Millions of fingerprint, facial, and other biometric recognition details already on the Dark Web: Internet Scambusters #1,059
Biometrics – the technology of using facial, fingerprint, and voice recognition to confirm your identity – promises to improve our security and maybe even replace passwords.
But is it safe? And if not, what can we do to protect against a future and growing threat?
No security technology is 100 percent safe, but there’s one important thing you can do to protect yourself from this threat, as we explain in this week’s issue.
Let's get started…
Your Key Weapon Against Biometric Data Theft
Security pros keep telling us that the age of the cumbersome use of passwords is nearly over and we'll all be using fingerprints, facial, eye-iris, voice recognition, and other forms of biometrics, even DNA, in their place.
But the bad news is that scammers and hackers have developed software and theft techniques so they can use biometrics and pretend they’re you.
And the really bad news is that millions of public biometric records are already for sale on the Dark Web for as little as $5. In fact, according to a biometric specialist in Dubai, hackers who stole a billion records in India have offered access to their database for just $8.
In another famous case, in 2019, fingerprint and facial records were stolen from a security firm’s database. Almost 28 million records subsequently appeared on the Dark Web – the Internet area that’s not indexed by search engines and where criminal activities are rife.
But hold on. We don’t want to panic you – yet. Yes, biometric hacking, as the crime is called, is here, but it’s still not widespread in the public domain.
However, it’s expected to spread rapidly as the technology is increasingly adopted by businesses and government organizations. There are two very important things you can do to protect yourself, and we’ll get to them shortly.
How is Biometric Data Stolen?
The biggest haul of stolen fingerprint, voice, and facial records comes from hacking the systems that store them. It's already happened a few times, going back to 2015 when the US Office of Personnel Management was hacked, giving access to fingerprint data of 5.6 million people.
Of course, there's not a lot that we consumers can do about that sort of crime, apart from being wary about who we give this precious information to.
More worrying from a public perspective is the amount of biometric information we give away freely on social media - from high resolution photos and videos on Facebook to pictures of eye makeup that users posted on TikTok. Experts have shown that these images can be used to trick scanners.
Another worry - though it's something for the future rather than today - is that we leave our fingerprints all over the place, just waiting to be copied. And, as many scanners only use a tiny part of a fingerprint, it's relatively easy to reproduce enough to trick our devices.
Last October, leading security software firm Trend Micro published a 75-page report on the dangers we all face through biometric hacking.
"By publicly sharing certain kinds of content on social media, we give malicious actors the opportunity to source our biometrics," the report says. "By posting our voice messages, we expose voice patterns. By posting photo and video content, we expose our faces, retina, iris, ear shape patterns, and in some cases, palms and fingerprints."
The Most Important Action You Can Take
It's important to be aware of this and to exercise extreme caution when posting images on social media sites, especially in groups, public or private, where crooks may hang out. Keep your personal stuff for your own, privacy-protected page. And remember, your personal profile photo is usually available to anyone and everyone, so use a low-resolution image.
But the number one thing you can do to safeguard yourself is to use two-factor or multi-factor authentication (2FA and MFA) on every site that allows you to.
We've written about this several times in the past in the context of password security (see How to Easily Enhance Your Password Security, for example). But it also applies to biometrics. Very simply, 2FA involves having to input an additional code or password to verify who you are. That means that someone who has your biometric data still won't be able to access your accounts and devices unless they also know the relevant code.
Other things you can do to reduce the risk of being victimized by the hackers and tricksters include:
- Thinking twice before you provide your biometrics to anyone. Why do they need it? How do they secure it? Note: This is quite different from providing fingerprint or facial images on a mobile device. This data is stored securely on the device, not on a hackable server somewhere else.
- Protecting the sources of biometric data you carry around with you, like passports, driver's licenses, and Green Cards.
- Monitoring all your accounts, credit scores, and records for evidence of unusual activity. Since biometric hacking, just like password stealing, is mainly used for identity theft, at least you'll know sooner and act faster if you regularly check these.
- Using a Dark Web monitoring service to see if your ID information, including email addresses, passwords, and biometrics, has been exposed. Some Internet security software includes this as part of or as an add-on to its services. You can check right now, for free, if your details have been compromised on the Dark Web, using security firm Aura's email scanner. Note that Aura offers a paid monitoring service, but you don't need to sign up for this.
You Can't Change It
Security firms are working flat-out to counter the risks to our biometric data. This includes complex algorithms, artificial intelligence, and other checks for what's called "liveness" - that the person providing the data is alive!
So, expect to see more and more organizations using the technology for security. It's convenient to use and, at least for now, harder to spoof than a password is to guess. But it's not foolproof.
And here's the thing: Unlike passwords, you can't change your biometric data if it gets stolen. If that happens, it could affect you for the rest of your life.
This Week's Alerts
Distressing AI: The grandparent - or person in distress - scam is alive and well thanks to developments in artificial intelligence (AI). Tech site Ars Technica reports that crooks now need only a few seconds of someone's voice to create a perfect imitation. They can even inject some emotion into calls pretending to come from a friend or relative in trouble and in urgent need of money. If you get a distress call, no matter how convincing, check on the true whereabouts of the person involved.
It's Legit (Probably): The US Census Bureau is currently collecting information from 3.5 million households for its American Community Survey (ACS). But the bureau is worried that people - chosen at random - might think it's a scam. It's not, but that may not prevent scammers from picking up on the survey and trying to trick people. If you get a request and feel uncertain, ask your regional census office to confirm. Check out the interactive map of offices to find yours.
Time to conclude for today -- have a great week!