Industry Comment: Passwords Can Be Reset, Biometrics Can’t

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database belonging to a company used by the likes of the UK Metropolitan Police, defence contractors and banks. Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system, which allows centralised control of access to secure facilities such as warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.


EXPERTS COMMENTS
Matan Or-El, Co-Founder and CEO, Panorays
August 15, 2019
There have been numerous reports about exposed buckets of data, but this recent incident involving compromised biometric data from Suprema is particularly alarming: Unlike usernames and passwords, biometric information such as fingerprints and facial recognition records cannot be changed. And because Suprema is connected to thousands of organizations across the world, this compromised data has the power to rattle the entire supply chain. This event underscores the very real need for organizations to be vigilant about how they outsource their customer and employee data and how that data is stored and processed. Organizations need to ensure that their suppliers and business partners are on par with the organization’s own security standards and continuously uphold their suppliers to that standard. This should be part of their supplier management process, including vetting and continuously monitoring these suppliers to take action on any change in the security.
Emmanuel Schalit, CEO, Dashlane
August 15, 2019
If we unpick today’s Biostar 2 biometric data hack, there are a number of alarming issues to address. Firstly, the biometric data that was leaked was stored in an unencrypted cloud-based database, which goes against all primordial security practices for the storage of personal data. GDPR states that personal data must be processed in a manner that ensures appropriate security of the personal data, including against accidental loss. Suprema, the company that offers Biostar 2, has joined the ranks of those already shown to not be following these regulations. Secondly, the actual contents of the breach: usernames, passwords, addresses, times of accessing secure areas, and fingerprint and facial recognition data. Some of these can be reset – passwords and usernames, for example. Some, however, like fingerprints and facial recognition data, can never be changed. So what can you do if you’re affected? Reverting to passwords for any potentially affected services you use is a good start. While this could be inconvenient, you can change them easily if something happens. A password manager can help make it easier to change passwords, and will ensure your passwords are unique and secure. Using two-factor authentication as an added layer of account security is an excellent way to further protect your data.
Stuart Reed, VP, Nominet
August 15, 2019
23 gigabytes of data and 30 million records being leaked, including highly sensitive biometric data, is a significant privacy issue for all those involved and a huge blow for the biometrics industry. If researchers at VPNMentor were able to gain access to the data from the security tool Biostar 2, then so too might hackers, and the consequences of this would be vast. Not only is there little more sensitive data than someone’s biometrics – in this case including fingerprints and facial recognition data – but photographs, names, addresses, passwords and employment histories were also exposed. A significant element of this breach is the nature of how the biometric data was being used: to grant access to secure areas, for example in police stations. Unlike many other cyber incidents that we’ve seen which compromise digital data, this breach directly crosses over into physical security, demonstrating just how dangerous the data could be in the wrong hands. Especially given that the window of compromise was open for at least 8 days, with the breach being found on August 5th and privacy being restored on August 13th, and we’re still in the dark as to how long the tool may have been vulnerable before then. We know that hackers act fast, which is exactly why we must not only use a combined approach of people, processes and technology to better secure our data, but we need more sophisticated technology to identify malicious behaviour and potential data theft fast. It is important we harness technology which is ubiquitous and therefore thorough, such as tapping into the DNS network layer for threat intelligence, and then integrating this with a seamless response. When biometric data is at stake, time has never been more of the essence.
Sam Curry, Chief Security Officer, Cybereason
August 15, 2019
The fact is that an enormous number of biometrics devices are straw houses that can fall in the lightest of winds. Not storing the data used to authenticate when it’s at rest is a cardinal sin, as is not securing administration or thinking about the whole cryptosystem. It’s as if you built a large shack, put a vault door on the front and then didn’t bother securing windows or the back door and called it a state of the art, secure mansion. The results here are obvious: People adding themselves to the system, impersonation and of course identity theft. Doing biometrics can become poisoned for future use because you can’t reset a fingerprint or an eye scan. That’s the equivalent of choosing a password for the first time in your life and having to use it from then on, forever. That’s not security, it borders on criminal negligence.
