Will recent data breaches spur new forms of authentication?

David Ellis, QSA CISSP
The payments industry is always on the lookout for new options to secure payments, both electronically and in person. Proven by recent credential-stealing attackers, passwords aren’t durable, and even though EMV is a great step, it’s no long-term solution.

The use of biometrics, although seemingly futuristic, is an avenue the industry appears to be actively pursuing. A biometric is any way to identify a person via their unique and individual body characteristics, and then compare that data to a pre-established data set in order to prove or disprove an identity match. The use of biometrics (vs. knowledge-based identifiers like passwords) provides a powerful and distinct link between a user and their identity.

Simply put, when compared to today’s authentication methods, biometrics more accurately associates a specific individual to a device or system, and may be considered more secure.

Biometric variants

There are many ways biometrics are implemented in security settings, although some may be more realistic or practical than others. Examples include:
  • Fingerprint scanning: This is the most common biometric option in use today, but it has some weaknesses. If a smartphone is compromised, the attacker could capture the owner’s fingerprint data when they log in using the fingerprint scanner. (Gummy bears have even reportedly been used to fool a fingerprint scanner.)
  • Iris/retina scanning: Iris scanners examine eye features such as color, patterns, and how they’re shaped around the pupil. Retinal scanning looks at the pattern of blood vessels in a retina.
  • Facial imaging: Scanning technology takes a picture and analyzes the distinctive peaks and valleys on an individual’s face. (Facial recognition technology is how Facebook can correctly guess the people in your uploaded pictures.)
  • Vein patterns: Humans have unique blood vessel configurations, and by scanning the back of a hand, often by using infrared light, the unique vascular pattern becomes visible for comparison.
  • Finger/hand geometry: This type of scan analyzes human finger length, and how digits are positioned on the hand.
  • Implants: An RFID implant under the skin, or a swallowed RFID-enabled decomposable pill could act as a temporary biometric identifier.
  • Voice recognition: This method digitalizes the voiceprint of a person, and then compares the user’s voice to that voiceprint.
  • DNA matching: DNA sampling is pretty intrusive (requiring a blood sample, cheek swab, or skin scraping), but it’s one of the oldest methods of biometric identification.
  • Ear recognition: This method measures the tubular structures of the ear canal.
  • Gait recognition: The way you walk can be used to identify you, but it’s one of the least accurate biometric measures. Your gait is affected by your clothes, the walking surface and your emotional state.
  • Odor recognition: Chemical patterns in your unique body odor can identify you 85% of the time, and are apparently unaffected by daily activities. (Let’s hope the body odor capture and analysis is an automated process. Volunteers might be few.)
Obviously, some of these options, such as odor recognition and implants, will probably never be used for payments identification, but it's interesting just knowing they exist.

Biometrics security issues

As James Bond-y as it sounds, biometric identification isn’t without its flaws. Here are a few reasons why using biometric identification in the payments industry should be approached with caution.

Technology isn’t foolproof

Researchers discovered that the iPhone’s first fingerprint reader could be fooled with a fake finger. That issue has since been resolved, but the underlying problem remains: biometric technology isn’t a silver bullet. Wider use of biometrics also means more sophisticated attacks against biometric technology, courtesy of the hacker underworld.

Digital copy security

In order to function, biometric technology must hold a pre-recorded digital template of an individual’s specific biometric. My question is, where is this template stored and how is it secured? If the stored template isn’t protected, attackers could steal it and use it the way they currently use stolen (conventional) administrative credentials. They could also add their own biometric template to the master list of approved persons.

To be fair, cracking biometric technology isn’t an attack against the low-hanging fruit. It requires a heightened level of sophistication that puts it out of reach for most cybercriminals, but it’s not impossible. The most likely scenario where hackers could successfully attack biometric security would be stealing stored credentials.

Biometrics Are Permanent

Similar to Social Security Numbers, once a fingerprint has been supplied as an identifying factor, it can’t simply be reissued (like a compromised credit card) in the event it is compromised or misused.

I like what Ryan Wilk, anti-fraud expert at NuData Security, says about this topic.

“You only have 10 [biometric] passwords - if you’re lucky to have all of your fingers - and you only have 20 passwords, if you count all of your toes. It’s one of the risks of using active biometrics: you run out of options if they start to get breached.”
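A constructed Python sketch, added here and not part of the original post or any product it names, of the two points raised under “Digital copy security” and “Biometrics Are Permanent”: the verifier accepts a capture by similarity to the enrolled template (normalized Hamming distance below a threshold, the way iris-code matching works) rather than by exact equality, and the stored template is XOR-masked with a per-user mask derived from a verifier-side key, so a copied template database yields nothing usable and a leaked enrolment can be reissued under a new mask version. The 32-byte code size, the 0.32 threshold and the key handling are assumptions for illustration, not a production template-protection scheme.

```python
import hashlib
import hmac

TEMPLATE_BYTES = 32      # toy size; real iris codes are around 2048 bits
MATCH_THRESHOLD = 0.32   # accept if fewer than 32% of bits differ (assumed cut-off)


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions where two equal-length codes differ."""
    assert len(a) == len(b)
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") / (8 * len(a))


def derive_mask(server_key: bytes, user_id: str, version: int) -> bytes:
    """Per-user, per-version mask; bumping the version reissues the template."""
    return hmac.new(server_key, f"{user_id}:{version}".encode(), hashlib.sha256).digest()


def xor_mask(code: bytes, mask: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(code, mask))


class BiometricVerifier:
    def __init__(self, server_key: bytes):
        self._key = server_key   # would live in an HSM or secure element, never beside the store
        self._store = {}         # user_id -> (version, masked template)

    def enroll(self, user_id: str, code: bytes, version: int = 1) -> None:
        assert len(code) == TEMPLATE_BYTES
        mask = derive_mask(self._key, user_id, version)
        self._store[user_id] = (version, xor_mask(code, mask))

    def verify(self, user_id: str, probe: bytes) -> bool:
        version, stored = self._store[user_id]
        masked_probe = xor_mask(probe, derive_mask(self._key, user_id, version))
        # XOR with the same mask preserves Hamming distance, so the match is
        # computed without ever reconstructing the raw template.
        return hamming_fraction(masked_probe, stored) < MATCH_THRESHOLD

    def dump(self) -> dict:
        """What a theft of the template database would yield."""
        return dict(self._store)


def flip_bits(code: bytes, positions) -> bytes:
    """Simulate sensor noise between two captures by flipping chosen bits."""
    n = int.from_bytes(code, "big")
    for p in positions:
        n ^= 1 << p
    return n.to_bytes(len(code), "big")
```

A stolen masked template fails verification when replayed as a probe, because unmasking it leaves the raw code sitting a random mask’s weight (about half the bits) away from what is stored.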

Today’s realistic biometric payments solutions

Applied Digital Solutions tried to get Americans to embrace chip implants in 2003. A bit ahead of their time, but it’s obvious the biometric trend will continue into the future. What other futuristic biometric uses does the future hold for the payments industry?
  • PayTango: Identifies payees by their index and middle finger. No credit card required.
  • Zwipe: Plastic credit card embedded with a fingerprint reader for NFC authentication.
  • Paypal: Plans for heartbeat recognition, wearable tattoos, and glucose level detectors as unique identifiers.
  • Samsung Iris on the Move: Iris recognition technology exclusively for the Samsung Galaxy.
  • Biyo: Combines palm vein data with data from three fingerprints.
  • Quixter: Reads palm vein patterns and finalizes authentication with the last four digits of a phone number.
  • Alipay Smile Pay: Analyzes selfies through facial recognition technology.

How to effectively use biometrics

Most security professionals agree the authentication technology currently used to identify individuals must undergo an overhaul to keep up with cybercriminals. Knowledge-based authentication, such as passwords, passphrases, and the like, is subject to sophisticated password-cracking utilities that are adept at breaking even reasonably complex passwords. Additionally, passwords and passphrases as security measures are only as reliable as the technology that protects them. The use of biometrics could add an effective layer of security on top of outdated knowledge-based authenticators.

As Alan Woodward, cybersecurity advisor to Europol, said,

“Just having the biometric per se is not good enough. They have to show that they’re actively attached to a human being who’s alive.”

I agree with Alan. Biometrics shouldn’t be used in place of passwords, but as an additional layer of a multi-factor authentication-based security strategy.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.