Using your body as your password
Your face, your voice, your veins and your eyeballs may not make your accounts more secure, as some claim
That pesky snooze alarm, going off again. To turn it off—and wake up—you have to hold your phone to your face and mimic the emotion you see listed on the screen. Your face—smiling, angry, sad—will turn off the alarm for good.
Your face is now a key, unlocking your bank account, buying a sweater online, getting access to your files. Facial recognition and other forms of biometric identification are booming, a multimillion dollar business expected to double in the next three years, according to TrendForce.
But there is a risk to using your face, voice, eyes, and hands as your password.
Once it is stolen, if it is stolen, can you get yourself back?
Better than a password?
Passwords can be hacked, and may be hard to remember.
The founder of Alibaba reminded his audience of that when he demonstrated Alipay’s selfie payment plan, where you hold up your phone and snap your own picture to buy something online.
“Online payments are always a big headache. You forget your password…you worry about security,” said Alibaba’s Jack Ma, according to CNBC.
You might be able to buy more, without the hiccup of scrambling for your password, but are you more secure with a biometric payment or biometric ID?
Some say yes.
“Face is much, much more secure than just user name and password,” Rick Swenson of USAA said in American Banker.
USAA allows its customers to log on to their mobile banking app with a “selfie,” where you hold up your phone and blink at the specified time. It also offers voice recognition access to your account.
“If I’m at a Spurs game, and I take out my mobile phone and try to use voice recognition, it’s not going to work because I have 100 people around me screaming and yelling at the same time,” Swenson said in American Banker. “What will work at a Spurs game is my face.”
Stealing your face
Using your body parts for passwords is risky, say cybersecurity experts.
“I’m not a fan of biometrics for authentication,” said Monta Elkins with FoxGuard Solutions.
“An important principle of authentication, or ‘passwords,’ is that they are easy to change when they become compromised,” he told Archer News. “That’s one reason the Social Security numbers make such bad passwords to access your records, money, etc. They are hard to change if someone else discovers them. Now try changing your fingerprint or iris pattern.”
The bad guys are already trying to steal your identity. Biometrics could take it even further, said Brandon Dunlap with Black and Veatch.
“How long until they spoof that?” asked Dunlap. “So, now they’re not spoofing your identity. They’re actually spoofing YOU.”
“Cannot be hacked”
Salespeople for biometric technology may tell you that there is no need to worry.
“Many people fear that biometrics can be compromised, too. Once gone, they are lost forever, but this is simply not true,” said Steve Cook in Biometric Update last week. Cook is a sales director for Daon, the company that developed the biometric technology with USAA.
“Biometric data, if encrypted properly, cannot be hacked. It is just useless data to any fraudster!” he continued.
And yet, biometric data has already been hacked, more than once.
In one case, two researchers with FireEye said that they found a way to “remotely harvest fingerprints in a large scale” last year, according to ZDNet.
They said some phone companies did not fully protect the device’s fingerprint sensor.
“In this attack, victims’ fingerprint data directly fall into attacker’s hand,” researcher Yulong Zhang told ZDNet. “For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things.”
A new target
Biometrics will become a target for fraud in 2016, IBM Security has predicted.
Part of the problem—storing the information about your body.
“Until now that information has been on our face or on our thumb,” said Dunlap. “Now, it’s on a database. Now, we’re trusting somebody else with that data.”
More than five million people trusted the U.S. Office of Personnel Management with their fingerprints for background checks and security clearance, but the database was raided last year.
Apps using biometrics may present similar issues.
“All these systems rely on some sort of backend trust broker to do the authentication. So the system is only as secure as the app owner’s ability to secure the backend,” cyber intelligence analyst Ron Fabela said to Archer News.
In other words, the old ghosts that haunted passwords can also haunt biometrics.
“While it is tempting to believe that biometric authentication is inherently more impenetrable than legacy password systems, the assumption only holds true if the new systems are actually implemented in a more secure fashion,” wrote Marc Goodman, in his book Future Crimes: Everything is connected, Everyone is Vulnerable and What We Can Do About It, as excerpted in Slate.
“Otherwise,” Goodman said, “It’s just old wine in a new bottle.”
Some companies are using biometrics as part of a two-factor ID system, where you have to have more than just your face or voice to get in to your account.
USAA uses device identification as well as face or voice recognition, according to American Banker. When one of its customers tries to access an account, the customer’s phone sends an encrypted token to the company.
“So for a fraudster to successfully impersonate a member with a photo or video (or trying to mimic their voice), they would also have to steal the member’s mobile device,” American Banker reported.
Daon’s Cook said some security features are using “liveness” functionality as well, where you have to do face or eye movements in real time, or say random numbers or phrases, in addition to the device detection token.
“Fraudsters can’t be bothered to take on these challenges if it is too much hassle and will likely go for more easy targets such as using sites with your user name and passwords,” Cook said.
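The combination described above, a device-bound token plus a "say these random numbers" liveness challenge, can be modelled in a few dozen lines. The following is an added illustration, not code from USAA, Daon or any other company named here. It assumes the phone holds a secret registered at enrollment, the server issues a random challenge id together with a six-digit code the user must speak, the phone answers with an HMAC over the challenge id, and the biometric match itself is a boolean supplied by the caller. A pre-recorded blink video of the kind Dan Moren used cannot contain digits chosen after it was made, and a recording plus stolen digits still fails without the device secret.

```python
"""Device-bound token plus a fresh liveness challenge (added illustration)."""
import hashlib
import hmac
import secrets
import time


class AuthServer:
    def __init__(self, challenge_ttl_s=60):
        self.device_keys = {}   # user -> device secret registered at enrollment (assumed)
        self.pending = {}       # challenge_id -> (user, spoken digits, issued_at)
        self.used = set()       # challenge ids that already completed a login
        self.ttl = challenge_ttl_s

    def enroll_device(self, user, device_secret):
        self.device_keys[user] = device_secret

    def issue_challenge(self, user, now=None):
        """Fresh challenge id for the device, plus digits the user must speak on camera."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(16)
        digits = "".join(str(secrets.randbelow(10)) for _ in range(6))
        self.pending[challenge_id] = (user, digits, now)
        return challenge_id, digits

    def verify(self, user, challenge_id, spoken_digits, device_mac, biometric_match, now=None):
        """Return (accepted, reason). Every check must pass; the order only decides the reason."""
        now = time.time() if now is None else now
        if challenge_id in self.used:
            return False, "replayed challenge"
        entry = self.pending.get(challenge_id)
        if entry is None or entry[0] != user:
            return False, "unknown challenge"
        _, expected_digits, issued_at = entry
        if now - issued_at > self.ttl:
            self.pending.pop(challenge_id)
            return False, "challenge expired"
        # Liveness: a recording made earlier cannot contain digits chosen just now.
        if not hmac.compare_digest(spoken_digits.encode(), expected_digits.encode()):
            return False, "liveness check failed"
        # Device binding: only a device holding the enrolled secret can produce this MAC.
        expected_mac = hmac.new(self.device_keys[user], challenge_id.encode(),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, device_mac):
            return False, "device token invalid"
        if not biometric_match:
            return False, "biometric mismatch"
        self.used.add(challenge_id)
        self.pending.pop(challenge_id)
        return True, "ok"


def device_respond(device_secret, challenge_id):
    """What the enrolled phone computes and sends back with the selfie or voice sample."""
    return hmac.new(device_secret, challenge_id.encode(), hashlib.sha256).hexdigest()
```

The server keeps a record of completed challenge ids so that a captured response cannot be submitted twice, and compares digits and MACs with constant-time comparisons; the challenge lifetime is short because the spoken digits are only useful as a liveness signal while they are fresh.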
Can’t be bothered?
Hackers have already started looking at biometrics, experts say.
“It’s a fun challenge, for sure, and one that is already being taken on,” said Fabela.
Technology writer Dan Moren described his low-tech face hack in Popular Science. He shot a video of himself, blinking, and held it up to the screen. He said his bank app let him in.
“Perhaps using facial recognition for security or buying things on the Internet isn’t the best plan. After all, your face is the one part of you that’s most easy to find,” he wrote.
“…Don’t rely on something that’s quite so public,” he added. “A nice, strong password is harder to crack, and it has the benefit of being changeable if it does get compromised–unlike your face.”
Citi is considering using iris-scanning ATMs, DropBox is using iris recognition, ZTE is working on scanning veins in the whites of your eyes, MasterCard is looking at heartbeat identification, and MedicFP is using Fujitsu technology to scan the veins in your palm, reports say.
Researchers have already made progress in hacking at least some of those body parts.
A researcher was able to bypass iris recognition with pictures from the Internet, Forbes reported.
Jan Krissler found large, high-resolution images online, printed them out, and was able to bypass biometric authentication, according to the report.
Voice recognition is at risk, too, said IBM Security, because attackers can steal your voice print.
“To guard its authenticity, security researchers and developers will have to consider mobile malware that can intercept calls, record voices and exfiltrate voice samples to an attacker,” IBM Security said. “The possibility that voice patterns can be stolen means that we cannot trust voice biometrics as the sole authenticator of the genuine customer.”
Millennials want biometrics, according to some companies.
In a survey of 1,000 millennials by Mitek, more than 60% prefer fingerprints for mobile devices, and almost one third would accept facial recognition technology, reported American Banker.
“People, and millennials in particular, are tired of passwords and PINs and desirous of high-level security,” Mitek CEO James DeBello said in the article. “When it comes to things like taking a selfie to authenticate yourself, and incorporating optics in other ways, millennials expect that. They are demanding it.”
For some companies, it can mean making or saving money.
The Indian mobile wallet company Paytm said it is looking at selfie payments to increase security and stop fraud, reported the India Times.
Fraud has been rising, and the India-based digital payment company TranServ said mobile wallet fraud hit more than 3% of value in the fall, more than 15 times the level of commerce, according to the India Times.
Some companies want biometrics to speed up transactions, Fabela said.
“Visa and Mastercard are not pushing touchless pay systems because of the security features, but because it reduces the time to pay by X milliseconds and therefore decreases the duration of a transaction,” he said.
Demanding better security
There are better ways to authenticate, some experts say, without putting your body into the ether.
Fabela likes some of the options offered by companies like Blizzard and Google, where they may send you a code on your phone that you must also enter to access your account. For some accounts, you can also get a physical fob for your key chain that will allow you to get in, along with your traditional password.
Dunlap likes authentication that looks at factors like the devices you use and your physical location. For example, if you buy groceries in Portland, Oregon at 6:00 pm, could you then buy gas in Barbados at 7:00 pm?
“Combine traditional authentication with IP geo-addressing and machine type, so that the attacker would have to have one of three or four machines you log into most frequently, and it needs to be within a certain time window, and at the geographic reach needs to be in a time frame where you can actually get there,” he said.
“Then you actually have a strong authentication model that does not put your bio data at risk and does not jeopardize your true identity,” he said.
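The model Dunlap describes, a login accepted only from one of the user’s most frequent devices and from a place the user could actually have reached since the last login, is the kind of check a fraud or identity team can write without storing any biometric data. The following is an added illustration, not code from any company named in this article. It assumes each login record carries a device id and a coarse latitude/longitude from IP geolocation, that the top three devices count as “known” (Dunlap’s “three or four”), and that nothing moves a legitimate user faster than a commercial jet; the 900 km/h threshold and the login history are constructed for the example, and the Portland-to-Barbados case is the one in the text.

```python
"""Risk-based login check: known device plus travel plausibility (added illustration)."""
from collections import Counter
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_KMH = 900.0        # constructed threshold: faster than a commercial jet is implausible
TOP_N_DEVICES = 3      # "one of three or four machines you log into most frequently"


@dataclass(frozen=True)
class Login:
    user: str
    device_id: str
    lat: float
    lon: float
    ts_hours: float    # time in hours (constructed unit for the example)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def frequent_devices(history, user, n=TOP_N_DEVICES):
    """The n device ids this user has logged in from most often."""
    counts = Counter(l.device_id for l in history if l.user == user)
    return {device for device, _ in counts.most_common(n)}


def assess(history, attempt):
    """Return ("allow", []) or ("step_up", [reasons]) for a login attempt.

    step_up means: do not accept the password alone; ask for a second factor.
    """
    reasons = []
    if attempt.device_id not in frequent_devices(history, attempt.user):
        reasons.append("unknown_device")
    prior = [l for l in history if l.user == attempt.user and l.ts_hours <= attempt.ts_hours]
    if prior:
        last = max(prior, key=lambda l: l.ts_hours)
        dist = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = attempt.ts_hours - last.ts_hours
        if hours > 0:
            speed = dist / hours
        else:
            # Same instant: any distance at all is impossible; no distance is fine.
            speed = float("inf") if dist > 0 else 0.0
        if speed > MAX_KMH:
            reasons.append("impossible_travel")
    return ("step_up" if reasons else "allow", reasons)


# Constructed sample history: one user, two known devices, all from Portland, Oregon.
HISTORY = [
    Login("alice", "phone-1", 45.52, -122.68, 100.0),
    Login("alice", "phone-1", 45.52, -122.68, 124.0),
    Login("alice", "laptop-1", 45.52, -122.68, 148.0),
    Login("alice", "phone-1", 45.52, -122.68, 172.0),   # groceries in Portland at 6 pm
]

if __name__ == "__main__":
    print(assess(HISTORY, Login("alice", "phone-1", 45.52, -122.68, 175.0)))
    print(assess(HISTORY, Login("alice", "phone-1", 13.19, -59.54, 173.0)))   # Barbados at 7 pm
    print(assess(HISTORY, Login("alice", "tablet-9", 45.52, -122.68, 175.0)))
```

Portland to Barbados is roughly 6,900 km, so a login there one hour after the grocery purchase implies a speed far above the threshold and the attempt is sent for a second factor; the same device logging in from Portland three hours later passes, and an unfamiliar device is stepped up even when the location is plausible. None of the signals involved is a body part, and all of them can be rotated or re-enrolled if they leak.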
Remember that face recognition wake-up call? Maybe this is one, too.