Let’s talk about biometrics used for security these days. The U.S. stores them for immigration purposes, sometimes they are used to access secured areas at work, and they are even stored in a database somewhere with Apple and/or Google so we can access our mobile devices. Yes, biometrics are unique to one individual and they are difficult to copy… unless perhaps the information about them is stolen as part of a data breach.
A breach was recently reported, and it affects the Suprema Biostar 2 security platform. The Guardian reported that 27.8 million records on more than 1 million people, including data such as facial recognition information, were accessed by an unauthorized party.
The researchers, Noam Rotem and Ran Locar, along with some from vpnMentor, found that fingerprint data, unencrypted usernames, passwords, facial recognition information, and other data were accessible from a public database. It is not clear whether anyone with malicious intent used it while it was unsecured, but it’s unlikely that information would be easy to discover even if it were the case.
What can be done with this information? Employees who were enrolled in the security system could become victims of identity fraud. The biometric information, which was also found unencrypted, could be used to gain access to secured areas if it were copied. It could also lead to someone resetting the user’s passwords.
And while passwords can be easily changed, biometrics can’t. That’s where a major vulnerability of using biometrics lies.
For some help in this case, users of the Biostar 2 platform should make sure to reset passwords for any and all accounts related to it. Be sure to use strong password formats. None of the “123456” or “football” nonsense should be used. Passwords should not be words, but a combination of letters, numbers, and special characters that is not easy to guess and not easily cracked using brute-force methods.
Unfortunately, there isn’t a lot that can be done about the biometric data. Just be sure to notify management if you find that your ID may have been used for unauthorized access to anything at all. Even if it’s just a hunch, it’s best to report it to make sure.
The Biostar 2 system is used around the world for securing financial institutions, government organizations, and law enforcement agencies, among many others. The security issue with the system has reportedly been fixed by Suprema, so be sure to apply any patches that may have been released. Unfortunately, we don’t know what damage, if any, was done while they were correcting it.