The one thing we thought was more unique than a snowflake—our fingerprints—can now be hacked. Straight out of a science fiction movie, you can’t make this stuff up. The advent of biometric technology, which is the technical term for body measurements and calculations, has made fingerprint and facial recognition the method of the moment for single sign-on, but whether we are really any safer as a result is up for debate. At the end of the day, are these biometric measures any better than a good old-fashioned padlock or a fireproof door?
Recently, researchers have used a neural network to generate artificial fingerprints that work as a “master key” for biometric identification systems and prove fake fingerprints can be created. Dubbed “DeepMasterPrints” by the researchers, these fraudulent authorizations have imitated more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.
Based on these insights, the researchers at New York University used a common machine learning technique, called a “generative adversarial network,” to artificially create new fingerprints that matched as many partial fingerprints as possible. This method has been compared to a “dictionary attack” against passwords, where a hacker runs a pre-generated list of common passwords against a security system.
Why Does This Matter?
Biometrics have been in development for many years. Only recently, the technology and its applications have come into mainstream use. Experian just released its predictions for cybersecurity threats in 2019, and among the top threats are—you guessed it, biometrics. Attackers will zero in on biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition, and passcodes. Biometric data is considered the most secure method of authentication, but it can be stolen or altered, and sensors can be manipulated and spoofed—or simply deteriorate with too much use.
The use of fingerprints is now considered an alternative or a supplemental form of authentication to passwords and other more traditional means of accessing sensitive data. Until recently, this would not have been an option for run-of-the-mill applications, but as more and more smartphones have fingerprint readers built in, adopting fingerprints as a biometric authentication option is increasingly economical and pragmatic.
Many users are accustomed to using the fingerprint readers on their phones and other devices to unlock them instead of having to enter a password, PIN, or unlock pattern. Because of the increasing use of this technology and fingerprints being easily accessible, there is a higher risk of fingerprint fraud being used to access private information.
How To Protect Your Prints?
For now, it is probably difficult to know if someone’s fingerprints have been stolen, as few online services are using, much less requiring, fingerprint authentication. However, this risk is not as likely as recent large-scale security breaches such as the case of Equifax, one of the three major credit reporting agencies in the U.S., which announced a data breach affecting 143 million consumers. The hackers accessed Social Security numbers, birthdates, addresses, and driver’s license numbers.
According to the U.S. government, there are at least three distinct types of identity theft:
- Tax ID theft – Someone uses your Social Security number to falsely file tax returns with the IRS or your state.
- Medical ID theft – Someone steals your Medicare ID or health insurance member number. Thieves use this information to get medical services or send fake bills to your health insurer.
- Social ID theft – Someone uses your name and photos to create a fake account on social media.
There are some basic precautionary measures that one can take to prevent this type of identity threat in addition to not flashing the “peace sign” in photos on social media sites. Your prints can be gleaned from a simple picture!
- Secure your Social Security number (SSN). Don’t carry your Social Security card in your wallet. Only give out your SSN when totally necessary.
- Don’t share personal information (birthdate, Social Security number, or bank account number) just because someone asks for it.
- Collect mail every day. Place a hold on your mail when you are away from home for several days.
- Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.
- Use the security features on your mobile phone.
- Update sharing and firewall settings when you’re on a public Wi-Fi network. Use a virtual private network if you use public Wi-Fi.
- Review your credit card and bank account statements. Compare receipts with account statements. Watch for unauthorized transactions.
- Shred receipts, credit offers, account statements, and expired credit cards, to prevent “dumpster divers” from getting your personal information.
- Install firewalls and virus-detection software on your home computer.
- Create complex passwords that identity thieves cannot guess. Change your passwords if a company that you do business with has a breach of its databases.
As we like to say here at The Threat Report, maintaining healthy cybersecurity is not just about taking measures, it’s a mindset based on good habits.