SecurityBrief Australia

Interview: The dark side of biometrics - why social engineering could destroy security

By Sara Barker
Wed 14 Jun 2017

Biometric technology may be creeping up on consumer devices, but in the private sector, it's yet to catch on - and it may be for good reason.

We spoke to Richard Cookes, One Identity's country manager for Australia and New Zealand. He shares insights about how banks and biometrics are not a good mix, how hackers can take control of data and why it all comes down to social engineering.

When it comes down to it, biometric technology such as fingerprints, voice recognition, facial recognition and iris scans is rarely used in the private sector, except in situations such as scanning a fingerprint to gain physical access to doors or rooms. It is hardly ever used to access a workstation, Cookes explains.

He explains that there are two types of biometric databases: private organisations with physical on-premise databases, and citizen databases such as those found on a smartphone or smart card. Banks in particular rely on citizen databases, using data stored on the customer's mobile device to authenticate identity.

What makes biometrics such a consumer-centric technology that is rarely implemented in the private sector? Cookes says there are plenty of issues surrounding biometric data, storage, maintenance and compliance with privacy policies.

"There is no government legislation to use biometric technology in the financial sector, meaning that banks and other financial organisations cannot mandate the usage of biometric technology in Australia. However, biometrics is widely used through 'Opt-in' options, such as allowing fingerprints to access a banking or credit card app. In reality, passwords are still an important option to access accounts," he says.

While law enforcement and border protection agencies are supported by legislation that allows fingerprint biometrics to be taken, banks can't force users to use fingerprints in order to access their accounts, he adds.

That may be for good reason, considering biometrics has been built for convenience, not security. Cookes says the flaws in biometrics lie not necessarily in the technology, but in how companies use it. It is these applications that can make the technology vulnerable.

"What access do these companies give people once they are authenticated? Is there another layer of security used to authorise a transaction once someone has been authenticated? These are the questions organisations need to ask themselves when installing biometric technology."

"Banks have no control if a person allows another person to borrow their phone and register another fingerprint to the phone. The fact remains that gaining access to view account details is one thing; it is not unusual to send a one-time password by SMS or generate a password through another app to authorise a transaction," he explains.

Out of all biometric technologies, Cookes says that alongside getting fingerprints from glass or facial recognition from pictures, voice recognition is the easiest to hack. It's not the voice but what the voice is saying.

"For example, an unknown caller might ask close-ended questions such as 'can you hear me', prompting the receiver to answer 'yes' or 'no'. These recordings can then be played back in order to artificially authenticate voice biometric devices."

In the UK, a journalist's bank account was hacked by his non-identical twin brother after just eight attempts. This raises questions about how financial organisations should approach security, and whether voice biometrics is the best solution. According to Cookes, anything could be outwitted.

He says the fact that they were twins is a fluke. Voice recognition technology authenticated a person who was not the actual user. In some cases, banks don't even realise that an authentication procedure using biometrics has gone through.

"However, if a transaction meets a threshold of say over $500, it needs to be authorised as well, which might use an alternative mechanism which must also be defeated or be more difficult to artificially reproduce. This makes financial organisations less concerned with authentication and more worried about the social engineering of what people can do once they are authenticated."
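The separation Cookes describes, where a device-side biometric match only earns the right to view an account and a transfer above a threshold needs a second factor that must be defeated separately, can be expressed as a small authorisation policy. The following is an added example, not One Identity's code or any bank's implementation; the $500 threshold mirrors the figure in the interview, and the five-attempt lockout is an assumed value.

```python
import hmac
from dataclasses import dataclass, field

# Policy knobs: assumed values, chosen to mirror the $500 figure in the interview.
STEP_UP_THRESHOLD = 500.00   # transfers above this need a second factor
MAX_FAILED_OTP = 5           # lock the step-up factor after this many bad codes

@dataclass
class Session:
    user: str
    factors: set = field(default_factory=set)  # factors proven so far, e.g. {"biometric"}
    failed_otp: int = 0
    locked: bool = False

def authenticate_biometric(user: str) -> Session:
    # A device-side match only proves the device trusts whoever holds it (anyone
    # enrolled on an unlocked phone), so it earns a low-privilege session.
    return Session(user=user, factors={"biometric"})

def verify_otp(s: Session, submitted: str, expected: str) -> bool:
    # Step-up factor delivered out of band (SMS or authenticator app).
    # Constant-time compare plus a lockout so repeated guesses do not pay off.
    if s.locked:
        return False
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        s.factors.add("otp")
        s.failed_otp = 0
        return True
    s.failed_otp += 1
    s.locked = s.failed_otp >= MAX_FAILED_OTP
    return False

def authorise(s: Session, action: str, amount: float = 0.0) -> tuple:
    # Authentication answers "who is this?"; this answers "may they do that?".
    if "biometric" not in s.factors:
        return (False, "not authenticated")
    if action == "view":
        return (True, "biometric sufficient for read-only access")
    if action != "transfer":
        return (False, "unknown action")
    if amount <= STEP_UP_THRESHOLD:
        return (True, "below step-up threshold")
    if "otp" in s.factors:
        return (True, "second factor present")
    return (False, "step-up required: transfer exceeds threshold")
```

A replayed voice sample or a borrowed fingerprint gets the attacker only as far as `view`; the lockout means the second factor cannot be worn down by repeated attempts the way the eight-try voice case was.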

"This could be gathering enough information from Facebook or other social media channels to pose as someone and change passwords or where SMS messages might be sent. If a bank notices too late that someone fraudulently accessed an account, there is no way for the bank to get that money back."

While private biometric databases sit behind the organisation's own security infrastructure, citizen databases are particularly vulnerable. 80% of all biometrics are linked to mobiles, Cookes says.

"The key question to think about is how secure are people’s mobile devices and who has access to those personal mobile devices? Anyone who has let a stranger hold an unlocked phone is putting themselves at risk of being breached. With the mobile device unlocked, hackers can quickly add their biometrics to the list of authenticated fingerprints."

He stresses that it's the social engineering part of biometrics that is most dangerous. Improvements must focus on how to reduce it.

"The desire for increased expediency and luxury is also a driving factor behind needing better security. Names, birthdays, pets’ names are all information that can be used in fooling the social engineering behind biometrics," he says.

If no efforts are made to reduce social engineering, errors will occur and a ripple effect will follow, meaning it will take a long time to detect and fix the problems, with implications for both financial fraud and identity theft.

"What it really comes down to is a choice between giving up security for convenience or giving up convenience for security. The question organisations need to think about is how far they are willing to risk security for the convenience of quick access to information," he concludes.

One Identity's product portfolio encompasses identity management, privileged access management (PAM), self-service password management and UNIX AD bridging.
