By Summer Hirst

The defining features of our bodies have now become our ticket to a number of things – from banking and social media accounts to gaining access to secure areas. Whether it’s the tone of your voice, your facial features, or your fingertips – these features can help identify you to unlock accounts and get access to physical locations.

If you used the fingerprint scanner on your phone to unlock it and read this article, you just used biometrics for identity verification, and that is what we’re going to discuss here.

We have a number of methods to log in securely to our accounts. There are PINs and passwords, but no other method has grown and been accepted faster than biometrics, possibly because of its ease of use.

Biometrics have started replacing document-based identification such as pass cards or ID cards to gain access to secure areas. The much-used username–password combination has also started to phase out with time.

The Appetite for Biometrics is Growing

According to the World Bank and the United Nations, about 2.4 billion people all over the world lack any official documentation. These two organizations advocate secure national ID systems, and this can be done safely with biometrics.

Today’s public is getting familiar with biometrics. You’ll see fingerprint scanning and facial recognition technology in offices, airports, and several other places. Since biometric devices have become affordable, they can easily be used in small-sized offices and workshops.

The Fly to Gate solution by Gemalto is working to create a biometric pathway that will help passengers check in themselves and then board the plane. This will let people have a smoother experience as there will be fewer bottlenecks in the process.

Some areas in which biometric technology is currently being used are law enforcement, passports/visas, the FBI fingerprint database, and the social ranking system of China.

Apart from these areas, banks use voice recognition systems to verify customers on phone calls, casinos use facial recognition technology to find card counters, and hospitals use the vein patterns on a patient’s hands to identify them. These applications are just the beginning.

According to a recent study, 75% of customers reported that they are comfortable with biometrics and don’t have a problem in using it. About 87% of respondents said they will be comfortable if only biometrics are used for authentication in the future.

Out of all age groups, millennials were the happiest with this new technology. This just proves that biometrics is the future and things are changing pretty fast.

Biometrics – Sounds Too Good to Be True?

You might forget your password but you can’t lose your thumb impression. While this makes it a more secure deal than passwords, biometric technology isn’t exactly foolproof.

In 2016, researchers from Michigan State University created fake fingerprints using special paper and an inkjet printer. These fake prints were 3D and were accurate enough to fool smartphone fingerprint readers.

The total equipment used for this experiment cost less than $500, which means an average hacker with minimal skills could break into accounts that are locked with fingerprint-based security.

But then again, hackers would need access to your fingerprints to copy them, right? Wrong! Researchers from the National Institute of Informatics, Tokyo, were able to replicate fingerprints based on a photo taken from nine feet away when the subject was making the peace sign.

This means that if your fingerprints are visible in a picture you shared on social media, your phone is vulnerable to attack.

Similarly, facial recognition data is also at risk of being hacked.

A study conducted at Georgetown University, Washington, found that about 50% of Americans have their photos in the facial recognition database of the police. It could be a mugshot or a simple driver’s license photo.

A seasoned hacker can break into these databases to steal some records. But they don’t really need to. Your photos can be downloaded from your social media profiles. Or even captured on the street as you’re walking by.

This data can be used as a weapon. Just like they created a 3D model of fingerprints, researchers created a 3D model of someone’s head using just his Facebook photos. Using the photos, they created a movie that fooled 80% of facial recognition tools that were tested.

While biometric technology offers a more stable and sustainable alternative to passwords, it’s not free from risks and vulnerabilities.

Let’s consider MasterCard’s selfie pay system where it’s possible for a criminal to get a selfie from their victim (through Facebook or other sources) and use it during checkout.

Thumbprint authentication isn’t 100% safe either. It can be duplicated easily, as explained above. As we develop technologies to make things more secure, hackers and fraudsters come up with new ways to find loopholes in them.

You’re a Criminal – Don’t Blame Us, Blame Facial Recognition

New figures have revealed that the facial recognition system in London misidentifies 96% of people as criminals.

The Met Police said that they got the software to help them hunt down criminals but it has proven to be a waste of public money.

Trials conducted from 2016-2018 in London showed that there were false positives in 96% of the cases. People who passed through the scanning area were shown as criminals, whether or not they had a criminal background.

Who Will Guarantee the Security of Your Data?

There are several different types of risks associated with biometric technology. These include network and data hacking, biometric registration security, spoofing, sensor inaccuracy, and others.

The greatest of these risks is data security.

Biometric sensors create a digital map of a particular body part. This map is used to authenticate the user and unlock a device or an account. Digital maps can be stored on the device itself, as with the fingerprint sensor of your iPhone, or sent to a central server for storage.

Local data is better protected than centralized storage since you will always be in control of it. Centralized data, on the other hand, isn’t under your control. If a company’s database is hacked, hackers can steal all the information stored on it, including the digital maps of your biometric identification.

Also, the data in transit can be stolen. It’s important to encrypt and secure this data so it stays safe and doesn’t fall into the hands of fraudsters. This can be done using virtual private networks.

The hacking incidents that have happened all over the world in the last few years have shown that it’s easy to lose control of this data. For example, about 5.6 million fingerprint records were stolen from the US Office of Personnel Management in 2015.

It Might Become Mandatory to Give Out Biometric Data

In India, giving biometric details has become mandatory. If you want any services from the government of India, you need to be enrolled in their biometric database that’s run by the Unique Identification Authority of India.

Statistics published on the website of the Indian government’s Press Information Bureau show that 93% of adults in the country have enrolled in this program. People in the US have always resisted such systems, but there are chances that they might soon arrive in the mainstream.

There are several biometric applications that might not be mandatory but are too attractive to resist. For example, John Hancock, the US insurance company, adds fitness tracking features to all its policies.

This means users will have to wear fitness trackers and let the company monitor their daily activities. The device will be able to determine when they exercise, have sex, or sleep. That’s pretty creepy.

And What If Someone Grabs Our Biometrics?

Walk into a public place and you can be subject to facial recognition technology through public CCTV cameras. Public facial recognition is being increasingly used and involves 3D face modeling techniques.

Also, a new technology by Photon-X is able to identify and track people from far away. This can help corporations and governments to track people overtly or covertly. This data can be matched with the already existing database to identify people in public places.

There are even non-contact fingerprint readers that can work from a distance of a few feet. And then there are biometric devices that read body posture movements and micro-expressions.

There is a lot of identification data that machines can use to recognize us. The question is, how safely do we store this data?

But Biometric Data is Largely Unregulated

Another hidden risk is that the process of biometric data collection and use is pretty unregulated.

While there are some laws governing the collection and use of biometric data, in a large part of the world, there are still no concrete laws.

Here are some laws that regulate biometric data:

The General Data Protection Regulation of the EU treats biometric data as a special category of personal data.

The Biometric Information Privacy Act (BIPA) of Illinois requires consent from users before companies can collect their biometrics. It also states that this data has to be deleted regularly.

The law of Texas offers the same rights as the law of Illinois and requires consent for the collection of biometrics as well as the deletion of the data after some time.

While the law applies to entities that capture biometrics for a “commercial purpose,” it does not define what counts as a commercial purpose.

The biometric law of Washington applies to businesses and individuals and controls the way these two entities collect, use, and store biometric data. Any company or individual must obtain consent before collecting biometric data.

These laws might act as an obstacle for some companies

Many tech companies, including Google and Facebook, have faced lawsuits over their facial recognition tools. They have faced lawsuits over BIPA violations and Facebook has unsuccessfully tried for legislative revisions many times.

When biometric laws won

The most recent report comes from Illinois where the fingerprints of a 14-year-old were taken without parental approval.

The company that took the fingerprints, Six Flags, argued that they cannot be held liable unless there’s been a tangible injury to the plaintiff.

However, the court ruled that a user need not face actual damage to prove the violation of their rights under the biometric law.

This ruling has been applauded by privacy groups including Electronic Frontier Foundation.

And yet, these laws are just a handful

While there are biometric laws in certain states in the US, this area is largely ungoverned in several other countries. As the use of biometrics grows, governments should regulate their use and storage so that people’s privacy isn’t at risk.

What Happens When Records Get Compromised

The problem with biometric data is that unlike passwords, your bodily features cannot be reset. Let’s say a user’s fingerprint data is stolen by a hacker.

Now instead of using that particular finger, the user can switch to using the print of another finger. But what if the print of all 10 fingers is stolen? Similarly, if a hacker steals a retina scan or facial feature map, you cannot switch to another set of eyes or a different face.

You can reset a compromised password with just a few clicks, but resetting biometric data might mean undergoing surgery – and that’s not very pleasant.

If the banking industry and other companies are collecting your fingerprints, and someone finds a way to hack and manipulate this data, it could lead to problems.

And once the biometric data gets compromised, you cannot undo the damage. If someone gains access to your fingerprints and creates fake prints, you cannot change your fingerprints. You’re now stuck with the compromised biometrics.

You might want to switch from one biometric to another but these changes aren’t always possible. For example, if your office uses fingerprint scanning for authentication, you cannot just change it to facial recognition. You can, however, change it on your phone if it offers two biometric choices.

This creates a unique problem. Someone is out there using your facial map to get access to restricted areas, and you cannot reset the data.

Also, since biometric identifiers link a user to the system in a very transparent way, not everyone might be comfortable using them.

It’s fine when you use facial recognition or fingerprint scanning to unlock your phone but you might not be comfortable linking your credit card authorization to your biometrics since your purchase history may become visible this way.

On the surface, biometric authentication might seem secure but once this data is compromised and replicated, there’s nothing you can do to fix that. And since there are no strict laws around the world governing the storage of this data, there are chances of hackers stealing these records for fraudulent purposes and getting away with it.

How to Safeguard Biometric Data

As discussed earlier, biometric data, once compromised, cannot be replaced. That’s the fundamental problem with biometrics.

However, it’s not all bad. The governments all around the world are realizing that they need to protect their data so it doesn’t get stolen. Companies try not to retain this information on their servers so it’s not vulnerable to hacks.

It’s best for companies and government agencies to depend on a system that stores biometric information on the user’s device instead of a central server.

This process involves the user enrolling their biometric identifier (for example, a fingerprint or a voice signal) on a computer or a phone. When the user has to log into their account or transact with another user, this biometric information acts as a key that releases a confirmation signal to carry out a certain action.

This is how things work with Apple Pay on iPhone. When you transact using Apple Pay, your fingerprint’s copy isn’t sent to the merchant. Instead, a confirmation signal is used to authorize the transaction. This system is becoming standardized these days.

There are several protocols (such as FIDO) to facilitate such authentication.
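The pattern described above (the biometric is matched on the device, and only a confirmation signal reaches the other side) can be shown in a few dozen lines. The following is an added example written for this article; it is not Apple’s or the FIDO Alliance’s code and it simplifies the real protocols. The “template” is a constructed byte string standing in for a fingerprint map, the on-device matcher is a plain byte comparison (a real matcher is fuzzy), and the confirmation signal is an Ed25519 signature over a one-time challenge from the server. The server stores only the public key, so a breach of the server yields no biometric data and no reusable credential.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the user's phone. The enrolled template and the private
// key never leave this struct; the server only ever receives the public key.
type Device struct {
	template []byte // constructed stand-in for a fingerprint map (assumption)
	priv     ed25519.PrivateKey
}

// Enroll captures the biometric locally and creates a per-device key pair.
// Only the public key is returned for registration with the server.
func Enroll(template []byte) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{template: append([]byte(nil), template...), priv: priv}, pub, nil
}

// localMatch is the on-device comparison. A real matcher tolerates noise;
// exact byte equality stands in for it here (assumption for the example).
func (d *Device) localMatch(sample []byte) bool {
	return bytes.Equal(d.template, sample)
}

// Authorize signs the server's challenge only if the live sample matches.
// The signature is the "confirmation signal": it contains no biometric data.
func (d *Device) Authorize(sample, challenge []byte) ([]byte, error) {
	if !d.localMatch(sample) {
		return nil, errors.New("biometric match failed on device")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Server keeps only the public key and the set of outstanding challenges.
type Server struct {
	pub        ed25519.PublicKey
	challenges map[string]bool
}

func NewServer(pub ed25519.PublicKey) *Server {
	return &Server{pub: pub, challenges: map[string]bool{}}
}

// Challenge issues a fresh random nonce for one authentication attempt.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[string(c)] = true
	return c, nil
}

// Verify accepts a signature once per challenge, so a signature captured
// in transit cannot be replayed later.
func (s *Server) Verify(challenge, sig []byte) bool {
	if !s.challenges[string(challenge)] {
		return false
	}
	delete(s.challenges, string(challenge))
	return ed25519.Verify(s.pub, challenge, sig)
}

func main() {
	template := []byte("constructed-fingerprint-template") // not real biometric data
	dev, pub, err := Enroll(template)
	if err != nil {
		panic(err)
	}
	srv := NewServer(pub)

	challenge, err := srv.Challenge()
	if err != nil {
		panic(err)
	}
	sig, err := dev.Authorize(template, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("first use accepted:", srv.Verify(challenge, sig))
	fmt.Println("replay accepted:   ", srv.Verify(challenge, sig))

	_, err = dev.Authorize([]byte("someone-else"), challenge)
	fmt.Println("wrong finger:", err)
}
```

Two design points carry the security argument. First, what crosses the network is a signature over a nonce, so an attacker who captures it learns nothing about the fingerprint and cannot reuse it. Second, the server’s database holds public keys only; stealing it does not let anyone impersonate users, which is the opposite of the central-template model the article warns about.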

As more companies and governments embrace the biometric technology, they should take care not to build central databases where all records are kept and can be accessed by hackers. This will expose consumer data to a number of risks, which will be worse than their passwords getting stolen since biometric data cannot be reset.

Another way to store biometric data is by keeping only a part of the data on the device. For example, instead of storing the entire fingerprint, the device will contain only a part of the print. The remaining print will be stored on a central server.

This way, a hacker will need to have access to the company’s or government’s servers as well as individual devices, which is almost impossible to achieve.
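One concrete way to hold part of a template on the device and part on the server, added here as an example (not code from the article or any vendor), is to split it into two XOR shares: the device keeps a random share and the server keeps the template XORed with that share. Each share on its own is uniformly random, so a breach of either side alone discloses nothing; the template only exists briefly, at the point where both halves are combined for a match. The template bytes below are constructed, and the matcher is exact byte comparison (a real one is fuzzy).

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Split divides a template into a device share and a server share.
// The device share is fresh random bytes; the server share is the template
// XORed with it. Either share alone is indistinguishable from random.
func Split(template []byte) (deviceShare, serverShare []byte, err error) {
	deviceShare = make([]byte, len(template))
	if _, err = rand.Read(deviceShare); err != nil {
		return nil, nil, err
	}
	serverShare = make([]byte, len(template))
	for i := range template {
		serverShare[i] = template[i] ^ deviceShare[i]
	}
	return deviceShare, serverShare, nil
}

// Reconstruct recombines the shares. It should run only inside the matcher,
// and the result must be discarded as soon as the comparison is done.
func Reconstruct(deviceShare, serverShare []byte) ([]byte, error) {
	if len(deviceShare) != len(serverShare) {
		return nil, errors.New("share length mismatch")
	}
	out := make([]byte, len(deviceShare))
	for i := range deviceShare {
		out[i] = deviceShare[i] ^ serverShare[i]
	}
	return out, nil
}

// Match reconstructs the template, compares it in constant time against the
// live sample, and zeroes the reconstructed copy before returning.
func Match(deviceShare, serverShare, sample []byte) (bool, error) {
	tpl, err := Reconstruct(deviceShare, serverShare)
	if err != nil {
		return false, err
	}
	defer zero(tpl)
	return subtle.ConstantTimeCompare(tpl, sample) == 1, nil
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	template := []byte("constructed-template-0123456789") // not real biometric data
	dev, srv, err := Split(template)
	if err != nil {
		panic(err)
	}
	fmt.Printf("device share: %x\n", dev)
	fmt.Printf("server share: %x\n", srv)

	ok, _ := Match(dev, srv, template)
	fmt.Println("genuine sample matches:", ok)
	ok, _ = Match(dev, srv, []byte("constructed-template-9876543210"))
	fmt.Println("other sample matches:  ", ok)
}
```

The caveat a practitioner should keep in mind is that the two halves must meet somewhere for every match, and whichever party performs the reconstruction sees the full template at that moment. Splitting protects data at rest on each side; it does not remove the need to protect the matching point, which is why the device-local approach described earlier is generally preferred.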

And then there are some more fixes:

Multi-factor Authentication

Just like multi-factor authentication with passwords, you can use multi-factor authentication with biometrics. This can be done by combining multiple biometric options, or by combining a text-based factor such as a password with biometrics.

Depending on user preferences, several layers of authentication can be created. For example, fingerprint scanning can be combined with facial recognition. This is even more difficult to hack than single-factor biometric authentication.

Or biometrics can be combined with other authentication factors such as passwords and authentication codes that can be sent through SMS.

Changeable Biometrics

While most biometric identifiers stay the same, not all of them do. For example, pregnancy and hypertension can change the patterns of blood vessels in the retina of a woman. This can confuse retinal scanners.

Static biometrics such as face shapes, iris scans, and fingerprints face security risks. To overcome these risks, there is a need for the creation of changeable biometric solutions.

A group of researchers from the University of California came up with a technology called passthought that measures your brainwaves to check what you are thinking of.

If you thought about the right password, you will be granted access to the system. You’ll need to wear a special headset that contains brainwave sensors.

The key could be anything, really – a mental image, a song, a phrase, or just about anything you’re comfortable remembering. Your thoughts are not transmitted via the headset – only their mathematical representation.

Since everyone thinks about the same thoughts differently, a hacker wouldn’t be able to impersonate you even if they knew the password.

The only way a hacker can trick the system is by phishing. If they can make you think about your passthought, they can capture your thought and use its mathematical representation to authenticate.

But then again, since passthoughts aren’t static, they can be changed. That’s one biometric option that can be reset easily.

Human Touch

People are smarter than AI robots. Artificial intelligence and machine learning are vulnerable to mistakes. A human can check the identity of a user more accurately. This adds reliability to the system. Heavy makeup might fool a facial recognition system but it won’t fool a human being.

This is why no matter how advanced the machinery becomes, we’ll still need a human at the security check.

More Data Points

For accurate results, there need to be more data points when scanning the biometrics. For example, taking note of the micro-expressions of the face will ensure the results are highly precise.

The fingerprint scanner and facial recognition systems on your phone are pretty basic and cannot produce highly detailed scans. On the other hand, devices used by the FBI and big corporations capture more data points in their biometrics to make sure the system cannot be fooled easily.

The simplicity and performance of biometrics outweigh a number of security risks. We can expect this technology to expand in the near future.

It’s always a pleasure not to have to remember long passwords and simply be recognized by your device and your accounts. However, there’s always a risk of your data being stolen and of not being able to reset the system.

Biometric technology is walking a fine line between cool and creepy, and governments all over the world need to wake up and smell the coffee. It’s time there were well-defined laws related to biometrics all over the world.