More companies are slowly adopting biometrics, a technology sometimes seen as “the” answer to a crumbling cybersecurity regime that has fallen prey to hackers. But the collection of biometric data is raising all kinds of questions about privacy and security.
MasterCard, the latest firm to dip its toes into the waters of biometrics, is developing a pilot for a face recognition identification system. While still scant on details, the company said in an email that it “wants consumers to have a safe and simple payment authentication experience with biometric technology.”
We are giving consumers a choice to authorize the transaction with who they are [face or fingerprint], not with what they may or may not remember. Paying with MasterCard Identity Check will reduce online fraud.
When you log in to your mobile device, you snap a photo of your face. The image of your face is then converted to a value of 1s and 0s based on face measurements. The image is then destroyed. The value is stored but protected [hashed and encrypted], and cannot be used to recreate your image. The new value can be compared to the enrollment value for matching.
“Biometrics are … a series of numbers of ones and zeros that represent different measurements on your face and different ways that your face might look,” said Jennifer Lynch, a senior staff attorney with the non-profit civil liberties group, Electronic Frontier Foundation.
Theoretically, a person who accesses that data can then steal the biometric information and find a way to reconstitute the faces behind it.
Reconstituting a hacked biometric “depends on the algorithm and the type of biological attributes used,” said Symantec’s principal threat researcher Candid Wueest. He said most algorithms “only save and compare a reduced subset of features that are generated by a one-way function, making it extremely difficult to generate the original face, even if you know the algorithm.”
Many biometric systems use a fingerprint, for example, to unlock a service key. That key typically corresponds to an application. Once that fingerprint becomes publicly available, “the whole system needs to be exchanged,” he said.
Vendors are making it more difficult for hackers to fool the sensors with a printed photo or a fake finger. But Wueest said it is still possible to trick them.
“Last year, for example, we saw someone successfully reconstruct a fingerprint from a high- definition photo and use it to unlock a system,” he recalled.
There also have been attacks where photos of faces were constantly modified and rechecked against the target.
“This may generate a picture that passes the test and resembles the original,” he said. “The principal is the same as a classical brute force attack against password hash functions.”
“We will be seeing more of that in the future,” predicted Lynch, although that depends on the biometric system a vendor is using.
She said some systems are “not sophisticated enough to recognize or to distinguish a face from the photograph of a face. And so you could hack into a system with a photograph of somebody else’s face.”
Some vendors might use high-level encryption to make hacking into their system more difficult. But Lynch warned that if a single company creates a proprietary biometric algorithm for multiple clients, then hacking the source could compromise a host of databases and enable a recreation of the biometric data.
“Unfortunately,” added Wueest, “weaker implementations can allow attackers to bypass the entire process — similar to weak password authentication processes. For example, some smartphone sensors allow applications to record the original image of the fingerprint before it is processed by the algorithm, permitting re-authentication in the future.”
However, he pointed out that with biometric systems, attackers often need physical access. “This limits the scalability of an attack,” he said. “If biometrics are used to unlock an application key, then this key can be attacked just like any password, The huge advantage is that the key will be long and complex and cannot be found in a dictionary.”
Nevertheless, Lynch is concerned about the mass collection of biometric data, given the “massive databases of biometrics” collected in recent years by law enforcement agencies and government entities in the United States and other countries.
She said whenever that happens, “the biggest concern is how are those biometrics being stored and what protections are in place to prevent them from being stolen or from the systems being hacked?”
One of the key differences between password systems and biometrics is that identifiers like faces and fingerprints cannot be changed.
“With a credit card number or a social security number or a driver’s license number, that number can be changed,” said Lynch.“… But with a biometric, you cannot change your fingerprint. You can’t change your face. So if that data is stolen, then society is at a much greater risk for identity theft.”
TECHtonics asked MasterCard that question. In response, the company said it “has a longstanding commitment to building privacy and data protection” into everything it does.
In delivering a safe and convenient way to pay, we design and develop our products and services with respect for privacy. To us, data isn’t just bits and bytes, it’s personal.
When processing transactions, we only collect the card number, the merchant name and location, the date and the amount of the transaction. Except for select opt-in programs, we do not receive the cardholder’s name or other contact information.
Using biometrics to authenticate online payment transactions is consumer choice and an additional layer of security.
Despite the limitations of biometrics systems, Carnegie Mellon University’s Lorrie Faith Cranor, Director of CyLab Usable Privacy and Security Laboratory, believes the technology has a lot of promise, albeit with a tinge of skepticism.
“It is not clear to me that it will ‘solve’ the cybersecurity problem,” she said. “But it will be an increasingly useful tool.”