Fingerprint Technology is the Next Privacy Catastrophe

New fallout today from the gift that keeps on giving, the Office of Personnel Management (OPM) hack. The news reports on this have focused on the standard PII elements along with the salacious possibilities associated with the disclosure of information that is collected for security clearance applications.


An angle that has not been widely covered is the initial disclosure that 1.1 million fingerprints were also hacked. Today it is being reported that OPM has increased that number to 5.6 million fingerprints.

The nearly universal response to suggestions that people could be at risk is that the fingerprints are encrypted. Fair point, they are.

According to OPM, “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” The office acknowledged, however, that future technologies could take advantage of this information.

The government also said salt and fat were bad, and healthcare costs would go down.

Coincidentally, the NSA put out an advisory last month on Suite B elliptic curve cryptography that is widely used in the government, and is suitable for general national security use. Unlike Suite A, Suite B is widely used and available as a public standard.

According to the NSA, Suite B cryptography is not capable of withstanding advances in quantum computing.

Until this new suite (to replace Suite B) is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms. For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.

Well, this is reassuring… but let’s get back to the issue of fingerprint biometrics. The problem goes to the very nature of the biometric attribute itself: it is literally something about you, and it is immutable. When someone hacks your fingerprints they have them forever. Forever.

I do have a horse in this race, having recently joined a speech biometrics company. Active speech verification has vulnerabilities, clearly, but it has one advantage over competing biometric technologies. In the event of a data breach that gives hackers the voice model data, an organization can simply force a re-enrollment for the participants and the integrity of the system is maintained. It’s the equivalent of forcing a password reset for your voice.

No system is without some vulnerability, but a system that does not provide for a reset capability is one that I have serious reservations about. With Apple TouchID and the upcoming Android M release with fingerprint support, fingerprint technology is mainstreaming. We are entering a period where fingerprint biometric data volume will explode and become an attractive target for hackers.

We’re building a speech verification and authentication service for developers who want to build speech biometrics into their apps using simple and reliable APIs. Sign up for news and launch updates, as well as early access, at knurld.io.

The Ashley Madison Data Dump

The hack itself is an old story; Ashley Madison was hacked and profile information stolen. What is new is that the group behind the hack, Impact Team, dumped all the data. It has now been made available by many legitimate folks who created searchable online services against the data.

As much as I could enjoy the schadenfreude in this story, I simply cannot. I’m compelled to point out that just because an email is in the database does not mean it is a legitimate account. Email is notoriously weak as a verified identifier, and while many websites have a sign-up flow for email verification, many don’t do anything to purge unverified emails. My thesis is that even unverified emails harvested in the sign-up flow have value for marketing purposes and, therefore, remain in the company’s database.

My email, jnolan@gmail.com, has been used by far too many “jnolans” to count. They often sign up for mundane services like car-buying sites, but also for things that would certainly make my wife ask questions, like BlackPeopleFinder.com and an unrelated service for making arrangements with dominatrixes for a variety of, well, services.

The amount of crap I get from websites I have never visited is simply extraordinary. My oldest son has a gmail address that is first name only and I purge over a thousand emails from his account each month, and he’s only used it a few times for sending schoolwork.

The Impact Team has shrewdly wrapped themselves in a veil of moral righteousness to conceal a criminal act. While they aren’t stoning adulterers in the town square – or beheading them in a stadium – they are stealing personal information and using that in a form of extortion.

I find the entire affair, no pun intended, reprehensible and while AshleyMadison is itself objectionable, they are also a victim (of stupidity first and foremost). Despite complete awareness of the risks to the company and their customers, they did not employ best practices to secure their data. In addition to that, they had a sign-up flow and password recovery process that made it exceptionally easy to determine whether or not an email was in their user database. The flawed password recovery feature allowed for an entirely different line of attack employing social engineering to hijack individual accounts.
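The enumeration problem described above, as an added example that is not part of the original post and has nothing to do with Ashley Madison’s actual code: a password-recovery handler and a sign-up handler that reveal whether an address is in the user table, each beside a version whose visible response is identical for registered and unregistered addresses, plus the regression check a defender would run against every endpoint that accepts an email. The user table, the addresses and the mail outbox are constructed for the example.

```python
"""Added example (not from the post): account enumeration through sign-up
and password-recovery flows, a leaky handler beside a uniform one.
The user store, mail outbox and e-mail addresses are constructed."""
import secrets

# Constructed sample user store: email -> account record.  Not real data.
USERS = {
    "alice@example.com": {"id": 1},
    "bob@example.com": {"id": 2},
}

UNIFORM_RESET_REPLY = {
    "status": 200,
    "message": "If an account exists for that address, a reset link has been sent.",
}
UNIFORM_SIGNUP_REPLY = {
    "status": 200,
    "message": "Check your inbox to continue.",
}


def reset_request_leaky(email, users=USERS):
    """Flawed handler: the response differs for registered and unregistered
    addresses, so anyone can test an address against the user table."""
    if email not in users:
        return {"status": 404, "message": "No account found for that email."}
    return {"status": 200, "message": "Reset link sent."}


def reset_request_uniform(email, users=USERS, outbox=None):
    """Hardened handler: same status and body on both paths.  The only
    observable difference is the mail that reaches the address owner, which
    the caller cannot see.  A token is minted on both paths so the branches
    do roughly the same work and timing does not give the answer away."""
    if outbox is None:
        outbox = []
    token = secrets.token_urlsafe(32)
    if email in users:
        outbox.append({"to": email, "kind": "reset", "token": token})
    return dict(UNIFORM_RESET_REPLY)


def signup_leaky(email, users=USERS):
    """Flawed sign-up: 'already registered' confirms the address exists."""
    if email in users:
        return {"status": 409, "message": "That email is already registered."}
    return {"status": 200, "message": "Account created; check your inbox."}


def signup_uniform(email, users=USERS, pending=None, outbox=None):
    """Hardened sign-up: a registered address gets a 'someone tried to sign
    up with your address' notice, an unknown one gets a verification link
    and a pending record; the HTTP reply is the same either way.  Pending
    records that are never verified should be purged on a timer rather than
    kept as marketing data."""
    if pending is None:
        pending = {}
    if outbox is None:
        outbox = []
    token = secrets.token_urlsafe(32)
    if email in users:
        outbox.append({"to": email, "kind": "existing-account-notice", "token": token})
    else:
        pending[email] = {"verify_token": token}
        outbox.append({"to": email, "kind": "verify", "token": token})
    return dict(UNIFORM_SIGNUP_REPLY)


def leaks_account_existence(handler, known_email, unknown_email):
    """Defender's regression check: a handler leaks existence if any part of
    the visible response differs between a registered and an unregistered
    address.  Run it in CI against every endpoint that takes an address."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    for name, handler in [("reset_request_leaky", reset_request_leaky),
                          ("reset_request_uniform", reset_request_uniform),
                          ("signup_leaky", signup_leaky),
                          ("signup_uniform", signup_uniform)]:
        verdict = "LEAKS" if leaks_account_existence(
            handler, "alice@example.com", "nobody@example.com") else "uniform"
        print(f"{name:24s} {verdict}")
```

The check compares whole responses, so it catches differing status codes as well as differing messages; in a real service the same idea extends to response timing, headers and page length. Sign-up is the harder case, because the service must still tell a genuine new user what to do next; the uniform version solves that by always sending mail and moving the distinction into the inbox, which only the address owner can read.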

I won’t shed any tears if they shut down, which they likely will because recovering now is all but impossible, but I won’t celebrate the fact that a group of hackers brought their demise. To do so would welcome a global online sharia law where only those services that pass a moral test can exist.

PS- yeah, I searched for my email in the database! Who wouldn’t?