You might have missed the news that over 1 million biometrics data records were breached recently. The company that was breached, Suprema and its primary product BioStar 2 were the targets, exposing fingerprint and facial recognition data.
You may be thinking; no big deal, breaches happen all the time. There have been over 3,800 reported breaches in 2019 so far. Why is this news?
When you receive a breach notice you can take tangible steps to reduce the damages:
- Change your password
- Pay for a credit monitoring service
- Never buy from the failing company again
Things like changing your password are inconvenient, but still effective.
How can you change your fingerprint? How do you change your facial recognition?
Some of my colleagues try to convince people that "biometrics" is much better and safer to use than dull and passé passwords. They say that it is the best security because it is literally attached to the person themselves and therefore the best method to verify who you are dealing with.
The problem with that argument is it’s a trick on logic. The suggestion that a simple device knows the difference between a human being and some facsimile is silly. To most of us, using some unique part of your body as the best way to identify you makes sense. Only when one understands that devices use sensors to see whatever it presented to them, do you begin to see how simple devices can be deceived. In fact, MythBusters did an episode on fingerprints, Fingerprints Busted, that was just awesome. The episode demonstrates how not only fingerprint recognition can be fooled, but the ease of fooling the device was enhanced by the facsimile being cruder. Less quality of the facsimile = faster and better bypass of security.
Adding to the fun, a German security researcher was able to recreate someone else's fingerprint by simply taking a photo of their victim's hand from a nice distance away. Imagine waving goodbye to your identity forever.
Unlike changing a password, you cannot change your fingerprint nor can you change your face. Therefore, it ranks among the "ultimate hacks" out there when you can get your hands-on biometric data. One loss = forever breached. Clearly unacceptable in today's world of companies who clearly don’t have a strong cybersecurity strategy.
The cybersecurity world could simply reject these companies offering biometric identity solutions. However, they lack the will.
So we are on a crash course with a dreadful reality. Adversaries need only compile biometrics data from:
- the police
- the military
- large companies
Yes, the very same targets being breached every day.
Once the adversaries have your biometric data, how will you prove you are yourself? How can you prove you didn't do it? How will you explain your erratic and almost insane behaviors by being all over the place and engaging in some very questionable activities?
If we allow the entities mentioned above to use biometrics like they are relentlessly pursuing now... you cannot.
The global Tech Data Security Solutions team stands ready to help in the meantime. We have recruited outstanding cybersecurity talent and we work together to stay at the peak of cybersecurity competency. I am now leading the Tech Data Cyber Range, based on a proven model of cybersecurity excellence. We are incorporating continuous learning, with advocacy, with technology assessments, and community outreach for awareness and cybersecurity engagement. The only way to gain access to our amazing team is to utilize a Tech Data partner. We have well over 100k of them worldwide. Reach out to us at https://www.techdata.com/security
About the Author
Brett Scott serves as director of security solutions for Tech Data where he is responsible for new supplier research and recruitment. Brett is the co-founder and technical architect of the Arizona Cyber Warfare Range, a non-profit organization leading the country in teaching hands-on cyber security skills in a real-world environment to those motivated to develop real competence in cyber security. A hands-on leader with years of experience leading technical teams, Brett has worked in an array of industries and is an expert on cyber security issues facing companies today.