Cybercriminals Eye Biometrics

The threat of biometric compromise is real. Breaches of biometric data are happening, and criminal hackers often leverage biometrics in followup attacks.

Biometric markers such as fingerprints, irises, and entire faces are increasingly popular for proving identity. If criminals can steal such biometric data, they can pose as legitimate users, potentially gaining access to your intellectual property, customer data, and financial assets.

"While criminal hackers can offer the stolen biometric data for sale online for huge sums, the goal is targeting specific networks to bring them down," says Jake Moore, global security adviser for ESET UK, an anti-malware company. Cybercriminals sell the data on the Dark Web, an uncharted part of the Internet where buyers and sellers reach sites via encrypted channels using Tor browsers.

Organizations go to the trouble of adding biometrics to other authentication factors, such as the one-time passcodes (OTPs) that arrive on your smartphone, because the data they protect is precious. A successful biometric hack combined with other compromised authentication factors almost certainly equates to massive losses for an enterprise.

"With persistent attacks comes continual entry," says Moore. Though cybercriminals often have to work to hack biometrics successfully, once they are in the system, significant disruption is likely; without the proper security procedures and continuity plans in place, it can take a long time for organizations to return to business as usual, Moore says.

Store biometric data encrypted at rest, and transmit it only over encrypted channels, to mitigate the risk of compromise. Never use biometrics as your only authentication factor.

"As the world moves toward digitization and people and organizations widely adopt biometric systems, the risk of data breaches leaking sensitive biometric data to malicious hackers increases," says Marios Savvides, director of the CyLab Biometrics Center of Carnegie Mellon University's Security and Privacy Institute. "The criminals can then create exploits and replay attacks for the biometric data, which they can use to break into the system," Savvides concludes.

Cybercriminals use replay attacks, in which a video of the person showing the biometric markers is played back on an iPad in front of the biometric scanner, says Savvides. "Replay attacks can happen for any biometrics system, whether it's a system to access your computer, bank account, or critical infrastructure," Savvides says.

Common threats to biometric data are easy to understand. "Protecting biometric data is difficult. Organizations find it challenging to secure face, voice, and fingerprint data from criminal hackers who collect it at coffee shops using high-resolution cameras and high sample rate audio recorders in the smartphones in their pocket," explains Brett Seals, a senior industrial cybersecurity consultant for 1898 & Co., a business consulting and services company.

The Samsung Galaxy S22 Ultra camera phone offers 108 megapixels (MP) resolution according to Digital Camera World, which is higher than what is available with most professional cameras. That's more than enough for cybercriminals who take videos of highly placed executives for replay to facial recognition systems.

Biometric Hacks On Record

Criminal hackers are robbing biometric data records at scale. In September 2020, an Iranian cybercriminal was selling 72,000 records purportedly from Iran's Ministry of Cooperatives, Labor and Social Welfare, according to Intel471, a cyberthreat intelligence company. The cybercriminal offered screenshots as proof of some of the records containing biometric data.

"In the OPM hack, cybercriminals compromised 5.6 million fingerprints, mine included. Every person who ever applied for security clearance with the U.S. government through 2014 has compromised fingerprints," says Seals. The U.S. Office of Personnel Management (OPM) uncovered the March 2015 fingerprint data exfiltration in April of that year, according to CSOonline.

Cybercriminals are using stolen biometrics and AI simulations to commit financial fraud. Criminal hackers created simulated videos from stolen high-definition photos, fooling a Chinese government facial recognition system. The hackers gained access to Chinese state tax records, then used those records to issue fake tax invoices worth US$76 million, according to a 2021 South China Morning Post report.

Future Outlook, Remedies

Biometric-based authentication is here to stay. "We desperately need biometrics, but once an attacker compromises them, we cannot replace them as we do with passwords. Criminals will continually attack biometrics and their inevitable vulnerabilities," says Moore. Those vulnerabilities include how easily anyone in a public place can record another person's biometrics in person, and the lack of security protecting the biometric data that organizations harvest and store for comparison.

One of the best ways to encourage organizations to secure biometric data properly is to put a price tag on their failure. According to Seals, "Because we can't change our biometrics, we should regulate their protection more than we do credit cards, health information, or any susceptible data."

For example, the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council (PCI-SSC) outlines fines of up to $500,000 per incident for credit card data breaches when sellers are not compliant with the standard, according to Security Boulevard.

Methods exist to soften risks to the data we secure with biometrics. "When we safeguard our most critical systems with biometrics, we should consider multimodal biometrics and other multifactor authentication methods to strengthen the layers of defense-in-depth. Because compromised biometrics become public and are no longer a secret, we should only use them like usernames to complement multifactor authentication (MFA)," warns Seals.
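As an added example (not code from the article or from any of the people quoted in it), the following Python sketch turns the two recommendations above into an authentication decision: the biometric match only selects the user, the way a username would, and access is granted only after the smartphone OTP, implemented here as an RFC 6238 TOTP, also checks out. The enrolled user, the matcher scores and the TOTP seed are constructed sample data, and the template store, assumed to keep templates encrypted at rest, is outside this snippet.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed sample enrolment: a single user whose TOTP seed is the RFC 6238
# test-vector secret. The raw biometric template never reaches this layer; it is
# assumed to sit encrypted in a separate store, and only the matcher's score arrives.
USERS = {"alice": {"template_id": "tpl-0001", "totp_secret": b"12345678901234567890"}}
MATCH_THRESHOLD = 0.90  # assumed matcher score at or above which the face is "alice"
TOTP_STEP = 30          # seconds per TOTP window


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter, HMAC-SHA1."""
    counter = struct.pack(">Q", for_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def identify(candidates: Dict[str, float]) -> Optional[str]:
    """Biometric step: return the best-matching enrolled user, or None.
    candidates maps username -> matcher score (constructed input)."""
    best = max(candidates.items(), key=lambda kv: kv[1], default=(None, 0.0))
    return best[0] if best[0] in USERS and best[1] >= MATCH_THRESHOLD else None


def authenticate(candidates: Dict[str, float], otp: Optional[str],
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """A biometric match alone never grants access; a valid TOTP is required.
    Returns (granted, reason)."""
    user = identify(candidates)
    if user is None:
        return False, "no biometric match"
    if otp is None:
        return False, f"biometric identified {user}; second factor required"
    now = int(time.time()) if now is None else now
    secret = USERS[user]["totp_secret"]
    # Accept the current window and one window either side to tolerate clock skew.
    for skew in (-TOTP_STEP, 0, TOTP_STEP):
        if hmac.compare_digest(totp(secret, now + skew), otp):
            return True, f"{user} authenticated with biometric + OTP"
    return False, f"{user}: OTP rejected"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the matching 6-digit code is 287082
    print(authenticate({"alice": 0.95}, None, now=t))       # denied: OTP missing
    print(authenticate({"alice": 0.95}, "287082", now=t))   # granted
```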


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
