Advocates of biometric identifiers say worries are overblown, but a GAO report says digitally stored records of fingerprints, palms, irises, faces raise ID theft and privacy questions
It’s about time. After all, which would you rather present to prove that you are you: a matching fingerprint, palm, facial, iris or heartbeat scan — or some crazy alphanumeric mash-up of your high school graduation date and your cat’s name?
But as the midsummer hacking of 1.1 million fingerprint sets from a U.S. Office of Personnel Management database demonstrated, unsecured biometrics also could come with an unwelcome wrinkle.
The bad guys could steal your face.
A July 30, 2015, report from the Government Accountability Office mentioned just such an unpleasant possibility: “Because a person’s face is unique, permanent (absent surgery), and therefore irrevocable, a breach involving data derived from or related to facial recognition technology may have more serious consequences than the breach of other information, such as passwords or credit card numbers, which can be changed.”
The report continues, “Industry trade organizations, government agencies and privacy advocacy organizations have noted that commercial use of facial recognition technology raises the same security concerns as those associated with any personal data.”
How much damage could a data thief do with your biometrics? According to experts from three different biometric modalities, the threat of someone virtually slipping into your skin is based far more on Hollywood-fueled paranoia than how biometrics are actually secured and deployed in the real world. “Hollywood has done an amazing job of stigmatizing biometrics, and we all gravitate to the negative aspect of it,” says Marios Savvides, associate research professor and director of the CyLab Biometrics Center at Carnegie Mellon University. “Once we seek the truth and not urban myths, I think the cloudiness disappears.”
[A] breach involving data derived from or related to facial recognition technology may have more serious consequences than the breach of other information, such as passwords or credit card numbers, which can be changed.
|— Government Accountability Office|
“Facial Recognition Technology” report, July 2015
Iris scans: An eye for security
Savvides and CyLab focus on making iris scans the unobtrusive consumer biometric of choice for account authentication. He considers it the most scalable biometric because not only can it quickly verify the account holder, at the point of sale or online, but its facial recognition component is equally vital to help law enforcement scan crowds to find missing children and solve crimes.
He says scanners that detect the “live-ness” of the eye are essential to the widespread acceptance of iris scans, as well as preventing the misuse of iris data.
“There are ways to test to make sure you are looking at a real person instead of a hack attack using a static image; the pupil naturally contracts and dilates,” says Savvides. “A system must have good live-ness. If a system simply takes a picture and then recognizes what’s in front of them and doesn’t do live-ness, then a simple hack would thwart it.”
Savvides predicts iris scans and other biometrics will soon become as commonplace in America as they are at banks and ATMs around the world. “We’re already seeing fingerprint authentication on Apple devices,” he says. “We’ve heard biometrics cry wolf before, but I believe we’ll start to see changes within the next two years for sure. It’s better than remembering 15 PIN numbers!”
Palm vein scans: Erase the gangster movies
Speaking of urban myths, remember the one about how mobsters would cut off a digit here and there for the purpose of fingerprint fraud?
Hollywood has done an amazing job of stigmatizing biometrics and we all gravitate to the negative aspect of it. Once we seek the truth and not urban myths, I think the cloudiness disappears.
|— Marios Savvides|
CyLab Biometrics Center, Carnegie Mellon University
Fuggetaboutit, at least when it comes to palm vein scans, which use a noncontact, near-infrared light to trace the unique vein patterns on the inside of the hand.
“Our technology relies on the blood,” says Charles “Bud” Yanak, director of product management and partner development for Fujitsu Frontech North America and a 20-year biometrics veteran. “If there’s no blood flow, we can’t identify you anymore. We’re the only commercially available biometric modality that uses an internal feature.”
Which may explain why Fiserv, which provides account processing services to more than a third of U.S. financial institutions, announced in July it has integrated Fujitsu’s PalmSecure verification software into its DNA processing platform.
Yanak says any hacker intent on misusing biometrics to access financial accounts will quickly lose interest.
“Biometrics aren’t as simple as a PIN number. Each vendor of ours has his own encryption key. Standards also dictate that there are two different kinds of transactions, enrollment and identification, and the templates cannot be the same. And that’s before JPMorgan adds their layers of encryption,” he explains. “So there are a lot of layers built in to prevent a hacker from stealing and misusing the data. You can’t; it just doesn’t happen.”
Nymi Band: No database, no problem
Sometimes being the new kid on the block has its advantages.
Case in point: Nymi, the University of Toronto biometric startup that recently made big headlines when TD Bank and MasterCard chose its FitBit-like Nymi Band heart monitor for the world’s first biometrically authenticated, wearable payment tool using one’s heartbeat.
[T]here are a lot of layers built in to prevent a hacker from stealing and misusing the data.
|— Charles “Bud” Yanak|
Fujitsu Frontech North America
That’s right; it turns out certain physical attributes, including the size and shape of your heart and its orientation to your other organs, give your EKG a unique signature that enables Nymi’s HeartID technology to recognize you in, well, a heartbeat.
By combining that biometric authenticator with the Nymi Band’s touchless NFC capability, TD’s 100 pilot band-wearers will authenticate their MasterCard purchases at Canadian Tap & Go payment terminals throughout the summer of 2015 by waving their wrists.
Shawn Chance, Nymi’s vice president of marketing and business development, says the Nymi Band proudly lacks the one thing that most concerns consumers: a hackable database. “We’ve taken a very different approach to this in that we don’t store any type of biometric database and neither do our partners,” he says.
Instead, the user sets up the Nymi Band by creating a biometric profile using the band and their Apple or Android smartphone. If the band, the phone or both are lost or stolen, the encrypted biometric profile is useless for want of the right heartbeat. What’s more, it provides no access to a larger database to even tempt a hacker. “We firmly believe that the user should be in charge of their own biometric,” says Chance.
While you have to authenticate the Nymi Band every time you put it on, it seamlessly handles all of your authentication challenges throughout the day. Chance says if all goes according to plan, TD users may soon throw away their cheat sheet of PINs and passwords entirely.
“We’re hoping that, down the road, we’re going to get the industry to a point where that stuff just melts away and you can just go on with your day, almost like back in the old days where people recognized you because you were there; you didn’t have to prove you were you every single time you saw someone new,” he says.