As a kid, I was a big fan of “Peanuts,” the legendary comic strip by Charles Schulz. Linus was, and still is, my favorite Peanuts character. Linus always had the thoughtful answer and the confidence to tell his friends the truth, despite the silly security blanket. Schulz said, “Linus, my serious side, is the house intellectual, bright, well-informed — which, I suppose, may contribute to his feelings of insecurity.”
As an adult with a serious professional interest in security, I am surprised as to why bright, well-informed data and cybersecurity professionals don’t feel more insecure about the efficacy of biometric information as a security device. Is it because biometrics are today’s security blanket?
The Myth of Biometric “Security Blankets”
I have been a contrarian about biometrics for some time. As I blogged last year:
To protect against consumer financial fraud, there’s a lot of buzz now about using biometric information — fingerprints, iris and facial recognition, and other unique physical characteristics — to authenticate payment card transactions…
Like encryption, however, biometrics are not a silver bullet to stop hackers. As a defense mechanism, biometric authentication is actually worse because it can create a false sense of security. But once that information is corrupted or stolen by hackers, how do you prove who you really are? This excellent article in Scientific American captures the high-level privacy and cybersecurity implications that should be central to any discussion of biometrics:
“… [O]nce your face, iris or DNA profile becomes a digital file, that file will be difficult to protect. As the recent NSA revelations have made clear, the boundary between commercial and government data is porous at best. Biometric identifiers could also be stolen. It’s easy to replace a swiped credit card, but good luck changing the patterns on your iris.”
Since I posted that blog a year ago, Apple released Face ID as the mechanism to unlock its new iPhone X. Almost as quickly, stories began to appear about how Face ID could be effectively fooled by twins, kids and dudes with beards (almost).
Facial Recognition Imparts a False Sense of Security
The most serious and obvious argument against biometrics is this: They are really no more secure than any other form of authentication.
Whether it’s your face, fingerprint, iris or even your heartbeat, biometric data is eminently hackable. If stolen, the cybercriminal isn’t going to make himself or herself look like you. They’re going to associate their digitized face, fingerprint, iris or heartbeat with your account.
What makes biometrics riskier than other forms of authentication comes after a compromise has occurred: once your biometrics are corrupted, how do you prove you’re really you?
In the wake of the first big biometric hack earlier this year, of India’s Aadhaar, the world’s largest biometric identification system, the general public is becoming increasingly aware that fingerprints are as easy to steal as passwords. And for the criminal fraudster or hacker looking to gain improper access to information or systems, associating their biometrics with your credentials is really no more difficult than changing your password, or any number of other tried-and-true account takeover tactics that have been around for years.
The scary difference is the misplaced faith that people are putting in biometrics. Like a security blanket, this technology makes people feel good but provides no substantive improvement in protection. I view biometrics as a trending fashion in security, not a credible long-term contender for materially improving security outcomes. What difficulty might consumers face (no pun intended) in reestablishing their own physical provenance when the inevitable hack takes place?
Stay Safe, Stay Vigilant
As I said in my biometrics blog last year, when it comes to ever-more resourceful and clever hackers, there is no single technology that can stop criminals in their tracks. As with other applications of security technology, the best defense for your financial life is constant vigilance, such as monitoring of activity on all of your cards and accounts, and setting up alerts with your bank’s mobile app and credit bureaus. If your bank offers card freeze technology, learn to use it so it’s available when you need it.
All defenses can be compromised, and when that happens, enterprises need to know about it, quickly. FICO® Cybersecurity Solutions deliver exactly that, allowing organizations to anticipate risks, identify emerging cyber threats, quantify cyber exposure, and fight cyber crime in real time.