How Safe are Fingerprint and Facial Recognition Sign-ons?

Will fingerprints and other biometrics replace passwords?: Internet Scambusters #866

Is security that’s based on your fingerprint or your facial features safer than using a password?

Yes and no, say the experts.

They likely won’t make it tougher to steal your sign-on and other personal data, but it’ll be harder for crooks to use what they get on a large scale, as we explain in this week’s issue.

Let’s get started…

How Safe are Fingerprint and Facial Recognition Sign-ons?

How reliable is reading your fingerprints or facial features when it comes to computer security?

We’ve written many times about the insecurity of easy-to-guess passwords and the challenges of creating and remembering multiple, more complex words. Don’t you just hate them?

Computer security experts are now predicting the demise of letter/number/symbols combos as the first line of defense against hackers and other criminals.

Instead, we’re increasingly seeing the use of facial recognition and fingerprint reading technology – biometrics as it’s called — especially on laptops, phones and tablets, as well as some cash dispensers.

And in May this year, Microsoft’s head of security technology, Yogesh Mehta, told Forbes magazine: “The 800 million people who use Windows 10 (are) one step closer to a world without passwords.”

He was referring to the fact that the last version of Windows 10, which is being rolled out at the moment, is fully equipped to use compatible camera technology to use its Windows Hello recognition technology.

An organization called the Fast Identity Online Alliance (FIDO) has been established to set security standards for what its chief marketing officer Andrew Shikiar refers to as its “mission to move beyond the world of passwords.”

Despite all of this and the undoubted convenience of biometric identification, there are still worries about the effectiveness of this technology in protecting our security.

As long as five years ago, a group of hackers known as the Chaos Computer Club said they had captured and replicated the thumbprint of a leading German politician just by using a regular photograph.

Police forensics also demonstrate every day that it’s relatively easy to capture fingerprints off items a person has touched.

Expert’s View

British cybersecurity expert Alan Woodward told the BBC: “Biometrics that rely on static information like face recognition or fingerprints — it’s not trivial to forge them but most people have accepted that they are not a great form of security because they can be faked.”

He told the broadcaster that experts were now looking at more advanced biometrics like vein and iris recognition or the way a person moves (“gait”). Hitachi apparently has already developed a device that detects the unique pattern of veins inside a person’s finger.

Even before all of this – in 2012 – security researchers warned that flaws in some software that manages biometric identification could be flawed and open to hackers.

However, that may not be the point of this trend. One of the key aspects of biometric security is that the technology that records you fingerprint, face, veins or whatever, stores that information in complex cryptographic code.

This can be distributed across multiple locations – for example, partly on a user’s PC and partly on a corporate server.

That is to say, it might not be impossible to copy someone’s fingerprint or facial features but crooks who steal identity information in bulk by breaking into commercial databases may find it tougher to use the data they steal.

Posing the question “Are biometrics safe?” leading security firm Symantec, aka Norton, points out that the more we use this technology, the more copies of our data there will be on various commercial systems. And, as we already know, some firms take better care to protect their data than others.

And, as the firm points out, while it’s easy to change a compromised password, you can’t change your fingerprint!

What this seems to mean is that, despite Microsoft’s hope, total reliance on this technology could be some way off.

Ultimately, as another security firm, Verdium, recently commented: “No security system is entirely spoof-proof, including biometric ones.

“However, the difficulty in acquiring and using biometric data can make it so hard and time-consuming to break into that hackers will decide it’s not worth all the effort it takes.”

Let’s hope so. In the meanwhile, it’s possible that two-factor authentication, which we wrote about a while ago (see How to Easily Enhance Your Password Security), could be paired with biometrics.

This would mean that, after identifying your fingerprint or whatever, a device would then need you to input a complementary piece of information to confirm you are who you say you are.

To us, that sounds an awful lot like a password!

Alert of the Week

Most of us have an Amazon account and most of us are used to getting emails from the online retailing giant.

Put those two elements together and you have a very appealing structure for a scam.

In this case, we’re talking about an email pretending to be from the “Amazon Fraud Department” saying your account has been hacked and someone used it to spend $1,000.

The message provides a phone number and requests access to your computer to check for other fraudulent activity.

You know what happens next. If you give them access, they’ll plant malware on your PC and steal your confidential information.

Amazon never asks for access to your computer and nor should you allow it to anyone, unless you initiated a request for help from a verified technician.

Time to close today, but we’ll be back next week with another issue. See you then!