at the point of sale or online, but its facial recognition component is equally vital in helping law enforcement scan crowds to find missing children and solve crimes.

He says scanners that detect the "live-ness" of the eye are essential to the widespread acceptance of iris scans, as well as preventing the misuse of iris data.

"There are ways to test to make sure you are looking at a real person instead of a hack attack using a static image; the pupil naturally contracts and dilates," says Savvides. "A system must have good live-ness. If a system simply takes a picture and then recognizes what's in front of them and doesn't do live-ness, then a simple hack would thwart it."

Savvides predicts iris scans and other biometrics will soon become as commonplace in America as they are at banks and ATMs around the world. "We're already seeing fingerprint authentication on Apple devices," he says. "We've heard biometrics cry wolf before, but I believe we'll start to see changes within the next two years for sure. It's better than remembering 15 PIN numbers!"  

Palm vein scans: Erase the gangster movies
Speaking of urban myths, remember the one about how mobsters would cut off a digit here and there for the purpose of fingerprint fraud?

Fuggetaboutit, at least when it comes to palm vein scans, which use a noncontact, near-infrared light to trace the unique vein patterns on the inside of the hand.

"Our technology relies on the blood," says Charles "Bud" Yanak, director of product management and partner development for Fujitsu Frontech North America and a 20-year biometrics veteran. "If there's no blood flow, we can't identify you anymore. We're the only commercially available biometric modality that uses an internal feature."

Which may explain why Fiserv, which provides account processing services to more than a third of U.S. financial institutions, announced in July it has integrated Fujitsu's PalmSecure verification software into its DNA processing platform.

Yanak says any hacker intent on misusing biometrics to access financial accounts will quickly lose interest.

"Biometrics aren't as simple as a PIN number. Each vendor of ours has his own encryption key. Standards also dictate that there are two different kinds of transactions, enrollment and identification, and the templates cannot be the same. And that's before JPMorgan adds their layers of encryption," he explains. "So there are a lot of layers built in to prevent a hacker from stealing and misusing the data. You can't; it just doesn't happen."

Nymi Band: No database, no problem
Sometimes being the new kid on the block has its advantages.

Case in point: Nymi, the University of Toronto biometric startup that recently made big headlines when TD Bank and MasterCard chose its Fitbit-like Nymi Band heart monitor for the world's first biometrically authenticated wearable payment tool, one that uses the wearer's heartbeat.

That's right; it turns out certain physical attributes, including the size and shape of your heart and its orientation to your other organs, give your EKG a unique signature that enables Nymi's HeartID technology to recognize you in, well, a heartbeat.

By combining that biometric authenticator with the Nymi Band's touchless NFC capability, TD's 100 pilot band-wearers will authenticate their MasterCard purchases at Canadian Tap & Go payment terminals throughout the summer of 2015 by waving their wrists.

Shawn Chance, Nymi's vice president of marketing and business development, says the Nymi Band proudly lacks the one thing that most concerns consumers: a hackable database. "We've taken a very different approach to this in that we don't store any type of biometric database and neither do our partners," he says.

Instead, the user sets up the Nymi Band by creating a biometric profile using the band and their Apple or Android smartphone. If the band, the phone or both are lost or stolen, the encrypted biometric profile is useless for want of the right heartbeat. What's more, it provides no access to a larger database to even tempt a hacker. "We firmly believe that the user should be in charge of their own biometric," says Chance.

While you have to authenticate the Nymi Band every time you put it on, it seamlessly handles all of your authentication challenges throughout the day. Chance says if all goes according to plan, TD users may soon throw away their cheat sheet of PINs and passwords entirely.

"We're hoping that, down the road, we're going to get the industry to a point where that stuff just melts away and you can just go on with your day, almost like back in the old days where people recognized you because you were there; you didn't have to prove you were you every single time you saw someone new," he says. 

Published: August 14, 2015

Updated: 10-25-2016