A cyber attack on biometric data could pose significant risks at border - expert comment

September 2016 by Robert Capps, VP of Business Development at NuData Security

Canada’s Border Security Agency warns that a cyber attack on their facial recognition or fingerprints databases could result in barring innocent travellers from Canada — or letting the wrong people in. Officials said they need to “keep pace with emerging security vulnerabilities” to systems governing who can enter the country. The agency’s growing use of “biometric” data — such as fingerprints, facial recognition, and retinal scans — was cited as an example. Commenting on this, Robert Capps, VP of business development at NuData Security, said:

“Physical biometrics work best when the person being authenticated has physically presented themselves to the authenticating party, which is why fingerprint and iris scanners work well in a border control setting - they are hard-wired, monitored and nearly impossible to spoof. However, in a non-face-to-face interaction, using a single biometric data point to authenticate a user is no different than adding a second, static password. In a way, in certain scenarios, they could be worse: a stolen or leaked password can be reset, your finger or iris print cannot.

High-quality reproductions of a fingerprint (a static image) or a recorded heartbeat (a set, basic pattern) can be captured and reused, and can be stolen en masse, like the 5.6 million fingerprints stolen from the Office of Personnel Management last year. Even low-tech methods can produce results, like the infamous gummy bear hack for fingerprint scanners. There is also a very real threat of fraudsters going after individuals in person, to garner physical biometrics for nefarious activities - such fears are steering away risk-averse companies. The sheer breadth of damage that can be done with just one piece of personal, biometric information highlights the sophistication of today’s hacker and shows what security teams must now deal with.

If ANY border service agency was breached, and we have to be clear that there is no indication that there has been a breach, there is a risk. By combining the information stolen from such a breach and other breaches, cyber criminals have the potential to piece together very comprehensive user identities. One frightening example is the “Facebook of Everything” that China’s intelligence service is compiling from the personal data stolen over several high-profile U.S. cyber breaches including OPM. Their stated goal is to compile it into a massive Facebook-like network to build a profile of everyone — with more details than Facebook.

In other words, they’ve now got a full database of information that could be used for multiple fraudulent and nefarious purposes for generations to come. They are able to use the stolen information and fingerprints to create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more damaging fraud can take place. As an example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. This is true for the millions of stolen fingerprints as well, especially with the increased adoption of touch/fingerprint-based authentication for mobile banking and payment apps. Unlike passwords, fingerprints can’t be changed, last a lifetime, and are usually associated with critical identities.

Identity protection services or credit monitoring aren’t enough when it comes to biometric identity theft. Fingerprints cannot be changed. Spoofing fingerprints is no longer something from a sci-fi movie. It is happening and will increase more as cheaper tools make their way onto the dark web, and even WikiHow has a step-by-step guide.

Fortunately, user behavioural biometrics (BB) can provide the extra layers of protection even after hacks have occurred. Online fraud detection solutions using BB can stop fraudsters in their tracks by identifying suspicious activity, in a completely passive and non-intrusive way. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. Even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at behavioural events, biometrics, device, geography and other layers to determine the real actor behind the device or fingerprint. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring.”
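The layered check Capps describes above (typing cadence, device and geography weighed alongside a static fingerprint result, so that a spoofed fingerprint alone does not pass) as an added Python example. It is not code from the article or from NuData's product; the profile values, sessions, weights and the 0.6 threshold are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class UserProfile:
    # Constructed behavioural baseline for one legitimate user.
    key_interval_mean: float   # typical time between keystrokes, ms
    key_interval_std: float
    known_devices: set
    usual_countries: set

@dataclass
class Session:
    fingerprint_ok: bool       # static biometric result (may be a spoof)
    key_intervals_ms: list     # keystroke timings observed this session
    device_id: str
    country: str

# Constructed baseline: ~180 ms between keystrokes, one known laptop, Canada.
PROFILE = UserProfile(180.0, 25.0, {"laptop-A"}, {"CA"})

def behavioural_risk(profile, session):
    """Score 0..1 from passive layers; each layer is independent of the fingerprint."""
    score, reasons = 0.0, []
    observed = mean(session.key_intervals_ms)
    z = abs(observed - profile.key_interval_mean) / profile.key_interval_std
    if z > 2.0:                       # cadence far outside the user's norm
        score += 0.5; reasons.append(f"typing cadence z={z:.1f}")
    if session.device_id not in profile.known_devices:
        score += 0.3; reasons.append("unknown device")
    if session.country not in profile.usual_countries:
        score += 0.3; reasons.append("unusual geography")
    return min(score, 1.0), reasons

def decide(profile, session, threshold=0.6):
    """'deny' on a failed fingerprint; otherwise let the behavioural layers decide."""
    if not session.fingerprint_ok:
        return "deny", ["fingerprint mismatch"]
    score, reasons = behavioural_risk(profile, session)
    # A high score triggers step-up authentication / review rather than silent allow.
    return ("challenge" if score >= threshold else "allow"), reasons

# Constructed sessions: the legitimate user, and an actor holding a spoofed fingerprint.
LEGIT = Session(True, [170, 190, 185, 175], "laptop-A", "CA")
SPOOFED = Session(True, [90, 110, 95, 105], "phone-X", "ZZ")

if __name__ == "__main__":
    print(decide(PROFILE, LEGIT))    # ('allow', [])
    print(decide(PROFILE, SPOOFED))  # ('challenge', [...three reasons...])
```

The spoofed session passes the static biometric check yet is still challenged, because its cadence, device and location all disagree with the stored behavioural profile.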

