Searchlight News Roundup


Evaluating fingerprint biometrics in a post-OPM hack world

The OPM breach called into question the safety of fingerprint biometrics. What can CIOs learn from it? Plus: Google unveils latest Nexus devices; Experian hack exposes 15 million T-Mobile customers.

Our fingerprints are entirely our own -- but what if they're not?

The recent news that 5.6 million fingerprints were stolen in a massive breach of the Office of Personnel Management (OPM) suggests that our unique identifier -- the tips of our fingers -- could end up in someone else's hands. And worse, on someone else's hand. What does that mean for the enterprise?

As security experts point out, the immutability of biometric authentication is its greatest asset, but also its greatest challenge. Fingerprints, retinas and voiceprints can't be replaced like a password, so recovering from their compromise is hard.

Elevating concerns is that fingerprint biometrics are not just being collected for security purposes by a government agency. The tips of our fingers are increasingly being used in authentication and security measures, such as unlocking a mobile phone, a car or a home, and also in mobile payments. When fingerprints are keys and payments, it's not hard to imagine the frightening implications of potential hacks. Fingered for a crime takes on new meaning.

The OPM has said concerns are mostly unwarranted because "the ability to misuse fingerprint data is currently limited," as the independent agency put it in a statement. But apparently victims aren't out of the woods yet.

"While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread," Tim Erlin, director of IT security and risk strategy at Tripwire Inc., based in Portland, Ore., said in a statement to ZDNet.

What do other security experts think of the OPM's hack and the future of fingerprint biometrics? Dave Aitel, CEO of Miami-based security company Immunity Inc., said the danger is already there in the physical world; now, it's just entered the digital realm.

"I'm never concerned about biometrics being stolen because I leave my fingerprints on every glass of beer I have at the bar," Aitel said. "It is new and interesting that a hacker who has enough access can get your fingerprints from a device or from a database full of fingerprints, without ever visiting your local bar."


On the server side, databases that store sensitive fingerprints need to be as secure as possible. Companies should be "creating databases which contain encrypted parameters of fingerprint enrollment samples, but not the actual images of prints," Andras Cser, principal security analyst at Forrester Research Inc., in Cambridge, Mass., said in an email. "That way, fingerprints are harder to steal."

CIOs should take special note. "This is a warning sign for CIOs that they should, one, take better care of protecting solutions where the fingerprints are stored and matched on the server, and, two, evaluate solutions where the fingerprint is stored in a trusted secure enclave/execution environment and the match happens on the client side," Cser wrote.

Many mobile devices are getting fingerprint biometrics security right, according to Cser. Apple's Touch ID and Google's new Nexus Imprint store a person's fingerprints in the secure enclave on the device itself, making it much more difficult for hackers to reach it.

Cser sees a future in which fingerprint biometrics, as well as voiceprints and facial recognition, are commonplace in the enterprise.

But using our physical traits as authenticators shouldn't be our only form of security, Aitel warns.

"In the end, biometrics is never a good sole authentication provider. You always combine them with a PIN or token to do anything real, if you're doing it right," Aitel said.
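As an added illustration, not code from the article or from the experts quoted in it, the following Python models the two points made above: a fingerprint check is a fuzzy threshold comparison against an enrolled template rather than an exact check (which is why a template can't be protected the way a salted password hash is, and why Cser's advice is encrypted enrolment parameters and client-side matching), and a fingerprint should be combined with a PIN or token as a conjunction, both required, rather than as a fallback where either one suffices. The 64-bit template model, the match threshold, the `Account` class, the `authenticate_and`/`authenticate_or` names and all sample values are constructed assumptions for the example.

```python
"""Added example, not from the article: fuzzy template matching and two
ways of combining a fingerprint with a PIN.

The template model (a 64-bit feature string), the match threshold and all
sample values below are constructed for illustration; real fingerprint
templates and matchers are far richer.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: an enrolled template, a live scan of the same
# finger (a few bits differ, since real scans never reproduce enrolment
# exactly), and a scan from a different finger.
ENROLLED_TEMPLATE = 0x1234567890ABCDEF
GENUINE_SCAN = ENROLLED_TEMPLATE ^ 0b111        # 3 bits of sensor noise
IMPOSTOR_SCAN = ENROLLED_TEMPLATE ^ 0xFFFFF     # 20 bits apart
MATCH_THRESHOLD = 8                             # max differing bits accepted


def hamming_distance(a: int, b: int) -> int:
    """Number of differing feature bits between two templates."""
    return bin(a ^ b).count("1")


def biometric_match(enrolled: int, probe: int,
                    threshold: int = MATCH_THRESHOLD) -> bool:
    """Fuzzy comparison: accept if the probe is close enough to enrolment.

    Because this is a distance test rather than an equality test, the
    enrolled template cannot simply be salted and hashed like a password;
    it must be stored in a form that can still be compared, which is why
    the advice is encrypted enrolment parameters (never raw images) and,
    where possible, matching inside a secure enclave on the client.
    """
    return hamming_distance(enrolled, probe) <= threshold


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs, unlike templates, can be compared exactly, so they get a
    slow salted hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    """One user's enrolment: a template plus a salted PIN hash."""

    def __init__(self, template: int, pin: str) -> None:
        self.template = template
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)

    def pin_ok(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin_hash, hash_pin(pin, self.salt))


def authenticate_and(acct: Account, probe: int, pin: str) -> bool:
    """Conjunction: the print AND the PIN must both pass. A stolen
    template alone, or a stolen PIN alone, is not enough."""
    return biometric_match(acct.template, probe) and acct.pin_ok(pin)


def authenticate_or(acct: Account, probe: Optional[int] = None,
                    pin: Optional[str] = None) -> bool:
    """Disjunction (fallback): either factor is enough. This is the
    convenience pattern; its security is that of the weaker factor."""
    if probe is not None and biometric_match(acct.template, probe):
        return True
    return pin is not None and acct.pin_ok(pin)


def demo() -> dict:
    """Run the scenarios discussed in the article and return the outcomes."""
    acct = Account(ENROLLED_TEMPLATE, pin="4271")
    stolen_template = acct.template   # what a breached template database yields
    return {
        "genuine_and": authenticate_and(acct, GENUINE_SCAN, "4271"),
        "impostor_and": authenticate_and(acct, IMPOSTOR_SCAN, "4271"),
        # Stolen print, wrong PIN: the conjunction still holds.
        "stolen_print_and": authenticate_and(acct, stolen_template, "0000"),
        # The same stolen print against the fallback policy: accepted.
        "stolen_print_or": authenticate_or(acct, probe=stolen_template),
        # The fallback policy with only the PIN: also accepted.
        "pin_only_or": authenticate_or(acct, pin="4271"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>18}: {'accepted' if outcome else 'rejected'}")
```

Running the script shows the genuine scan plus PIN accepted and the impostor scan rejected under either policy, but a copied template is rejected under the conjunction and accepted under the fallback, which is the practical meaning of Aitel's "never a sole authentication provider."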

CIO news roundup for week of Sept. 28

Here is more technology news from the week:

  • This week, Google unveiled its newest Nexus devices, including two phones and a tablet. Both Nexus phones have a new fingerprint sensor that requires less than 600 milliseconds to recognize a fingerprint, and can be used not only to unlock your phone and make payments, but also for easy verification within third-party apps.
  • Another breach, this time affecting U.S. T-Mobile customers. The credit bureau Experian was breached this week, exposing the data of 15 million customers who applied for credit from the popular cell service provider from 2013 to the present. T-Mobile CEO John Legere wrote in a statement that the company will "institute a thorough review of our relationship with Experian."
  • "Can you hear me now?" Controversial whistleblower Edward Snowden just joined Twitter. His profile reads: "I used to work for the government. Now I work for the public." The only account he's following is the NSA.
  • Transactions are about to get safer -- but you'll be waiting a couple more seconds at the checkout line. Starting this week, U.S. retailers will be required to accept payment on chip-enabled credit cards. Customers with a chip-enabled credit card will have to "dip" their card rather than swipe, in an effort to help thwart fraud.
  • A new app is being called Yelp for humans. It allows people to rate other people on a scale of one to five. It's already drawing criticism, but the company's shares are worth $7.6 million.

Check out our previous Searchlight roundups on hybrid cloud environments and HP's job cuts.

Next Steps

For more on fingerprint biometrics and the OPM breach, check out this coverage on our sister sites:

OPM breach: 5.6 million fingerprint records

OPM breach: Lesson learned

OPM breach: Learn these security basics


Join the conversation


Do you think fingerprint biometrics have a bright future in the enterprise? Why or why not?
Unfortunately fingerprints and other biometrics do not help for better security in most cases. Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
Fingerprint biometrics are just part of the solution; a real and evolving solution will require a combination of multiple biometrics AND one-off encryptions at the origination level, and similar authentications at the processing venue, all in real time. The rapidly growing use of mobile "wallets" is a potential disaster without a better solution.
There's more, but I'd have to charge you for the consult.
Not really. I saw on the TV show Mythbusters how easy it was to get around fingerprint biometric scanning. It did not make me feel comfortable at all. You can spend a lot of money for something that, with a little effort, can be bypassed. I also read a story where a young kid, 5 or 6, hacked his dad's iPhone with the biometric protection to play games. How did he accomplish this at his age? Just scanned his dad's finger while his dad was asleep.