Our fingerprints are entirely our own -- but what if they're not?
The recent news that 5.6 million fingerprints were stolen in a massive breach of the Office of Personnel Management (OPM) suggests that our unique identifier -- the tips of our fingers -- could end up in someone else's hands. And worse, on someone else's hand. What does that mean for the enterprise?
As security experts point out, the immutability of biometric authentication is its greatest asset, but also its greatest challenge. Fingerprints, retinas and voiceprints can't be replaced like a password, which means recovery is hard once they have been compromised.
Elevating concerns is that fingerprint biometrics are not just being collected for security purposes by a government agency. The tips of our fingers are increasingly being used in authentication and security measures, such as unlocking a mobile phone, a car or a home, and are also being used in mobile payments. When fingerprints are keys and payments, it's not hard to imagine the frightening implications of potential hacks. Being fingered for a crime takes on new meaning.
The OPM has said concerns are mostly unwarranted because "the ability to misuse fingerprint data is currently limited," as the independent agency put it in a statement. But apparently victims aren't out of the woods yet.
"While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread," Tim Erlin, director of IT security and risk strategy at Tripwire Inc., based in Portland, Ore., said in a statement to ZDNet.
What do other security experts think of the OPM's hack and the future of fingerprint biometrics? Dave Aitel, CEO of Miami-based security company Immunity Inc., said the danger is already there in the physical world; now, it's just entered the digital realm.
"I'm never concerned about biometrics being stolen because I leave my fingerprints on every glass of beer I have at the bar," Aitel said. "It is new and interesting that a hacker who has enough access can get your fingerprints from a device or from a database full of fingerprints, without ever visiting your local bar."
On the server side, databases that store sensitive fingerprints need to be as secure as possible. Companies should be "creating databases which contain encrypted parameters of fingerprint enrollment samples, but not the actual images of prints," Andras Cser, principal security analyst at Forrester Research Inc., in Cambridge, Mass., said in an email. "That way, fingerprints are harder to steal."
CIOs should take special note. "This is a warning sign for CIOs that they should, one, take better care of protecting solutions where the fingerprints are stored and matched on the server, and, two, evaluate solutions where the fingerprint is stored in a trusted secure enclave/execution environment and the match happens on the client side," Cser wrote.
Many mobile devices are getting fingerprint biometrics security right, according to Cser. Apple's Touch ID and Google's new Nexus Imprint store a person's fingerprints in the secure enclave on the device itself, making it much more difficult for hackers to reach them.
But using our physical traits as authenticators shouldn't be our only form of security, Aitel warns.
"In the end, biometrics is never a good sole authentication provider. You always combine them with a PIN or token to do anything real, if you're doing it right," Aitel said.
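The two design points Cser and Aitel raise, keep the template and the match on the device in a secure enclave so the server never holds biometric data, and never let the biometric be the sole factor, can be sketched in code. The following is an added illustration, not code from any product or from the people quoted in this article: a toy Python model in which a simulated enclave holds the fingerprint template and a device-bound key, releases a response to a server challenge only when the local fingerprint match and a PIN both succeed, and a server that stores nothing but the registered key. The minutiae sets, the matching threshold, the shared HMAC key (standing in for the asymmetric key pair a real enclave would use) and all class and function names are constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample data (not real biometric data) ---
# A fingerprint template is modelled as a set of minutiae (x, y, angle) tuples.
# Real templates are vendor-specific; this stand-in only needs a "close enough" comparison.
ENROLLED_MINUTIAE = frozenset({(12, 40, 30), (55, 18, 95), (70, 72, 210), (33, 64, 140), (88, 20, 15)})
GOOD_PROBE = frozenset({(12, 40, 30), (55, 18, 95), (70, 72, 210), (33, 64, 140), (91, 25, 20)})  # 4 of 5 agree
BAD_PROBE = frozenset({(3, 3, 0), (55, 18, 95), (40, 40, 40), (60, 60, 60), (80, 80, 80)})        # 1 of 5 agree


def template_match(enrolled, probe, threshold=0.8):
    """Toy matcher: fraction of enrolled minutiae that also appear in the probe."""
    if not enrolled:
        return False
    return len(enrolled & probe) / len(enrolled) >= threshold


def _hash_pin(pin, salt):
    # Slow hash so an extracted PIN record cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SecureEnclave:
    """Stand-in for an on-device secure enclave (hypothetical class).

    The template, the PIN hash and the device key never leave this object;
    the only thing exported is a MAC over a server-supplied challenge."""

    def __init__(self):
        self._template = None
        self._pin_salt = None
        self._pin_hash = None
        self._device_key = None

    def enroll(self, template, pin):
        self._template = template
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = _hash_pin(pin, self._pin_salt)
        self._device_key = secrets.token_bytes(32)
        # Registration material handed to the server: the key only, no biometric.
        # (A real enclave would export a public key; a shared HMAC key is the stdlib stand-in.)
        return self._device_key

    def sign_challenge(self, probe, pin, challenge):
        """Release a response only if BOTH the local biometric match and the PIN succeed."""
        if self._template is None:
            return None
        if not template_match(self._template, probe):
            return None
        if not hmac.compare_digest(_hash_pin(pin, self._pin_salt), self._pin_hash):
            return None
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party (hypothetical class): holds no biometric data at all,
    only the key registered for each user, plus outstanding challenges."""

    def __init__(self):
        self._credentials = {}
        self._pending = {}

    def register(self, user, device_key):
        self._credentials[user] = device_key

    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # Each nonce is single-use, so a captured response cannot be replayed.
        nonce = self._pending.pop(user, None)
        key = self._credentials.get(user)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def stored_record(self, user):
        """What a dump of this server's table would expose: no template, no image."""
        return {"user": user, "device_key": self._credentials[user].hex()}


def run_scenario(probe, pin):
    """Enroll, then attempt one authentication with the given finger and PIN."""
    enclave = SecureEnclave()
    server = Server()
    server.register("alice", enclave.enroll(ENROLLED_MINUTIAE, "4242"))
    nonce = server.challenge("alice")
    return server.verify("alice", enclave.sign_challenge(probe, pin, nonce))


if __name__ == "__main__":
    print("genuine finger + right PIN:", run_scenario(GOOD_PROBE, "4242"))  # True
    print("genuine finger + wrong PIN:", run_scenario(GOOD_PROBE, "0000"))  # False
    print("wrong finger + right PIN:  ", run_scenario(BAD_PROBE, "4242"))   # False
```

The point of the split is what a breach of either side yields: the server table contains a key that is useless without the physical device, and the device releases nothing on a fingerprint alone, so a copied print (from a database or a beer glass) is not enough by itself. A real deployment would use the platform attestation and asymmetric keys of the enclave rather than a shared HMAC secret.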
CIO news roundup for week of Sept. 28
Here is more technology news from the week:
- This week, Google unveiled its newest Nexus devices, including two phones and a tablet. Both Nexus phones have a new fingerprint sensor that takes less than 600 milliseconds to recognize a fingerprint, and it can be used not only to unlock the phone and make payments, but also for easy verification within third-party apps.
- Another breach, this time affecting U.S. T-Mobile customers. The credit bureau Experian was breached this week, exposing the data of 15 million customers who applied for credit from the popular cell service provider from 2013 to the present. T-Mobile CEO John Legere wrote in a statement that the company will "institute a thorough review of our relationship with Experian."
- "Can you hear me now?" Controversial whistleblower Edward Snowden just joined Twitter. His profile reads: "I used to work for the government. Now I work for the public." The only account he's following is the NSA.
- Transactions are about to get safer -- but you'll be waiting a couple more seconds at the checkout line. Starting this week, U.S. retailers will be required to accept payment on chip-enabled credit cards. Customers with a chip-enabled credit card will have to "dip" their card rather than swipe, in an effort to help thwart fraud.
- A new app is being called Yelp for humans. It allows people to rate other people on a scale of one to five. It's already drawing criticism, but the company's shares are worth $7.6 million.