Bio-Crime is Far from Mission Impossible
Biometrics is the measurement and statistical analysis of people's unique physical and behavioural characteristics. The technology is mainly used for identification and access control, or for identifying individuals who are under surveillance.
-Margaret Rouse, Search Security
Let me paint you a picture, and it starts with a very well-known film – can you guess it?
"It’s because it’s connected by gait analysis - a step beyond facial recognition. These cameras actually know how the agent walks, how he talks, how he moves - right down to his facial tics."
If you haven’t guessed the film, the clue is in the title.
That’s right: we’re already familiar with biometrics thanks to the magic of Hollywood. From the likes of Star Trek to The Incredibles, we’re used to seeing people scan their eyes, palms, and even voices to gain access. What we might not have picked up on is that biometrics is by no means confined to the silver screen anymore.
The Time is Now
By now, many of us have grown familiar with unlocking devices using our fingerprints or staring into them lovingly with our eyes. Now, we are increasingly seeing businesses integrate the use of biometrics for authentication to their services. Banks, for example, have started using voice recognition for telephone banking.
Biometrics is used for so much more than just authentication, however. We see the digital space exploding with the use of eye-tracking technology to see where your eyes focus mainly on a particular web page; galvanic skin response to detect your sweat level and degree of emotional arousal; facial expression to detect your emotions, like joy, surprise, and disgust. Biometric technology is everywhere – it really is watching you! The question is, are you watching you?
A Complete Myth...?
As we say in the industry: It's not IF, it's WHEN. You can do your best to secure yourself, but you are never 100% safe.
Regardless of what you might be advised, it is completely possible for cyber criminals to exploit the use of biometrics - particularly the use of fingerprints and facial recognition; the rest they’re likely working on.
How can they do that, you ask? What will they do, chop off your finger? Don’t worry – it’s not quite like in the films. Cyber criminals can obtain a copy of a fingerprint and use silicone to mould the fingerprint; this is referred to as ‘biometric spoofing’.
Fooling a biometric system can even be as easy as showing a picture of the required face to authenticate facial recognition. Biometric data is also impossible to replace - once your fingerprint is stolen, that is it, you can't simply get a new finger.
Meanwhile, 'Deepfake' technology uses artificial intelligence to synthesize a human image/voice. It is used to combine and superimpose existing images and videos onto source images or videos using a machine learning technique known as a 'generative adversarial network'.
One recent example comes from a large energy provider. The Chief Executive of said energy firm was tricked into sending over £177k to one of their Hungarian suppliers following a telephone call, thinking he was speaking to his boss – ouch!
This was possible because the AI was able to mimic the voice, even down to its tonality. The phone call was then followed by a fake email and the money was sent, never to be seen again... It is happening, and this case is not the only one of its kind.
Biometrics Will Solve all Security Problems, They Say
Biometric data is pretty high profile, don't you think? Ergo, far more valuable and appealing to cyber criminals. Logically and realistically, the place this kind of data is stored becomes a highly attractive place for cyber criminals to target.
Of course, we hope that high-profile data tends to be secured at a stronger level, but do I really trust companies holding my irreplaceable data to secure it properly? Zero trust works both ways, after all.
The issue is, as biometrics become more 'commonplace', complacency starts to rise too. The security measures we have in play today are not always used because there is this weird rumour going around that biometrics can solve all security problems – “it’s unique, how is that going to get stolen? How can it be replicated?” Well wakey-wakey: it is being stolen and more methods of committing bio crime are on the rise.
There is no such thing as a weak fingerprint; it either is or isn't the fingerprint. To some extent, it may be considered that the individuality and sensitivity of biometric information makes it a much more secure way of authenticating that someone is who they say they are. On the whole, biometrics can reduce the risk of cyber theft. Note how I say reduce, not remove.
Biometrics is not the answer, but then neither is the law
Where is the law on biometric privacy? Have we got one? Yes, we do: GDPR. Biometrics are defined as personal data. That still doesn't help me sleep at night though. All those falling in scope of GDPR had 2 years to prepare for it (#happybirthdaygdpr you are 1 year old and guess what? Your impact on the world hasn't quite solved all of our security issues.) We have seen Google fined over £44m, British Airways over £180m - and that’s just to name a few! These are large businesses… if they can’t keep our data safe, do you really think allowing our biometric data into the wild is a good idea? I, for one, do not.
What Can We Do?
What are the questions we should be asking ourselves as individuals and as businesses using biometric data? One of the most important questions to consider is where is the biometric data stored? How secure is it? Is the authenticity of the user correct?
Unfortunately, GDPR won’t save our identities and neither will the rising number of companies who choose not to invest in their cyber security. This is where personal responsibility comes into play as well as corporate.
Ask yourself “does this company REALLY need my biometric data?” Look at the type of information granted by your biometric authentication - is your biometric data more sensitive? If you can use a less invasive form of authentication, do it. Passwords can be changed, memorable information can be changed; don't give up what you can never get back.
Ask how your data will be used and where it will be stored. Ask how it is secured. Gain an understanding from the company you register your biometric data with on why it is necessary to have your biometric data. You decide if it really is necessary.
Given the increasing use of biometrics, the future of our threat landscape is a tough one. The only way to guarantee you personally or professionally are secure is to ensure you follow best practice; get the basics right and build on it. The world has become a safer place than it was previously thanks to GDPR, but we have so much more work to do, not just in securing ourselves, but also in raising awareness of others.
Soon the emerging technologies we see, such as biometrics, will become commonplace, and with that can come complacency over the technology’s compliance and security. Biometric data is arguably the most valuable data you or any business could possess; once leaked or stolen, it is IMPOSSIBLE to get back.
If you have further insight into this area of security and value to add, please do share your comments, I would love to hear them.
Senior Sales Engineer @ CrowdStrike | Cybersecurity | Presenter | Sound Engineering | Writer/Producer