
SoylentNews is people

posted by martyb on Wednesday August 14 2019, @03:01PM
from the Hello-Mr.-Yakamoto,-welcome-back-to-the-Gap dept.

It has been coming for some time, but now the major breach of a biometric database has actually been reported—facial recognition records, fingerprints, log data and personal information have all been found on "a publicly accessible database." The damage is not yet clear, but the report claims that actual fingerprints and facial recognition records for millions of people have been exposed.

The issue with biometric data being stored in this way is that, unlike usernames and passwords, it cannot be changed. Once it’s compromised, it’s compromised. And for that reason this breach report will sound all kinds of alarms.

The report published by security researchers Noam Rotem and Ran Locar at Vpnmentor relates to Suprema, a company describing itself as a "global Powerhouse in biometrics, security and identity solutions," with a product range that "includes biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules."

The news of the breach was first published by Wednesday’s Guardian newspaper in the U.K., which highlighted the use of Suprema solutions by the "Metropolitan Police, defence contractors and banks." The breach, though, is international, with Suprema's Biostar 2 biometric identity SDK integrated into the AEOS access control system "used by 5,700 organisations in 83 countries, including governments, banks and the police."

[...] Almost 28 million records across more than 23 gigabytes of data—records that include "fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff."

Highly sensitive data was left unencrypted, including (most alarmingly of all) usernames and passwords. "We were able to find plain-text passwords of administrator accounts," Rotem told the Guardian. "The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility." The researchers were even "able to change data and add new users."

[...] The final interesting takeaway from this story doesn’t relate to any of the specifics, it’s a much more general point. We are currently giving away biometric information to multiple platforms and providers. Our phones, our banks, our immigration services, to name but a few. Every time we do this, our risk increases. At some point the realization will hit that we need some kind of unified platform where we limit the number of parties who actually hold such data, with others accessing those trusted holders on an “as a service” basis.


  • (Score: 0) by Anonymous Coward on Wednesday August 14 2019, @04:54PM (#880333)

    Won't matter, the data has already been gathered and the average Joe can't get new prints or a new face (easily and cheaply).

  • (Score: 2) by acid andy (1683) on Wednesday August 14 2019, @09:57PM (#880552)

    To take this to its logical conclusion, it makes you wonder how things like democratic elections, for instance, could be fairly run, in a society where a citizen's genuine identity is always 100% indistinguishable from any number of fakes. I suppose that's when the case will be made for compulsory implants containing symmetric keys. Or they'll just abolish any pretense of democracy altogether.

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?