TECH TALK
Compromised biometric data poses unique risks
To understand the sensitivity of biometric
data and why it should be a part of your
conversations, consider the potential risk. You
are a person. Typically, you have one single
identity. One could argue that even if you
are a spy or have a criminal alias, you still
only have one identity since, regardless of
your aliases or the names you impersonate,
you only have one set of biometric data.
You cannot change your fingerprints, voice,
face, eyes, EKG or even veins in your arm.
When Information Technology uses biometric
data for either authorisation or authentication
(and yes, they are different), it needs to
compare the results with a stored profile of
your biometric data. The storage is electronic.
While extraordinary safeguards can be
placed on the storage and encryption of
biometric data, at some point it needs
to be reassembled (at least in parts) to
compare to assessed input. If the storage
is flawed by design, has vulnerabilities, or
the host system is misconfigured, we have
a potential exposure of the most sensitive
biometric data.
However, the biggest problem with biometric
data is not the storage or authentication
technology used, rather it is the static nature
of biometric data itself. If a password is
compromised, you can change it, putting a
stop to password re-use attacks that rely on
the compromised password.
However, if biometric data is compromised,
you cannot change it. Your eyes, face or
fingerprints are permanently linked to your
identity (excluding bio-hacking which is a
topic for another day). Any future hacks that
solely rely on compromised biometric data
can be an easy target for threat actors.
Biometrics alone should never be used to
authenticate or authorise action or commit
a transaction. Biometrics should be paired
with a password or, better yet, a two-factor
or multi-factor authentication solution for a
higher degree of confidence.
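
An added example, not from the original article: the Python below contrasts password verification, which stores only a replaceable salted hash, with biometric verification, which must hold the stored template itself to measure closeness, and grants access only when both verify. The 16-bit templates, the match threshold and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: 16-bit stand-ins for real biometric templates.
ENROLLED_TEMPLATE = 0b1011001110001101  # stored profile captured at enrolment
MATCH_THRESHOLD = 3                     # assumed: max differing bits for a match

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")        # number of differing bits

def biometric_matches(sample: int, stored: int = ENROLLED_TEMPLATE) -> bool:
    # Two scans of the same finger never agree bit for bit, so the verifier
    # needs the stored template in usable form to measure how close they are.
    return hamming(sample, stored) <= MATCH_THRESHOLD

def template_digest(template: int) -> bytes:
    # Hashing a template, as is done for passwords, breaks on a single noisy bit.
    return hashlib.sha256(template.to_bytes(2, "big")).digest()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_matches(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # Exact-match secret: only a salted hash is stored, and it can be replaced.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def authenticate(sample: int, password: str, salt: bytes, stored_hash: bytes) -> bool:
    # Policy from the text: a biometric match alone never grants access.
    return biometric_matches(sample) and password_matches(password, salt, stored_hash)

def demo() -> dict:
    salt = os.urandom(16)
    stored = hash_password("old-passphrase", salt)
    fresh_scan = ENROLLED_TEMPLATE ^ 0b0000000000000101  # same user, 2 noisy bits
    leaked = ENROLLED_TEMPLATE                           # template exposed in a breach
    results = {
        "genuine": authenticate(fresh_scan, "old-passphrase", salt, stored),
        "leaked_template_wrong_password": authenticate(leaked, "guess", salt, stored),
        "noisy_scan_hash_equal": template_digest(fresh_scan) == template_digest(leaked),
    }
    # Breach response: the password is rotated; the template cannot be.
    stored = hash_password("new-passphrase", salt)
    results["old_password_after_rotation"] = authenticate(
        fresh_scan, "old-passphrase", salt, stored)
    results["leaked_template_still_matches"] = biometric_matches(leaked)
    return results
```
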
Assessing how your biometric data is being used and accessed
Some vendors emphasise security for
biometric data (Apple Secure Enclave),
while others treat biometric data with little
regard for its safety. If you think my latter claim is
questionable, consider VTech’s ‘My Friend
Cayla’ doll and the ramification for sales,
collection of voice fingerprints and the
mischievous potential for a threat actor
against you or your children.
The storage of biometric data is quickly
increasing, but the implications are just
beginning to be understood and well-grasped.
We need to begin discussing
what we will allow to be stored about our
identity and what is just too risky. And, most
importantly, by whom.
Just consider all the new technology that
may now possess your biometric data:
• Personal assistants: Devices from
Amazon, Google and Apple all process
voice recognition commands and can be
programmed to understand individual
www.intelligentcio.com