
posted by martyb on Wednesday August 14 2019, @03:01PM   Printer-friendly
from the Hello-Mr.-Yakamoto,-welcome-back-to-the-Gap dept.

It has been coming for some time, but now a major breach of a biometric database has actually been reported: facial recognition records, fingerprints, log data and personal information have all been found on "a publicly accessible database." The damage is not yet clear, but the report claims that actual fingerprints and facial recognition records for millions of people have been exposed.

The issue with biometric data being stored in this way is that, unlike usernames and passwords, it cannot be changed. Once it’s compromised, it’s compromised. And for that reason this breach report will sound all kinds of alarms.

The report published by security researchers Noam Rotem and Ran Locar at vpnMentor relates to Suprema, a company describing itself as a "global Powerhouse in biometrics, security and identity solutions," with a product range that "includes biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules."

The news of the breach was first published by Wednesday’s Guardian newspaper in the U.K., which highlighted the use of Suprema solutions by the "Metropolitan Police, defence contractors and banks." The breach, though, is international, with Suprema's Biostar 2 biometric identity SDK integrated into the AEOS access control system "used by 5,700 organisations in 83 countries, including governments, banks and the police."

[...] Almost 28 million records across more than 23 gigabytes of data—records that include "fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff."

Highly sensitive data was left unencrypted, including (most alarmingly of all) usernames and passwords. "We were able to find plain-text passwords of administrator accounts,” Rotem told the Guardian. "The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility." The researchers were even "able to change data and add new users."

[...] The final interesting take away from this story doesn’t relate to any of the specifics, it’s a much more general point. We are currently giving away biometric information to multiple platforms and providers. Our phones, our banks, our immigration services, to name but a few. Every time we do this, our risk increases. At some point the realization will hit that we need some kind of unified platform where we limit the numbers of parties who actually hold such data, with others accessing those trusted holders on an “as a service” basis.
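The most directly avoidable part of the report above is the plain-text administrator passwords: a database left reachable from the internet should still not hand over working credentials. The following is an added Python example, not code from the article or from Suprema, contrasting the record layout the report describes with a hardened one (salted PBKDF2-HMAC-SHA256, constant-time verification). The usernames and passwords are constructed samples and the round count is an assumption to tune for your hardware.

```python
import hashlib
import hmac
import os

# Constructed sample enrolments; not data from the breach.
SAMPLE_USERS = [
    ("admin", "S3cret-Admin!"),
    ("door-ops", "badge1234"),
]

# Assumption: tuned so one hash takes a noticeable fraction of a second.
PBKDF2_ROUNDS = 600_000


def record_plaintext(username: str, password: str) -> dict:
    """The pattern the report describes: the credential is stored as-is."""
    return {"user": username, "password": password}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, self-describing so parameters can be rotated later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def record_hardened(username: str, password: str) -> dict:
    """Same record, but the table only ever holds the verifier, never the secret."""
    return {"user": username, "password_hash": hash_password(password)}


def leaked_plaintext_passwords(records: list) -> list:
    """What someone with read access to the exposed table learns immediately."""
    return [r["password"] for r in records if "password" in r]


def demo() -> dict:
    weak = [record_plaintext(u, p) for u, p in SAMPLE_USERS]
    strong = [record_hardened(u, p) for u, p in SAMPLE_USERS]
    return {
        "weak_leaks": leaked_plaintext_passwords(weak),
        "strong_leaks": leaked_plaintext_passwords(strong),
        "login_ok": verify_password("S3cret-Admin!", strong[0]["password_hash"]),
        "login_wrong": verify_password("S3cret-Admin?", strong[0]["password_hash"]),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing only changes what the attacker gets from the credentials table; the fingerprint and face templates the report mentions cannot be protected this way, because matching needs the template in a usable form. That is a key-management and access-control problem, and the reason an exposed biometric store is worse than an exposed password store.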


Original Submission

  • (Score: 2) by Runaway1956 on Wednesday August 14 2019, @03:04PM (4 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday August 14 2019, @03:04PM (#880246) Journal

    How many citizens remain, who have NOT been exposed?

    • (Score: 2) by EvilSS on Wednesday August 14 2019, @03:21PM (2 children)

      by EvilSS (1456) Subscriber Badge on Wednesday August 14 2019, @03:21PM (#880263)
      Not sure. How many people have been born in the past hour?
      • (Score: 2, Touché) by fustakrakich on Wednesday August 14 2019, @04:07PM (1 child)

        by fustakrakich (6150) on Wednesday August 14 2019, @04:07PM (#880290) Journal

        Ah, but the data begins at conception!

        --
        La politica e i criminali sono la stessa cosa..
        • (Score: 2) by EvilSS on Wednesday August 14 2019, @05:11PM

          by EvilSS (1456) Subscriber Badge on Wednesday August 14 2019, @05:11PM (#880350)
          True, but that data is still tied to the parents. Got to have a birth certificate as the foundation to build the child's data on. No name, no index key.
    • (Score: 1, Informative) by Anonymous Coward on Thursday August 15 2019, @01:21PM

      by Anonymous Coward on Thursday August 15 2019, @01:21PM (#880557)

      https://fossbytes.com/aadhaar-hack-personal-data-indians-sale-rs-500/ [fossbytes.com]

      In India? Next to no one. All easily hacked.

  • (Score: 3, Insightful) by acid andy on Wednesday August 14 2019, @03:24PM (4 children)

    by acid andy (1683) on Wednesday August 14 2019, @03:24PM (#880265) Homepage Journal

    OK, OK, hear me out.

    A fair few more of these and maybe your average Joe will start to get that this sort of tech is somewhere between embarrassingly useless and hideously evil.

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
    • (Score: 2) by PiMuNu on Wednesday August 14 2019, @03:49PM

      by PiMuNu (3823) on Wednesday August 14 2019, @03:49PM (#880277)

      But it looks cool in movies! How can you possibly decry it?

    • (Score: 0) by Anonymous Coward on Wednesday August 14 2019, @04:54PM (1 child)

      by Anonymous Coward on Wednesday August 14 2019, @04:54PM (#880333)

      Won't matter, the data has already been gathered and the average Joe can't get new prints or a new face (easily and cheaply).

      • (Score: 2) by acid andy on Wednesday August 14 2019, @09:57PM

        by acid andy (1683) on Wednesday August 14 2019, @09:57PM (#880552) Homepage Journal

        To take this to its logical conclusion, it makes you wonder how things like democratic elections, for instance, could be fairly run, in a society where a citizen's genuine identity is always 100% indistinguishable from any number of fakes. I suppose that's when the case will be made for compulsory implants containing symmetric keys. Or they'll just abolish any pretense of democracy altogether.

        --
        If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
    • (Score: 2) by fyngyrz on Wednesday August 14 2019, @06:23PM

      by fyngyrz (6567) on Wednesday August 14 2019, @06:23PM (#880422) Journal

      A fair few more of these and maybe your average Joe will start to get that this sort of tech is somewhere between embarrassingly useless and hideously evil.

      I enjoy your optimism. Seriously.

      However, the reality of what (at least US) citizens have put up with, and even proactively chosen WRT their laws and their leadership, leads me to think that optimism is all it is.

      --
      Dinosaurs had no pizza.
      How did that work out?

  • (Score: 0) by Anonymous Coward on Wednesday August 14 2019, @05:19PM (1 child)

    by Anonymous Coward on Wednesday August 14 2019, @05:19PM (#880359)

    1) mandate forceful data collection (example: immigration ports)
    2) liberate data
    3) alter data
    4) ...
    5) PROFIT!

    • (Score: 0) by Anonymous Coward on Friday August 16 2019, @12:20AM

      by Anonymous Coward on Friday August 16 2019, @12:20AM (#880791)

      They tried this with the ehealth system in Australia. The blowback was excessive.
      They did it in India. The thefts are epic.
      Can you trust anyone with your data?

  • (Score: 2) by HiThere on Wednesday August 14 2019, @09:30PM (1 child)

    by HiThere (866) Subscriber Badge on Wednesday August 14 2019, @09:30PM (#880543) Journal

    You CAN change biometric data. It's not as easy as changing a password, because it requires a global change of everyone's data, but it can be done. Just change the algorithm that selects which features to recognize. (Changing the hash might be enough, but let's be thorough.) The problem is it requires a system-wide change.

    I'm not really objecting to the idea that it's unreasonable to change biometric data, but to the phraseology that's usually used. It's not impossible. It's impossible for an individual to do so without extensive medical assistance, but the system can be changed.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
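The point in the comment above, that the system rather than the person can be re-keyed, is what the literature calls a cancelable (revocable) biometric template. The Python below is an added illustration of that idea, not the commenter's code and not anything Suprema ships. It assumes a fixed-length binary template compared by Hamming distance (the iris-code style of matching); the template bits, the keys and the 30% match threshold are constructed for the example. A key-derived bit permutation plus a key-derived XOR mask preserves Hamming distance, so matching works on the transformed templates, the stored template is useless without the key, and revocation is a key rotation followed by re-enrolment of everyone, which is exactly the system-wide cost the comment describes.

```python
import hashlib
import hmac

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.30  # assumed: fraction of differing bits still accepted

# Constructed keys. In a real deployment these live in an HSM/KMS, never in the template DB.
OLD_KEY = hashlib.sha256(b"constructed old system key").digest()
NEW_KEY = hashlib.sha256(b"constructed new system key").digest()


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Deterministic key-derived bytes: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def transform(raw: list, key: bytes, user_id: str) -> list:
    """Cancelable transform: keyed permutation, then keyed XOR mask."""
    n = len(raw)
    order = list(range(n))
    ks = keystream(key, b"perm:" + user_id.encode(), 2 * n)
    # Fisher-Yates driven by the keystream (small modulo bias, fine for illustration).
    for i in range(n - 1, 0, -1):
        j = int.from_bytes(ks[2 * i:2 * i + 2], "big") % (i + 1)
        order[i], order[j] = order[j], order[i]
    mask = keystream(key, b"mask:" + user_id.encode(), n)
    return [raw[order[i]] ^ (mask[i] & 1) for i in range(n)]


def hamming(a: list, b: list) -> int:
    return sum(x != y for x, y in zip(a, b))


def matches(stored: list, probe: list) -> bool:
    """Both arguments must already be in the transformed domain under the same key."""
    return hamming(stored, probe) / len(stored) <= MATCH_THRESHOLD


def sample_bits(label: bytes) -> list:
    """Constructed stand-in for a feature extractor: 256 fixed pseudo-random bits."""
    data = keystream(b"constructed-sample-source", label, TEMPLATE_BITS // 8)
    return [(byte >> k) & 1 for byte in data for k in range(8)]


def perturb(bits: list, positions) -> list:
    """Simulate a fresh capture of the same finger: flip a few bits."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo() -> dict:
    alice = sample_bits(b"alice")
    stored = transform(alice, OLD_KEY, "alice")          # the only thing the DB holds
    probe = perturb(alice, range(0, TEMPLATE_BITS, 13))   # 20 flipped bits, ~8% noise
    return {
        "db_hides_raw": hamming(stored, alice) > TEMPLATE_BITS // 4,
        "same_user_same_key": matches(stored, transform(probe, OLD_KEY, "alice")),
        "other_user": matches(stored, transform(sample_bits(b"mallory"), OLD_KEY, "alice")),
        # After the key is rotated, the old stored template no longer matches anyone...
        "same_user_after_revocation": matches(stored, transform(probe, NEW_KEY, "alice")),
        # ...so every user has to be re-enrolled under the new key.
        "re_enrolled": matches(transform(alice, NEW_KEY, "alice"),
                               transform(probe, NEW_KEY, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat that matters for this breach: the transform only helps if the key is stored somewhere the database dump cannot reach. With the key in the same exposed store, the attacker inverts the permutation and mask and is back to the raw template.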
    • (Score: 0) by Anonymous Coward on Wednesday August 14 2019, @09:34PM

      by Anonymous Coward on Wednesday August 14 2019, @09:34PM (#880544)

      Yep, you change your hashes while I 3D print 10 new fingerprints out of the 28 million I just downloaded, and I will meet you at my local bank in an hour ..
