A Kaspersky Lab report indicates that biometric data used as a replacement for a password or PIN at an ATM is already in the process of being hacked by cybercriminals, and that the potential downside of a person having their biometrics stolen is much more severe than losing a username or password.
The first test running biometric scanners on ATMs started about a year ago, but Kaspersky has found 12 sellers on the Dark Web offering devices allegedly capable of stealing fingerprints. In addition, the research has located evidence that three other groups or individuals are working on a way to steal data from palm print and iris recognition systems.
“The problem with biometrics is that unlike passwords or PIN codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image,” Olga Kochetova, security expert at Kaspersky Lab, told SCMagazine.com in an email. “Thus, if your data is compromised once, it won't be safe to use that authentication method again.”
Kochetova went on to describe the potential loss of biometric data as a type of threat the cybersecurity industry has not yet experienced.
However, the potential problems posed by depending upon biometrics for security are not stopping other industries from implementing this technology.
A collaboration between Intel, Lenovo, PayPal and Synaptics is attempting to accelerate biometric adoption through the use of the FIDO (Fast IDentity Online) Alliance standard. FIDO's mission is to develop technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
Lenovo announced on 23 September that it will begin including FIDO biometric authentication in its laptops, enabling customers to use a finger swipe to authorise payments with FIDO-supported services like PayPal. The first such equipped product will be Lenovo's Yoga 910 convertible.
These computers will combine Intel's 7th generation processors, known as Kaby Lake, and the company's Software Guard Extensions with Synaptics' Natural ID fingerprint sensor, which includes TLS 1.2 encryption, and that firm's Natural ID Fingerprint Solution software.