Biometric security – which uses fingerprints, voice or facial recognition or retina identification to authenticate users to services – has crossed the chasm into the mainstream, thanks to the prevalence of features like fingerprint readers on laptops and FaceID for iPhones. However, researchers say that information security issues affecting these systems are significant, and must be addressed.
Kaspersky researchers found that in the third quarter, one in three (37 percent) of computers within the firm’s telemetry that collect, process and store biometric data were targeted by malware attacks. The malware in question included spyware and remote access trojans (RATs), which accounted for 5.4 percent of all computers analyzed; followed by malware used in phishing attacks (5.1 percent), ransomware (1.9 percent) and trojan bankers (1.5 percent).
“It should be noted that other types of malware also included malicious programs designed to steal banking data (1.5 percent). It is not likely that these malicious programs were intended for stealing biometric data,” according to Kaspersky’s analysis, released Monday. “However, it can be expected that mass-distributed malware designed to steal biometric data from banks and financial systems will appear in the near future.”
As for the source of the attacks, standard protocol reigned – most campaigns observed in the third quarter came in the form of typical phishing emails containing links to malicious websites or attached Office documents with embedded malicious code.
“An analysis of threat sources has shown that, as with many other systems that require heightened security measures (such as industrial automation systems, building management systems, etc.), the internet is the main source of threats for biometric data processing systems,” according to the report. In fact, 14.4 percent of all attacks on biometric data processing systems were internet-borne, including those targeted by phishing websites and email attacks.
Other attack vectors include infected removable media (8 percent) and network folders (6.1 percent).
Malware wasn’t the only danger seen in the quarter. In its analysis, researchers noted that all too often, biometric data is not stored with the types of iron-clad protections one should expect for such high-value information. For instance, researchers said that they often observed biometric databases deployed on application servers shared with other systems, rather than dedicated computers.
“In other words, if attackers compromise, say, a mail server or a database used by the website of an organization that has a biometric authentication system, chances are that they will also find the biometric database on the same server,” according to the report.
The consequences of a compromise can be significant, given the potential for biometric forgery, and a lack of options in the event one’s biometric profile is stolen.
“Many human biometric characteristics can be forged (falsified) by malicious actors, and copying digitized biometric data may be even easier than copying physical biometrics,” the analysis pointed out. “[And] biometric data, once compromised, is compromised for good: users cannot change their stolen fingerprints the way they do stolen passwords. What’s more, biometric data may turn out to be compromised for all applications at the same time. An individual will therefore potentially be affected for the rest of his or her life.”
Biometric data theft and exposure is not a theoretical concern. For instance, in August, Suprema’s BioStar 2 biometric security smart lock platform suffered an incident arising from a publicly accessible database – among other confidential data, it contained about 1 million fingerprint records, as well as facial recognition information.
There’s also, of course, the Office of Personnel Management breach in 2015, where the information stolen in a cyberattack included nearly six million fingerprints of people associated with the U.S. government.
In all, researchers said that more oversight and user awareness are critical going forward, as biometric authentication continues to roll out.
“We believe that the existing situation with the security of biometric data is critical and needs to be brought to the attention of industry and government regulators and the community of information security experts, as well as the general public,” Kaspersky researchers concluded. “After all, anyone can be at risk in this case, regardless of their occupation, professional background and skills.”