Biometric data security: Is encryption enough?

Biometric identification isn’t a new concept. Authorities have been using fingerprints to keep tabs on society’s rule breakers for more than 100 years. However, it’s only within the past 3 years that biometrics, such as fingerprint readers on smartphones, have encroached on consumers’ daily lives.

Technologies such as fingerprint readers on laptops and smartphones are increasing in popularity. The major drawcard is the convenience of tapping your finger to unlock your device, rather than remembering and typing a password.

But with convenience comes a cost. And that cost is security. In March, more than 55 million voters in the Philippines were found to be at risk after an entire electoral database from the Philippines' Commission on Elections (Comelec) was leaked online. The leaked details included fingerprints and passport numbers, names and expiry dates. According to analysts, the hackers managed to penetrate a database that reportedly had strong encryption.

With this attack in mind, how safe is our biometric data? What are the companies and government bodies that have access to our biometric data doing to keep it secure? It’s a question many people are asking.

In this article we take a closer look at biometrics. How they’re being used. And if they can ever really be considered a safe option in our interconnected global society.

What is biometric identification?

Biometric identification is a technology that identifies you or authenticates your identity. For identification, this could be running an image of your face against a database of images. For authentication, your fingerprint might be used to confirm a match to unlock your phone, laptop or even the PayPal app on your smartphone.

Ears, eyes, fingerprints, face topology and voice patterns are only some of the unique human attributes that can be used for biometric authentication. And this unique information needs to be stored in a database.

Just last month, it was revealed that the FBI has access to multiple face recognition databases. It’s understood the multiple databases have more than 400 million images of people, most of whom are law-abiding citizens.

And Facebook, with more than 1.19 billion users, has the biggest photo database in the world. There are an estimated 300 million photos uploaded daily. Facebook developed the biometric identification software DeepFace for the platform a few years ago. It’s more than 97% accurate - about the same percentage of accuracy our brains have. And while Facebook isn’t scanning your face to grant access to the platform, there’s a big question surrounding how the company is keeping users’ facial biometrics safely out of the hands of hackers.

There are certain advantages and disadvantages to using biometrics to authenticate users. Let’s have a look at that now.

What are the advantages of using biometric authentication?

Security and convenience
Biometrics provide a greater assurance that a person is actually who they’re claiming to be. As fingerprints, ears and voice patterns are unique, they’re harder to forge in sophisticated systems. The stronger authentication method makes biometrics a stand-out option for companies or government bodies with highly sensitive data, such as the Australian Tax Office.

The ATO discussed their biometric systems at CeBIT 2016. One of the most prominent tools used by the ATO’s customer service team is voice recognition software. It was introduced in 2014 and is able to identify ATO customers within seconds - technically no passwords or codes are needed from the user. However, the team still asks the caller questions, because in the testing phase users found it confronting that the system already knew who they were without them supplying any information.

What are the disadvantages of using biometrics?

Data security
Biometrics are a phenomenal tool for authentication because no two people will have the same fingerprint. However, the biggest disadvantage with biometrics is the safety of biometric identifiers. The problem isn’t about the safety of authenticating the user; the problem is keeping the biometric data safe.

By biometric data security we refer to the security of the information that makes you unique - the record of your fingerprint, or the image of your ear, your face, or your voice pattern. These biometric identifiers need to be kept safe - if they’re leaked, anyone could use this information to access a user's information. You can’t get a new fingerprint, new voice or new ear as quickly as you can change a compromised password. And what’s more concerning is that earlier this year, a small wad of Play-Doh was used to break into an Apple iPhone’s fingerprint authenticator. This shows how easily a fingerprint could be imprinted and used to access private data if it got into the wrong hands.

How can we keep the biometric identifier data secure?

Keeping users’ biometric data safe needs to be a paramount priority for any company or organisation using this data. GE Capital Americas Incident Response & Data Management Senior Team Leader, Mary Chaney, told CSO Online that the security around this data must be planned out and access limited appropriately. “In addition, these ‘super’ highly privileged access users must also be monitored and subjected to even higher level of security,” she says.

Some say the level of encryption just isn’t there yet. But security organisations are working on technology to securely turn biometric data into a cryptographic key. In 2015 Fujitsu announced it had developed a technology that randomises numbers to convert biometric data into a cryptographic key for use in encryption and decryption. Specifically, they worked with palm identification. Fujitsu said this makes it possible to simply and securely manage an individual's confidential data using biometric data, while preventing the unconverted biometric data from passing through a network. Fujitsu’s technology isn’t due to be commercialised until 2017. Many companies are working on better ways to keep the data safe, but much like the case with Fujitsu, there’s still a long way to go. The good news is they’re looking into developing code to work with other biometrics, such as fingerprints.
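
The general idea of binding a random key to biometric features, so that neither the raw template nor the key itself has to be stored or sent, can be illustrated with a fuzzy commitment. This is an added example, not Fujitsu's technology or code; the repetition code, the 640-bit feature vector, the function names and the sample data are assumptions chosen for illustration, and a real system would use a stronger error-correcting code.

```python
from __future__ import annotations
import hashlib
import hmac
import random
import secrets

REPEAT = 5      # each key bit is repeated 5 times; majority vote absorbs 2 flips per block
KEY_BITS = 128

def _bits(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def enroll(features: list[int]) -> tuple[list[int], bytes, bytes]:
    """Bind a fresh random key to the features; only helper and key_hash are stored."""
    if len(features) != KEY_BITS * REPEAT:
        raise ValueError("feature vector has the wrong length")
    key = secrets.token_bytes(KEY_BITS // 8)
    codeword = [bit for bit in _bits(key) for _ in range(REPEAT)]
    helper = [c ^ f for c, f in zip(codeword, features)]  # masks the features
    return helper, hashlib.sha256(key).digest(), key

def recover(sample: list[int], helper: list[int], key_hash: bytes) -> bytes | None:
    """Re-derive the key from a fresh, noisy sample; None if the sample does not match."""
    if len(sample) != len(helper):
        return None
    noisy = [h ^ s for h, s in zip(helper, sample)]       # codeword plus sensor noise
    decoded = [
        int(sum(noisy[i:i + REPEAT]) > REPEAT // 2)       # majority vote per block
        for i in range(0, len(noisy), REPEAT)
    ]
    key = bytes(
        int("".join(map(str, decoded[j:j + 8])), 2)
        for j in range(0, KEY_BITS, 8)
    )
    return key if hmac.compare_digest(hashlib.sha256(key).digest(), key_hash) else None

def flip_every(bits: list[int], step: int) -> list[int]:
    """Constructed sensor noise: flip every `step`-th bit."""
    return [b ^ (i % step == 0) for i, b in enumerate(bits)]

def demo() -> tuple[bool, bool]:
    rng = random.Random(2016)  # constructed stand-in for a real feature extractor
    enrolled = [rng.getrandbits(1) for _ in range(KEY_BITS * REPEAT)]
    impostor = [rng.getrandbits(1) for _ in range(KEY_BITS * REPEAT)]
    helper, key_hash, key = enroll(enrolled)
    same_person = recover(flip_every(enrolled, 7), helper, key_hash) == key
    other_person = recover(impostor, helper, key_hash) is None
    return same_person, other_person
```

If the stored helper data and hash leak, a new key can be issued by enrolling again, although the underlying biometric itself still cannot be changed.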


Final thoughts

Whether you’re fond of biometrics being used to identify and/or authenticate a user or not, the popularity of the technology will continue to grow. What’s important is prioritising how to keep a user’s biometric identifiers safe from hackers and avoid a situation similar to that in the Philippines. Security companies are working hard to develop stronger encryption and decryption, but as of today, companies and organisations need to take exceptional care when dealing with this type of data.
