Biometric data is playing an increasingly strategic role in end-user authentication, and banking regulators in the UK are concerned about just how secure it might be in light of a recent report by Kaspersky Lab.
In an investigation into underground cybercrime, Kaspersky found at least 12 sellers offering ATM skimmers capable of stealing fingerprints. Furthermore, Kaspersky identified three underground sellers researching devices that could obtain data from palm vein and iris recognition systems.
The report drew the attention of the UK's Treasury Select Committee, which oversees treasury, revenue and customs, and the Bank of England.
The committee's chief, Andrew Tyrie, is asking banking regulators to look into the consequences of stolen biometric data. In a letter to industry and government, he said, "Banks and regulators will need to plan for what they will do if biometric details are lost and/or illegally obtained by third parties." He asked regulators if they shared his concerns, and he went on to say plans would need to be developed to deal with customers who may be victims of biometric hacks.
The main concern with biometric identifiers is that, unlike a stolen password, they cannot be revoked and replaced with a new identifier.
The concern is real in the US where 5.6 million fingerprint records were stolen during the breach of the United States Office of Personnel Management in the summer of 2015. US agencies created a working group to see how cyber attackers could use fingerprint data. This group includes the FBI, Department of Homeland Security, Department of Defense, and other members of the intelligence community.
"The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," Olga Kochetova, security expert at Kaspersky Lab, said in a release surrounding the Kaspersky investigation. "Thus, if your data is compromised once, it won't be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way."
Kaspersky Lab also reported discussions in underground communities regarding development of mobile applications that rely on placing masks over a human face. With such an app, attackers can take a person's photo posted on social media and use it to fool a facial recognition system, the report said.