New fallout today from the gift that keeps on giving, the Office of Personnel Management (OPM) hack. The news reports on this have focused on the standard PII elements along with the salacious possibilities associated with the disclosure of information that is collected for security clearance applications.
An angle that has not been widely covered is the initial disclosure that 1.1 million fingerprints were also hacked. Today it is being reported that OPM has increased that number to 5.6 million fingerprints.
The nearly universal response to suggestions that people could be at risk is that the fingerprints are encrypted. Fair point, they are.
According to OPM, “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” The office acknowledged, however, that future technologies could take advantage of this information.
The government also said salt and fat were bad, and healthcare costs would go down.
Coincidentally, the NSA put out an advisory last month on Suite B elliptic curve cryptography that is widely used in the government, and is suitable for general national security use. Unlike Suite A, Suite B is widely used and available as a public standard.
According to the NSA, Suite B cryptography is not capable of withstanding advances in quantum computing.
“Until this new suite (to replace Suite B) is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms. For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.”
Well, this is reassuring… but let’s get back to the issue of fingerprint biometrics. The problem goes to the very nature of the biometric attribute itself: it is literally something about you, and it is immutable. When someone hacks your fingerprints they have them forever. Forever.
I do have a horse in this race, having recently joined a speech biometrics company. Active speech verification has vulnerabilities, clearly, but it has one advantage over competing biometric technologies. In the event of a data breach that gives hackers the voice model data, an organization can simply force a re-enrollment for the participants and the integrity of the system is maintained. It’s the equivalent of forcing a password reset for your voice.
No system is without some vulnerability, but a system that does not provide for a reset capability is one that I have serious reservations about. With Apple TouchID and the upcoming Android M release with fingerprint support, fingerprint technology is mainstreaming. We are entering a period where fingerprint biometric data volume will explode and become an attractive target for hackers.
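The “password reset for your voice” argument above comes down to one design property: whether a stored biometric reference can be revoked and replaced with something the attacker’s copy no longer matches. The toy below, added here as an illustration and not code from the post’s author or from any speech biometrics product, makes that property concrete. It stands in for both biometrics with plain byte strings: a fingerprint template is modelled as a deterministic hash of the finger features (so re-enrolling produces the identical template), while a voice model is bound to a random per-enrollment generation key (so forcing re-enrollment mints a model the stolen copy cannot reproduce). The exact-match verification, the `VoiceEnrollmentStore` class and the `breach_drill` walkthrough are all constructed for this example; real engines match with a tolerance and store far richer models.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for extracted biometric features (not real data).
ALICE_FINGER = b"alice-finger-minutiae"
ALICE_VOICE = b"alice-voice-features"


def fingerprint_template(sample: bytes) -> bytes:
    """A fingerprint template is a deterministic function of the finger.

    Re-enrolling the same finger yields the same template, so a copy stolen
    in a breach stays valid for as long as the finger does: there is nothing
    to rotate.
    """
    return hashlib.sha256(b"fingerprint|" + sample).digest()


class VoiceEnrollmentStore:
    """Enrollment registry whose voice models are bound to a per-enrollment
    generation key (hypothetical design, modelled after the post's
    re-enrollment argument).

    Forcing re-enrollment discards the current model; the next enrollment
    draws a fresh generation key, so any model leaked under the old one no
    longer matches anything the store will accept.
    """

    def __init__(self) -> None:
        # user -> (generation key, model)
        self._models: dict[str, tuple[bytes, bytes]] = {}

    def enroll(self, user: str, sample: bytes) -> bytes:
        generation = secrets.token_bytes(16)
        model = hmac.new(generation, sample, hashlib.sha256).digest()
        self._models[user] = (generation, model)
        return model

    def verify(self, user: str, sample: bytes) -> bool:
        entry = self._models.get(user)
        if entry is None:
            return False  # revoked or never enrolled: must re-enroll
        generation, model = entry
        candidate = hmac.new(generation, sample, hashlib.sha256).digest()
        return hmac.compare_digest(candidate, model)

    def force_reenrollment(self, user: str) -> None:
        # Breach response: drop the compromised model; the user enrolls again.
        self._models.pop(user, None)

    def accepts_model(self, user: str, model: bytes) -> bool:
        """Does a (possibly stolen) model match what the store holds now?"""
        entry = self._models.get(user)
        return entry is not None and hmac.compare_digest(entry[1], model)


def breach_drill() -> tuple[bool, bool]:
    """Simulate a breach of both stores and a forced re-enrollment.

    Returns (stolen_fingerprint_still_valid, stolen_voice_model_still_valid).
    """
    # Attacker obtains the stored references.
    stolen_fp = fingerprint_template(ALICE_FINGER)
    store = VoiceEnrollmentStore()
    stolen_voice = store.enroll("alice", ALICE_VOICE)

    # Incident response: both users are "re-enrolled".
    reenrolled_fp = fingerprint_template(ALICE_FINGER)  # same finger, same template
    store.force_reenrollment("alice")
    store.enroll("alice", ALICE_VOICE)  # new generation key, new model

    fp_still_valid = hmac.compare_digest(stolen_fp, reenrolled_fp)
    voice_still_valid = store.accepts_model("alice", stolen_voice)
    return fp_still_valid, voice_still_valid


if __name__ == "__main__":
    print("stolen fingerprint still valid, stolen voice model still valid:",
          breach_drill())  # (True, False)
```

The drill is the whole point: after re-enrollment the stolen fingerprint template is still a perfect match, while the stolen voice model is rejected because the generation key it was bound to no longer exists. In a real deployment the generation key would itself have to be protected (or the model stored in a form that cannot be replayed), otherwise the breach that leaks the model leaks the key alongside it.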
We’re building a speech verification and authentication service for developers who want to build speech biometrics into their apps using simple and reliable APIs. Sign up for news and launch updates, as well as early access, at knurld.io.