The benefits of integrating biometric data into your security program are clear. First, passwords can be difficult to remember, especially when a user must maintain multiple passwords for a growing number of digital accounts. But it's hard for most users to forget their fingerprints or voice. There are distinct security and usability advantages to using something that is part of the user, rather than something they have to recall from memory.
But that doesn't mean that all biometric authentication measures are totally secure. In fact, many biometric technologies are easier to hack than you think. Do you think your irises, fingerprints, face and voice are unique and impossible to forge? Think again. Here are five examples to raise your paranoia level.
After increasing your concern level, I will discuss how behavioral analytics, including looking at things such as keystroke dynamics, can help alleviate those concerns. But first, here's how some creative hackers have elevated their game to overcome traditional biometric techniques:
Hackers have used graphite powder, etching equipment and wood glue to create fingerprint replicas good enough to fool scanners. Normally this requires physical access to something the target has touched, but a photograph of the print may be enough: Tsutomu Matsumoto, a researcher at Yokohama National University, created a graphite mold from a picture of a latent fingerprint on a wine glass [1]. The resulting fake fooled scanners 80 percent of the time.
The Chaos Computer Club [2], a hacking collective based in Berlin, deceived iris-scanning technology using a dummy eye created from a photo print. A high-resolution image of an iris was combined with a contact lens to simulate the curvature of the eye. In other words, a good-quality profile picture on a site such as Twitter may be all an attacker needs to defeat an iris scanner.
Researchers from the University of North Carolina created a system that builds digital models of people's faces from photos posted on Facebook [3]. The models are rendered in 3D and displayed using VR technology that simulates the motion and depth cues that facial recognition systems look for. The animation was convincing enough to bypass four of the five systems tested.
Criminals have been known to cold call targets and record voice samples from the call for later use. Those samples can be fed into a voice synthesizer to generate phrases the victim never actually said, or the caller can simply steer the conversation so that the victim speaks the exact security phrases that would unlock their accounts.
Even though DNA analysis is not widely used as a security measure, it's interesting to know that it could potentially be used for nefarious purposes. Scientists at the University of Washington encoded malware into a genetic molecule [4] that, once sequenced, was used to take control of the computer analyzing it. While we are perhaps a long way off from DNA hacking becoming commonplace, it is a stark reminder that attackers are always coming up with new techniques.
The fact that many of these biometric technologies can be hacked is troubling, especially because, while you can reset a password or a PIN code, you cannot reset your fingerprints or irises. Once a usable copy of a biometric trait is in an attacker's possession, there is always a risk it could be used to compromise personal or professional accounts.
One way to mitigate such attacks is to add behavioral biometrics, such as gait recognition, keystroke dynamics or mouse movement analysis. Each user has an idiosyncratic pattern of behavior, even when performing identical actions such as typing or moving a mouse, and the analytics built into some next-generation security products (One Identity's, for example) can model these behavioral characteristics.
An attacker looking for sensitive data usually behaves differently in the IT system than the legitimate user does: the attacker connects from a different geolocation, types at a different speed, moves the mouse differently, executes unusual commands, and so on. One Identity Safeguard detects when a session's behavior deviates from the user's established profile, raises an instant alert for the security team, and helps them investigate the incident with in-depth forensic data, video-like session playback and analytical dashboards.
Keystroke dynamics and mouse movement analysis help identify breaches and serve as continuous biometric authentication. These behaviors can be monitored and verified throughout a session without disturbing users, unlike physiological biometrics, which require an intrusive one-off check at login.
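As an added illustration of the keystroke-dynamics idea described above (this is example code written for this article, not One Identity's product code or anything from the original post), the Python below enrols a user from several typing sessions, builds a per-key dwell-time and per-digraph flight-time baseline, and then scores later sessions as mean absolute z-score against that baseline. The `Keystroke` type, the function names, the threshold and floor constants, and the "legitimate user" and "impostor" timing parameters are all assumptions chosen for illustration; the sample sessions are synthetically generated, not captured data.

```python
"""Keystroke-dynamics enrolment and session scoring (added example, not the post's own code)."""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Keystroke:
    """One key event as a keydown/keyup hook would record it (times in ms)."""
    key: str
    down_ms: float
    up_ms: float


def extract_features(events):
    """Per-session timing features: dwell (hold time) keyed by key name and
    flight (release-to-next-press latency) keyed by digraph, so a profile built
    on one text can score any later text that shares keys."""
    dwell, flight = defaultdict(list), defaultdict(list)
    for prev, cur in zip(events, events[1:]):
        dwell[prev.key].append(prev.up_ms - prev.down_ms)
        flight[(prev.key, cur.key)].append(cur.down_ms - prev.up_ms)
    if events:
        dwell[events[-1].key].append(events[-1].up_ms - events[-1].down_ms)
    return dwell, flight


def _mean_std(values):
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / (n - 1) if n > 1 else 0.0
    return mean, math.sqrt(var)


def build_profile(sessions, min_samples=5):
    """Enrol a user: pool features over all enrolment sessions, keep mean/std
    only for features with enough samples to form a stable baseline."""
    pooled = {"dwell": defaultdict(list), "flight": defaultdict(list)}
    for events in sessions:
        for name, feats in zip(("dwell", "flight"), extract_features(events)):
            for k, v in feats.items():
                pooled[name][k].extend(v)
    return {name: {k: _mean_std(v) for k, v in feats.items() if len(v) >= min_samples}
            for name, feats in pooled.items()}


STD_FLOOR_MS = 5.0     # assumption: never trust a baseline tighter than 5 ms
ALERT_THRESHOLD = 3.0  # assumption: mean |z| above this raises an alert
MIN_FEATURES = 6       # assumption: fewer overlapping features -> no verdict


def score_session(profile, events):
    """Mean |z-score| of the session's timings against the baseline. Keys and
    digraphs the baseline never saw are skipped; too little overlap means the
    system has not yet seen enough of this session to decide."""
    zs = []
    for name, feats in zip(("dwell", "flight"), extract_features(events)):
        for k, values in feats.items():
            if k in profile[name]:
                mean, std = profile[name][k]
                zs.extend(abs(v - mean) / max(std, STD_FLOOR_MS) for v in values)
    if len(zs) < MIN_FEATURES:
        return {"score": None, "features": len(zs), "verdict": "undecided"}
    score = sum(zs) / len(zs)
    return {"score": round(score, 2), "features": len(zs),
            "verdict": "alert" if score > ALERT_THRESHOLD else "ok"}


def synth_session(text, dwell_mu, dwell_sd, flight_mu, flight_sd, rng):
    """Constructed sample data: simulate typing `text` with Gaussian timings."""
    events, t = [], 0.0
    for ch in text:
        up = t + max(20.0, rng.gauss(dwell_mu, dwell_sd))
        events.append(Keystroke(ch, t, up))
        t = up + max(20.0, rng.gauss(flight_mu, flight_sd))
    return events


PHRASE = "password1"
_rng = random.Random(1234)
# Legitimate user: quick, consistent typist (constructed parameters).
ENROL = [synth_session(PHRASE, 85, 8, 110, 15, _rng) for _ in range(10)]
PROFILE = build_profile(ENROL)
LEGIT_SESSION = synth_session(PHRASE, 85, 8, 110, 15, _rng)
# Attacker who knows the password but types it with a slower, different rhythm.
IMPOSTOR_SESSION = synth_session(PHRASE, 150, 10, 280, 30, _rng)
# Text that shares no keys with the baseline: nothing to compare yet.
UNSEEN_SESSION = synth_session("xyz", 85, 8, 110, 15, _rng)

if __name__ == "__main__":
    for label, s in (("legit", LEGIT_SESSION), ("impostor", IMPOSTOR_SESSION),
                     ("unseen text", UNSEEN_SESSION)):
        print(f"{label:12s} {score_session(PROFILE, s)}")
```

Two design points matter in practice. The standard-deviation floor stops a baseline built from a handful of unusually consistent samples from flagging every later session, and the "undecided" verdict is what makes this continuous rather than one-off: early in a session the overlap with the profile is small, and the system should keep collecting evidence instead of alerting on a few keystrokes. A real deployment would also fold in the other signals mentioned above (geolocation, mouse movement, command history) and tune the threshold against a measured false-positive rate rather than the fixed value used here.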
Whichever biometric technology is used, it is crucial that it forms part of a multi-factor authentication infrastructure. Combining several verification measures gives the best chance of stopping attackers from gaining access to sensitive information, since a forged fingerprint or iris on its own is then not enough.
For more information about the pros and cons of various biometrics technologies, download our free whitepaper.
KuppingerCole Executive Review