Someone out there is trying to steal your DNA data and assume control over your biometrics. Can anything be done?
Author: Morey Haber, CTO, BeyondTrust
What do people today consider “sensitive” data?
The definition of Personally Identifiable Information (PII) often includes your name, email addresses, usernames, passwords, birthdate, address, social security number, credit card information, medical history, etc.
The sensitive data we are failing to adequately address is the linkage of our physical, carbon-based human bodies to all the biometric data being stored by IoT devices and services in the cloud.
If you think this sounds farfetched, ask yourself whether you or any of your loved ones has used an ancestry DNA kit or received a new notebook, mobile device, or smartwatch that stores health or login data behind fingerprints or facial recognition. I am willing to bet that you or someone close to you has.
Compromised biometric data poses unique risks
Typically, you have a single identity. You cannot change your fingerprints, voice, face, eyes, EKG, or even the veins in your arm.
When information technology uses biometric data for either authorization or authentication (and yes, they are different), it needs to compare the results with a stored profile of your biometric data. The storage is electronic.
While extraordinary safeguards can be placed on the storage and encryption of biometric data, the biggest problem is not the storage or authentication technology used, but rather the static nature of biometric data itself.
If a password is compromised, you can change it, putting a stop to password re-use attacks that rely on the compromised password. However, if biometric data is compromised, you cannot change it. Your eyes, face, or fingerprints are permanently linked to your identity (excluding bio-hacking, which is a topic for another day).
Any future system that relies solely on biometric data that has already been compromised is an easy target for threat actors.
Biometrics alone should never be used to authenticate or authorize an action or commit a transaction. Biometrics should be paired with a password or, better yet, a two-factor or multi-factor authentication solution for a higher degree of confidence.
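As an added illustration of this point (my example, not code from the original article), the following Python models a biometric check against a stored template combined with an RFC 6238 one-time code: a stolen template matches forever because it is static, while the second factor is the only part that can be rotated after a breach. The template bits, shared secret and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample: a 64-bit biometric feature vector, in the spirit of an
# iris-code bit string. Real templates are much larger; the logic is the same.
ENROLLED_TEMPLATE = "1011001110001111010100101100111100010110101010111100001011010010"
MATCH_THRESHOLD = 0.90  # fraction of bits that must agree for a match

def flip_bits(template: str, positions) -> str:
    """Invert the given bit positions (models sensor noise on a genuine scan)."""
    bits = list(template)
    for p in positions:
        bits[p] = "0" if bits[p] == "1" else "1"
    return "".join(bits)

def biometric_similarity(stored: str, sample: str) -> float:
    """Normalised Hamming similarity: 1.0 means the bit strings are identical."""
    if len(stored) != len(sample):
        raise ValueError("template length mismatch")
    return sum(a == b for a, b in zip(stored, sample)) / len(stored)

def biometric_matches(stored: str, sample: str) -> bool:
    return biometric_similarity(stored, sample) >= MATCH_THRESHOLD

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by common authenticator apps."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def authenticate(sample: str, code: str, secret: bytes, timestamp: int,
                 require_second_factor: bool = True) -> bool:
    """Accept only if the biometric matches AND, when required, the one-time code
    is valid. A leaked template passes the first check forever; only the secret
    behind the second factor can be replaced after a breach."""
    if not biometric_matches(ENROLLED_TEMPLATE, sample):
        return False
    if not require_second_factor:
        return True  # biometric-only policy: a replayed stolen template is enough
    return hmac.compare_digest(code, totp(secret, timestamp))

if __name__ == "__main__":
    secret, now = b"12345678901234567890", 59            # constructed secret/clock
    genuine = flip_bits(ENROLLED_TEMPLATE, [3, 17, 42])  # noisy but real scan
    print(authenticate(genuine, totp(secret, now), secret, now))     # True
    print(authenticate(ENROLLED_TEMPLATE, "", secret, now, False))   # True: leak alone passes
    print(authenticate(ENROLLED_TEMPLATE, "000000", secret, now))    # False
```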
Assessing how your biometric data is being used and accessed
Some vendors emphasize security for biometric data (Apple Secure Enclave), while others treat biometric data with little regard for its safety. If you think my latter claim is questionable, consider VTech’s My Friend Cayla doll and the ramifications for sales, the collection of voice fingerprints, and the mischievous potential for a threat actor against you or your children.
Just consider all the new technology that may now possess your biometric data:
Opening up a dialogue about biometric data
Now is the time to begin sensitive discussions on biometric data. When you purchase a device, use a new technology, or consider how you are interacting with a new service, ask yourself, and potentially the vendor (especially if the technology is used for work), the following:
Securing biometric data
For organizations that have already embraced biometrics in their environments, there are a few mitigation strategies that can help secure the information: