Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic. It measures features such as face, fingerprints, hand geometry, handwriting, iris, retinal, vein, and voice. With the aid of Biometric authentication, the unique biological characteristics of individuals used to verify identity for secure access to electronic systems.
With the power of Biometrics technology today, fingerprint, which is a unique physical attribute of human body, is used to effortlessly identify and verify that a person is who he claims to be. And today, this technology has become the common biometric solution in the market.
However, latest research in the use of these security, and identity technologies has revealed something worthy of note about Biometrics: Cyber-criminals can now steal fingerprints.
An investigation into underground cybercrime by Kaspersky Lab researchers concluded that there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints. In addition, at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems.
While many financial organizations consider biometric-based solutions to be one of the most promising additions to current authentication methods, cybercriminals see biometrics as a new opportunity to steal sensitive information.
Just recently, Mastercard announced the roll out of Identity Check Mobile, a new payment technology application that uses biometrics like fingerprints or facial recognition to verify a cardholder’s identity, in order to simplify online shopping.
Already, there are existing identity verification methods which have been used to take shoppers away from a retailer’s website or mobile app where they are often required to remember and enter a password. This Biometric method has been considered to be more secured than the password which can be guessed by criminals. Also, because of the time it takes to log on to sites and input passwords, as well as the fear of having their transactions declined if they enter their password incorrectly, many online shoppers prefer to use the biometric identity verification method.
Banks and other financial organizations are already on the verge of introducing the biometric ATM authentication system, where ATM Card users may not have to enter any PIN number or password to perform any transaction.
Kaspersky Lab, an international network security company, investigated how cybercriminals could exploit new biometric ATM authentication technologies planned by banks. According to Kaspersky Lab experts, the first wave of biometric skimmers was observed in “presale testing” in September 2015. The evidence collected reveals that during the initial testing, developers discovered several bugs; however, the main problem was the use of GSM modules for biometric data transfer – they were too slow to transfer the large volume of data obtained. As a result, new versions of skimmers will use different, faster data transfer technologies.
Olga Kochetova, security expert with Kaspersky Lab explains the seriousness of biometric compromise: “The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus, if your data is compromised once, it won’t be safe to use that authentication method again.”
“Biometric data is also recorded in modern passports – called e-passports – and visas. So, if an attacker steals an e-passport, they don’t just possess the document, but also that person’s biometric data. They have stolen a person’s identity,” Kochetova adds.
Over the years, fraudsters have focused on ATMs in hunting financial data. Then there used to be the primitive skimmers, where homemade devices are attached to an ATM, capable of stealing information from the card’s magnetic strip and pin-code with help of a fake ATM pin pad or a web camera. Over time, the design of such devices was improved to make them less visible.
With the implementation of clone chip-and-pin payment cards, cybercriminals devices evolved into so-called ‘shimmers.’ These are largely the same, but these devices are able to gather information from the card’s chip, giving sufficient information to conduct an online relay attack. The banking industry is responding with new authentication solutions, including some that are based on biometrics. And now even the biometrics seems not to be safe with this latest discovery.
The use of tools capable of compromising biometric data is not the only potential cyber-threat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, blackbox attacks and network attacks to seize data that can later be used to steal money from banks and its customers.
The network security company also reveals that there are signs of ongoing discussions in underground communities regarding the development of mobile applications based on placing masks over a human face. With such an app, attackers can take a person’s photo posted on social media and use it to fool a facial recognition system.
This therefore is a call on cyber-security experts to come up with measures to counter the activities of these criminals and help ensure the security of citizens’ identity and financial accounts.
is a Lagos-Nigerian based ICT Journalist and a Guest Blogger for Nexxy Tech. you can connect with him on twitter @Tach_Kafoi and Facebook.