The benefits of using biometric data as part of a wider security program are clear. Passwords can be difficult to remember, especially when you have to mentally retain multiple passwords for a growing number of digital accounts. But you’ll never forget your fingerprints or your voice. Logging in with something you are, rather than something you know, has distinct benefits for the end user.
But that doesn’t mean that all biometric authentication measures are totally secure. In fact, many biometrics technologies are easier to hack than you think. Think your irises, fingerprints and human subtleties are unique and incorruptible? Think again.
Hackers have managed to use graphite powder, etching machines and wood glue to create fingerprint replicas good enough to fool scanners. Normally this would require access to something the target had touched, but not for much longer. Tsutomu Matsumoto, a researcher from Yokohama National University, managed to create a graphite mold from a picture of a latent fingerprint on a wine glass. It fooled scanners 80% of the time.
The Chaos Computer Club, a hacking collective based in Berlin, managed to deceive iris-scanning technology using a dummy eye created from a photo print-out. A high-resolution image of an iris was wrapped around a contact lens to simulate the curvature of the eye, meaning that anyone with a good quality Twitter profile picture could be hacked.
Researchers from the University of North Carolina created a system that builds digital models of people’s faces based on photos from Facebook. The models are rendered in 3D and then displayed using VR technology that simulates the motion and depth cues that facial recognition systems look for. The animation was convincing enough to bypass four out of the five systems tested.
Criminals have been known to cold call targets and take voice samples from the call for hacking purposes. These samples are either fed into a voice synthesizer that can then be used to generate phrases that were never originally said, or hackers can try to get their victims to say the security phrases that would give them access to their accounts.
Even though DNA analysis is not widely used as a security measure, it’s interesting to know that it could potentially be used for nefarious reasons. Scientists at the University of Washington encoded malware into a genetic molecule that was then used to take control of the computer used to analyze it. While we are perhaps a long way off from DNA hacking becoming commonplace, it is a stark reminder that fraudsters are always coming up with new techniques.
The fact that many of these biometrics technologies can be hacked is troubling, especially because, while you can reset a password or a PIN code, you cannot reset your retinas. Once biometric data is in the possession of hackers, there is always a risk it could be used to compromise personal or professional accounts.
One possible way to prevent such attacks is to move towards using behavioral biometrics such as gait recognition, keystroke dynamics or mouse movement analysis. These behaviors can be continuously monitored and verified without disturbing users, unlike physiological biometrics technology, which requires intrusive one-off authentication.
Whichever biometrics technology is used, it is crucial that it forms part of a multi-factor security infrastructure. Using several verification measures in unison gives the best possible chance of keeping hackers from gaining access to sensitive information.