And they said this could never happen…
Yet, it did. I am talking about a breach of biometric data. Personal irreplaceable data that many in the biometric industry assured us could never be compromised.
The breach was disclosed this past week. Here is what happened: a breach of personal biometric data for 23 million users occurred at the biometric security company Biostar2. Biostar2 manages facial recognition and fingerprint scanning used by thousands of organizations to control access to buildings and secure areas.
As I write this, the company’s website is unresponsive.
What do we know? Cybersecurity researchers discovered that large parts of Biostar2’s massive database were unencrypted and unsecured. Dark Reading reported that Noam Rotem and Ran Locar, both Internet privacy researchers, first discovered the leak on August 5. The database held "almost every kind of sensitive data available," researchers wrote in a blog post. The exposed biometric data included more than 1 million fingerprints, facial recognition data, and user images. In addition, other records were exposed, such as access to client admin panels, dashboards, back-end controls, and permissions, along with unencrypted usernames and passwords. The researchers also found that they could change the exposed information… that’s right, they could change biometric identity data for individuals!
What is alarming about the Biostar2 Fail is that it occurred at a security company that knew the importance of the data they protected. But the researchers found that many accounts had ridiculously insecure passwords, like 'Password' and 'abdc1234.' The stupidity doesn’t stop there: the researchers could view passwords across the database because they were stored as plaintext files! (See Login 101 Blog Post for a simple test you can use to identify this bad practice before you trust a business with your private data.) BioStar 2 secured the database on August 13, but how long had it been exposed? Who else might have discovered it? We don't know the answers to those questions. What if you were one of the victims whose biometric data was exposed?
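The plaintext storage the researchers describe, next to a salted-hash alternative that also rejects the two weak passwords quoted above. This is an added example, not code from the original post or from Biostar2; the function names, the in-memory `db` dictionary, the minimum length and the PBKDF2 iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed deny-list; the first two entries are the passwords quoted in the post.
WEAK_PASSWORDS = {"password", "abdc1234", "abcd1234", "12345678"}
MIN_LENGTH = 10          # assumed policy value for this example
ITERATIONS = 600_000     # assumed PBKDF2-HMAC-SHA256 work factor


def is_weak(password: str) -> bool:
    """Reject short passwords and anything on the deny-list (case-insensitive)."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def store_plaintext(db: dict, user: str, password: str) -> None:
    """The practice the post describes: the database row is the password itself."""
    db[user] = password


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_hashed(db: dict, user: str, password: str) -> None:
    """Store only a random per-user salt and the derived digest."""
    if is_weak(password):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)
    db[user] = (salt, _derive(password, salt))


def verify(db: dict, user: str, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    record = db.get(user)
    if not isinstance(record, tuple):
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(candidate, salt), expected)


def readable_passwords(db: dict) -> list:
    """What anyone with read access to the table recovers without any cracking."""
    return [value for value in db.values() if isinstance(value, str)]
```

Hashing only slows offline guessing of a leaked table, which is why the deny-list check runs before anything is stored: a password like 'Password' falls to the first guess no matter how it is hashed.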
The Question Is Answered
As a victim of multiple data breaches, I started hopr to help solve the problem of data breaches, but also because I have grave concerns with the direction the industry was leaning to fix what they have called “The Password Problem”. Their argument (and it includes accomplished individuals such as Bill Gates) is that the password must die because it is an outdated mode of authentication and no longer able to protect the user that created it. What should replace the password as a login credential? Biometrics (such as fingerprints and facial images) of course! Microsoft has already begun its transition to facial recognition for login with its Windows Hello operating system.
For some time, there has been a nagging question in the back of my mind when it came to the security for biometric data. If companies cannot keep passwords secure, then why should I trust them with my biometric data? I think the Biostar2 breach has answered that question!
Experts suggest that biometric data should remain on the device where it is collected and never be exposed in transit. This is the approach that Apple took with the iPhone 6 through 8 when fingerprints could be used to unlock the home screen on the devices. While this is a nice approach to protecting the biometric data from theft, it fails to recognize that at some point the fingerprint or facial image must become a digital representation that is readable by software. In other words, the pattern of bits and bytes can be read, copied, and overwritten like any other digital data within a computing system.
Convenience And False Security
I know that biometrics have a convenience value to users: for example, you always have the credential with you and you don’t have to remember anything to use it. And login or unlocking is usually quick. But biometric login has its downsides, too. For example, if the data or device is stolen (such as was the case for the US Government OPM data breach or the Biostar2 breach) then the biometric cannot be replaced. And once stolen, biometric data can be misused with significant personal consequences. Biometrics offer an appearance of security without the reality of it. While there are situations where biometrics make sense (such as high-security installations like military bases or large financial systems), I don’t think they are a safe solution for the public and consumers. Using them as a replacement for passwords is not a secure alternative.
The Password Isn’t The Problem
The Biostar2 breach wasn’t just about biometrics. We also see in the story that, once again, people often prefer simple passwords that are easy to remember. The reasons for this include human behavior and psychology, but some of it is the result of years of frustration with ineffective security policies that are forced on users by businesses that don’t have a better solution and then force their customers to bear the burden, increasing frustration and delay. The password may be the scapegoat in many data breaches, but many people create good strong passwords given the right situation, tools, and motivation. My takeaway is that the problem isn’t the password, but rather it lies at a more fundamental level with the login system itself. Something in our authentication systems is badly broken, and it's widespread. We just haven't done a good job of giving ordinary users the right tools to remain secure. Maybe you're also feeling that the login process is broken and your private data is at risk of loss. Or maybe you've been the victim of a data breach or had frustration with password login for your online accounts. If so, hopr has a simple, secure, and private offer that you can try for free with no risk to you. hopr's password hopping® technology produces dynamic passwords that are short-lived so users and businesses experience a simple, secure, and private login experience.
A Final Thought
One of the tenets of good access control security is to discard compromised credentials and never use them again. I think a lot of Biostar2’s customers will be scratching their heads trying to figure out how to preserve the security of their facilities now that a primary security system is vulnerable. Obviously, it won’t be practical to ask their employees to create new fingerprints.