Interview: The dark side of biometrics - why social engineering could destroy security
FYI, this story is more than a year old
Biometric technology may be creeping up on consumer devices, but in the private sector, it's yet to catch on - and it may be for good reason.
We spoke to Richard Cookes, One Identity's country manager for Australia and New Zealand. He shares insights about how banks and biometrics are not a good mix, how hackers can take control of data and why it all comes down to social engineering.
When it comes down to it, biometric technology such as fingerprints, voice recognition, facial recognition and iris scans, is rarely used in the privacy sector, except in situations such as scanning a fingerprint to gain access physical to doors or rooms. It is hardly ever used to access a workstation, Cookes explains.
He explains that there are two types of biometric databases: Private organisations with physical on-premise databases; and citizen databases such as those found on a smartphone or smart card. Banks in particular rely on citizen databases, relying on data stored on the customer's mobile device to authenticate identity.
What makes biometrics such a consumer-centric technology that is rarely implemented in the private sector? Cookes says there are plenty of issues surrounding biometric data, storage, maintenance and compliance with privacy policies.
"There is no government legislation to use biometric technology in the financial sector, meaning that banks and other financial organisations cannot mandate the usage of biometric technology in Australia. However, biometrics is widely used through 'Opt-in' options, such as allowing fingerprints to access a banking or credit card app. In reality, passwords are still an important option to access accounts," he says.
While law enforcement and border protection agencies are supported by legislation that allows fingerprint biometrics to be taken, banks can't force users to use fingerprints in order to access their accounts, he adds.
That may be for good reason, considering biometrics has been built for convenience, not security. Cookes says biometrics has flaws not necessarily in the technology, but how the companies use biometrics. These applications can make the technology vulnerable.
"What access do these companies give people once they are authenticated? Is there another layer of security used to authorise a transaction once someone has been authenticated? These are the questions organisations need to ask themselves when installing biometric technology."
"Banks have no control if a person allows another person to borrow their phone and register another fingerprint to the phone. The fact remains, gaining access to view account details is one thing, it is not unusual to send a onetime password by SMS or generate a password through another app to authorise a transaction," he explains.
Out of all biometric technologies, Cookes says that alongside getting fingerprints from glass or facial recognition from pictures, voice recognition is the easiest to hack. It's not the voice but what the voice is saying.
"For example, an unknown caller might ask close ended questions such as “can you hear me” prompting the receiver to answer, 'yes' or 'no'. These recordings can then be played back in order to artificially authenticate voice biometric devices."
In the UK, a journalist's bank account was hacked by his non-identical twin brother after just eight attempts. This poses questions about how financial organisations should approach security, and whether it's the best solution. According to Cookes, anything could be outwitted.
He says the fact that they were twins is a fluke. Voice recognition technology authenticated a person who was not the actual user. In some cases, banks don't even realise an authentication procedure has gone through that uses biometrics.
"However, if a transaction meets a threshold of say over $500, it needs to be authorised as well, which might use an alternative mechanism which must also be defeated or be more difficult to artificially reproduce. This makes financial organisations less concerned with authentication and more worried about the social engineering of what people can do once they are authenticated."
"This could be gathering enough information from Facebook or other social media channels, to pose as someone and change passwords or where SMS messages might be sent. If a bank misses the fact that someone fraudulently accessed an account too late, there is no way for the bank to get that money back."
While private biometric databases are privy to the security infrastructure set in place, citizen databases are particularly vulnerable. 80% of all biometrics are linked to mobiles, Cookes says.
"The key question to think about is how secure are people’s mobile devices and who has access to those personal mobile devices? Anyone who has let a stranger hold an unlocked phone is putting themselves at risk of being breached. With the mobile device unlocked, hackers can quickly add their biometrics to the list of authenticated fingerprints."
He stresses that it's the social engineering part of biometrics that is most dangerous. Improvements must focus on how to reduce it.
"The desire for increased expediency and luxury is also a driving factor behind needing better security. Names, birthdays, pets’ names are all information that can be used in fooling the social engineering behind biometrics," he says.
If no efforts are made to reduce social engineering, errors will occur and a ripple effect will happen, which means it will take a long time to detect and fix the problems. This will have effects on financial and identity theft implications.
"What it really comes down to is a choice between giving up security for convenience or giving up convenience for security. The question organisations need to think about is how far they are willing to risk security for the convenience of quick access to information," he concludes.
One Identity encompasses identity management, privileged access management (PAM), self-service password management and UNIX AD bridging product portfolio.