Biometrics Identification – Boon or Bane?

By Madhu Maganti, CPA, CISA, MS, Director of IT Advisory and Security – Doeren Mayhew

Biometric identification technology may still be an emerging technology, but its usage is increasing rapidly around the globe, so the question is – what is it and how will we see it impact us as consumers? Biometric identification is how a person can be uniquely identified by evaluating one or more distinguishing biological traits, such as fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA and signatures. Companies worldwide are evaluating the use of biometric authentication to create physical access barriers as well as to protect sensitive data.

According to the 2018 State of Enterprise Information Technology (IT) Infrastructure & Security survey by Ping, 92% of organizations surveyed felt biometric authentication was effective at protecting on-premises information, while 86% felt it was effective in protecting cloud-based data. Despite the survey showing IT or Security professionals viewing this authentication method effective, it has a disproportionately low utilization rate of 28% for on-premises information and 22% for cloud-based data.

Biometric identification is not limited to just companies – individuals also use it when they use fingerprint scanners or unlock their phones with the facial recognition feature. Voice features are used to activate and interact with Alexa, Siri, Google, etc.

Advantages and Disadvantages

Some advantages of biometric authentication include more accurate identification and increased accountability, which can improve a system’s security and reduce the likelihood of a data breach. Accountability and security are also increased thanks to connecting personnel with specific actions or events.

Biometric systems are also efficient and easy to incorporate into the physical security system of a building because of its scalability and easy process to add or remove employees. The Return on Investment on a biometric system is very high as it is much more effective at avoiding fraud than most other security systems.

5 Key Steps to Protect your Biometric Information

Consider these five key steps to keep your biometric information protected:

1. Try to limit the number of sources who have access to your biometric information if your employer requires you to provide it. In the wake of the Suprema breach, opting out of biometric authentication in the office (if possible) is highly recommended.
2. Ensure your software is regularly updated if your biometric information is saved on a personal device. Although it is a convenience, using your smartphone’s facial recognition or fingerprint scanner features can put your biometric data at an increased risk.
3. Avoid using any services that require permission to use your biometric data, such as DNA testing kits and virtual assistants. DNA kits such as Ancestry.com require you to submit a sample of your DNA and keep this information on file. In 2018, MyHeritage experienced a data breach that resulted in 92 million accounts having their usernames and passwords revealed on the internet.

Additionally, virtual assistants such as Siri, Alexa and Google services store and process your unique vocal patterns. While vocal patterns may not be commonly used for authentication, most consumers probably wouldn’t want their data saved on a server somewhere – especially with the rise of deep fakes and other Artificial Intelligence created content.

4. Ask yourself the following questions before giving a third party or device possession of your biometric data:
   • Is the biometric data saved in a secure manner?
   • Where are the data being stored and what countries’ laws is the data subject to?
   • Who will have access to the data?
   • How long is the data kept for?
   • Is there any chance that the data will be sold?
5. Stay up to date on new legislation regarding biometric data. Congress is considering the Commercial Facial Recognition Act of 2019, which may change the landscape of biometric data in the future.

Recent Data Breaches

Below are two examples of the impact of a biometric information data breach:

• Suprema is a retailer that sells biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules, and deals with 5,700 organizations across 83 countries, including governments, banks, and police officials. Security researchers discovered almost 28 million records across 23 gigabytes of data, which included fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, as well as personal details of staff. Additionally, plain text passwords of administrative accounts were found as well as highly sensitive information such as usernames and passwords. Researchers were able to gain access to the systems, but more importantly, they were also able to change data and add new users. Once stolen, fingerprint data almost becomes useless since it cannot be changed.
• The U.S. Customs and Border Protection (CBP) experienced a massive breach through a vendor named Perceptics, who they had been working with since 1982. Although the breach affected fewer than 100,000 people, those who were affected would have an image of their license plate and face leaked.

In April 2019, the CBP reported that it had used this biometric information to catch more than 7,000 visitors who overstayed their visa. Considering the Department of Homeland Security estimates that less than 2% of visa holders stay past their visa’s expiration date, and that many travelers to the United States do not hold visas, it can be extrapolated that the CBP has analyzed millions of innocent individuals with their biometric authentication technology. In fact, by 2023, the Department of Homeland Security aims to use facial recognition on 97% of all departing air passengers.

With new technology and new devices hitting the market constantly, the usage of biometrics will only increase but we need to be prudent in protecting our biometric data. Otherwise, we might reach a point where our biometrics mean nothing in the real or cyber world.

Doeren Mayhew’s dedicated IT Advisory and Security Group works closely with businesses to assess an organization’s security and identify solutions to ensure confidential data is protected. To learn more, contact us today.