It is frustrating to warn against something, being attacked as a too pessimistic person, and then see the fulfilment of the negative scenario step by step. For example mass application of biometry for personal authentication.
Real security experts have expressed their reservations for a long time. Some of them are talking about incoming security collapse during private discussions. All of them recommend caution. However, their voice cannot beat hundreds of biometry technology providers, most of them supported by PR agencies. Media and conferences are full of optimistic texts. Most of them do not mention any risks, less so ask how to confront them. Time to time, we can see a small remark about the need for unspecified „perfect securing.“
In the meantime, another milestone to forthcoming disastrous was passed. A few days ago, it happened in Taiwan. E-gates with automated fingerprint readers are installed at their airports. Data about all passengers are stored in a central database. It was recently disclosed that China People Army, the most enemy power for Taiwan, can access this database. Nobody knows exactly what data, or perhaps knows and doesn´t tell. The worst alternative, which is not unrealistic, says that all data about all passengers are compromised.
A backup plan should be activated at such moment. If we learn that the enemy knows fingerprints and can copy them, it is time for the following actions:
- Compromised biometry feature is not used anymore.
- Alternative authentication solution is activated immediately.
- Users are informed about the situation, so they stop using fingerprints in other authentication systems such as company entrance.
However, it seems that there is no backup plan in Taiwan. Consequently, an unpleasant question is raised. What other countries, places and systems are also unprepared? Do you think that similar attack cannot happen elsewhere? Are data encrypted? The same was believed in Taiwan. The same was also believed about U.S. government infrastructure, but yet hackers got access to fingerprints of more than 5 million government employees in 2015.
How should the backup plan look? Banking sector can inspire border security in this area. Many years ago, the financial world was getting ready for potential computer failing on 1. 1. 2000. The regulators ordered banks to be prepared to migrate to paper processes, including keeping paper forms, archives and policies.
Most likely it is the right strategy. If there are reliable and well-protected credentials aside from biometry and if these credentials work even without the biometry, there is a secure backup space. In case of attack, user comfort will be impacted but personal identities will be protected onward, as well as organisations against attackers. However, if there are only very simple and vulnerable documents, the next attack against a biometric database can result in real collapse.
Optaglio offers, among others, the following.
- Consulting for building secure ID systems, including production, personalisation and issuing of personal documents.
- The strongest available technology of protection against all kinds of anti-counterfeiting and tampering attacks.
- A focused solution for protection of chips against removal.
- „Document fingerprint“ – a new feature unique to each document. It enables reliable identification and can be transferred over networks instead of sensitive personal and/or biometric data.