Massive Fingerprint Hack Illustrates Why Anonymous Biometrics Are Critical To Security
I spend a lot of time looking over security, biometric and mobile app news articles for interesting tidbits to share with ImageWare’s followers. Over the last couple of years, I feel that the message has finally gotten out: pre-digital age security does not cut it in today’s connected society. Right now we are on the cusp of a global shift in how we identify the individual. Smartphones, various other mobile devices, cloud storage, and near-global access to cellular and wireless internet services have spearheaded a new paradigm in security: biometrics, the ability to identify a person via the traits that make them unique.
While this is great news for the security-conscious, there are still some significant pitfalls that must be overcome. As if illustrating the danger, last month a series of reports was released by the US Government stating that hackers had stolen personal data records from 21.5 million people, representing one of the biggest counterintelligence threats in American history. The stolen data included addresses, health and financial history, social security numbers, and most troubling, 1.1 million fingerprints. Unlike social security numbers, fingerprints are an integral part of the individual and cannot be changed.
While 1.1 million is a large number, it only represents a small fraction of the population, which leads many people to believe that something like this won’t happen to them. Unfortunately, unless more security measures are taken, this could easily become a massive and global issue.
Forward-thinking corporations, financial institutions, healthcare providers, retailers, and governments are all looking into ways to become more secure using biometrics. This is the new frontier: mainstream biometric identification is so cutting-edge that there is no universally agreed-upon standard to build upon. Initial adopters of personal biometric security, such as Apple’s Touch ID and Samsung’s biometric sensor, wanted to alleviate their customers’ concerns over private and public-sector biometric collection by opting to store biometrics locally on the device. Unfortunately, this method can be a nightmare for both the company and the end user due to lack of security on individual devices. Recently, hackers declared they can remotely hack into Android devices and hijack the device-stored fingerprint. Whether it’s remote hacking or the theft of the actual device, once a hacker has access to the device, they also have a lot of the data about who the person is.
Other biometric security adopters have opted to store their end users’ data in their cloud or an in-house server, believing that the end user’s concern over having their biometrics outside of their control is outweighed by the increased data security the company can provide. However, as we saw last month, even the US Government, which should have the highest security measures available, is not immune to hacking and theft. This should show that any company or organization that stores biometrics alongside personal identification information is at risk, and so are its customers.
The solution to all of this? ImageWare® Systems’ patented anonymous biometric solution that stores biometrics in the cloud. “Anonymous” means that the PII (personal identifying information), such as name, email, social security number, address, etc., is not associated with or stored alongside the user’s biometric data. Furthermore, biometrics are converted into a unique series of digits that are stored and later compared via a pre-determined threshold of acceptability. In combination, this method assures both the end user and the entity that the biometric is secure, even if the data or device is hacked.
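The separation described above can be sketched as follows. This is an added example, not ImageWare's code or a description of its product: the class names, the random opaque ID, the bit-difference comparison and the 0.25 threshold are all assumptions chosen for illustration, and the templates are constructed sample bytes.

```python
import secrets

THRESHOLD = 0.25  # assumed value: max fraction of differing bits accepted

def bit_distance(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

class TemplateStore:
    """Biometric service (hypothetical): opaque ID -> template, nothing else."""
    def __init__(self):
        self.records = {}

    def enroll(self, template: bytes) -> str:
        anon_id = secrets.token_hex(16)  # random, not derived from any PII
        self.records[anon_id] = template
        return anon_id

    def verify(self, anon_id: str, probe: bytes) -> bool:
        stored = self.records.get(anon_id)
        return stored is not None and bit_distance(stored, probe) <= THRESHOLD

class AccountStore:
    """Relying party (hypothetical): PII -> opaque ID, no biometric data."""
    def __init__(self):
        self.records = {}

    def register(self, email: str, anon_id: str) -> None:
        self.records[email] = anon_id

# Constructed sample templates (not real biometric data).
ENROLLED = bytes(range(32))
SAME_USER = bytes(b ^ 0x01 for b in ENROLLED[:8]) + ENROLLED[8:]  # 8 noisy bits
IMPOSTOR = bytes(b ^ 0x0F for b in ENROLLED)  # half of all bits differ

def demo() -> dict:
    templates, accounts = TemplateStore(), AccountStore()
    accounts.register("alice@example.com", templates.enroll(ENROLLED))
    anon_id = accounts.records["alice@example.com"]
    return {
        "genuine": templates.verify(anon_id, SAME_USER),
        "impostor": templates.verify(anon_id, IMPOSTOR),
        "unknown_id": templates.verify("0" * 32, ENROLLED),
        "pii_in_template_store": any("alice" in k for k in templates.records),
    }

if __name__ == "__main__":
    print(demo())
```

In this sketch a copy of `TemplateStore.records` holds only random IDs and templates; tying a template to a person also requires the separately held `AccountStore`.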
ImageWare Systems, Inc. supports multi-modal biometric authentication including, but not limited to, voice, fingerprint, and facial recognition. All of these can be combined alongside other authentication and access control facilities, including tokens, digital certificates, passwords, and PINs, to provide the ultimate level of assurance and accountability for corporate networks, web applications, mobile devices, and PC desktop environments.