More complex and less secure than I thought.
By David Geer
Commissioned by CACM Staff, June 23, 2022
Biometric markers such as fingerprints, the irises of one's eyes, and individuals' entire faces are increasingly popular for proving identity. If criminals can steal such biometric data, they can pose as users, potentially accessing your intellectual property, customer data, and financial assets.
"While criminal hackers can offer the stolen biometric data for sale online for huge sums, the goal is targeting specific networks to bring them down," says Jake Moore, global security adviser for ESET UK, an anti-malware company. Cybercriminals sell the data on the Dark Web, an uncharted part of the Internet where buyers and sellers reach sites via encrypted channels using Tor browsers.
Organizations go to the trouble of adding biometrics to other authentication factors, such as the one-time passcodes (OTPs) that arrive on your smartphone, because the data they protect is precious. A successful biometric hack combined with other compromised authentication factors almost certainly equates to massive losses for an enterprise.
"With persistent attacks comes continual entry," says Moore. Though cybercriminals often have to work to hack biometrics successfully, once they are in the system, significant disruption is likely; without the proper security procedures and continuity plans in place, it can take a long time for organizations to return to business as usual, Moore says.
You should store biometric data encrypted at rest and transmit it only over encrypted channels to mitigate the risk of compromise. Never use biometrics as your only factor of authentication.
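The "never a single factor" rule above is a policy decision that has to be enforced in code, not just stated. The following is an added example, not code from the article or from any vendor it quotes: a login check that grants access only when a biometric match score clears a threshold and a smartphone OTP (HOTP/TOTP per RFC 4226/6238, using only the standard library) is also valid. The OTP verifier refuses any counter it has already accepted, so a captured code cannot be reused. The threshold value, the shared secret, and the idea that a matcher returns a similarity score in [0, 1] are assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Time-based OTP (RFC 6238) with single-use enforcement.

    last_counter remembers the highest time step already consumed, so a
    code that was intercepted and presented again is rejected even while
    it is still inside the acceptance window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter = -1        # no code accepted yet

    def verify(self, code: str, timestamp: int) -> bool:
        base = int(timestamp) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue              # already used: treat as a replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


# Assumed policy value: the matcher's similarity score must reach this level.
MATCH_THRESHOLD = 0.90


def authenticate(biometric_score: float, otp_code: str,
                 verifier: OtpVerifier, timestamp: int) -> bool:
    """Access requires BOTH a biometric match and a fresh, valid OTP.

    A perfect biometric match with a missing or replayed OTP fails, which is
    exactly the property a stolen face video or fingerprint copy cannot defeat
    on its own.
    """
    biometric_ok = biometric_score >= MATCH_THRESHOLD
    otp_ok = verifier.verify(otp_code, timestamp)
    return biometric_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226 test secret and its published vectors.
    secret = b"12345678901234567890"
    v = OtpVerifier(secret)
    print(authenticate(0.97, "287082", v, 59))   # True: strong match + valid OTP
    print(authenticate(0.97, "287082", v, 59))   # False: same OTP replayed
    print(authenticate(0.55, "359152", v, 59))   # False: biometric below threshold
```

The OTP is checked even when the biometric score fails, so an attacker probing the endpoint cannot learn from timing which factor rejected them; in a production system the biometric comparison itself would also run server-side against an encrypted template, never against a copy stored on the client.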
"As the world moves toward digitization and people and organizations widely adopt biometric systems, the risk of data breaches leaking sensitive biometric data to malicious hackers increases," says Marios Savvides, director of the CyLab Biometrics Center of Carnegie Mellon University's Security and Privacy Institute. "The criminals can then create exploits and replay attacks for the biometric data, which they can use to break into the system," Savvides concludes.
Cybercriminals use replay attacks, in which a video of the person with the biometric markers is replayed on an iPad in front of the biometric scanner, says Savvides. "Replay attacks can happen for any biometrics system, whether it's a system to access your computer, bank account, or critical infrastructure," Savvides says.
Common threats to biometric data are easy to understand. "Protecting biometric data is difficult. Organizations find it challenging to secure face, voice, and fingerprint data from criminal hackers who collect it at coffee shops using high-resolution cameras and high sample rate audio recorders in the smartphones in their pocket," explains Brett Seals, a senior industrial cybersecurity consultant for 1898 & Co., a business consulting and services company.
The Samsung Galaxy S22 Ultra camera phone offers 108 megapixels (MP) of resolution, according to Digital Camera World, which is higher than what most professional cameras provide. That is more than enough for cybercriminals who take videos of highly placed executives for replay to facial recognition systems.