Passwords vs Biometrics?

Most people are of the opinion that the use of biometrics will soon take over the use of passwords as we progress technologically as a society.  For those who don’t know what I’m talking about, biometrics are some sort of unique identifier belonging to you that exist somewhere on your body e.g. A fingerprint.

If you use fingerprint identification on anything, then you know how much simpler it can make your life when accessing your information. Most of the modern smartphones and even many laptops have this capability now.  It is hard to argue that the use of biometrics is typically faster and simpler overall for the user.

A recent incident has brought some pretty large attention to the issue of biometrics.  Self-service food kiosk vendor, Avanti, has been a victim of a malware attack that, according to them, has most likely compromised customer biometric data as well as their first name, last name, credit card number, and expiration date.  This attack is also one of the largest, successful Internet of Things (IoT) attacks and according to some reports, up to 1.6 million people could be impacted.

The most major question to me arising from this incident is one of overall security involving biometrics.  While it’s true they are typically easier and faster to use, it’s not exactly like something you can easily change if it gets stolen.  If your password or even credit card data are compromised, those at least you can change.  However, if your fingerprint or other biometric data is stolen, those are not things you can change.  This question and others relating to biometric security are continuing to resurface after incidents such as these.

So, what is the solution? In my mind, we always increase security with a multi-layered approach.  In the case of logging into something like this, one might have a password and biometric data as a form of two-factor authentication. The flip side of this is that users would most likely complain that now the system is more cumbersome to use.  Yes, their data might be a little more protected, but the technology that made their life easier just got more complicated to use.

While I still believe in two-factor authentication, in the case of Avanti’s breach, the data would still be compromised.  So if you are an Avanti customer, your biometric data might be in someone else’s posession now.  I know, it is scary!

While I still think that biometrics still represent a lot of our future authentication, the question must be asked about securing that data, how it is stored, and how it is transmitted.  According to Brian Krebs and his research, some simple technological applications to the kiosks themselves could have prevented this breach easily.  The kiosks fell victim to a known Point of Sale (POS) family of malware known as PoSeidon that siphons credit card data from point-of-sale devices.  In this case, it also grabbed the biometric data too.

In my eyes, the fault lies with Avanti and their terminals, and/or the third-party vendors that distribute and maintain them.  That being said, while everyone is looking for someone to blame, the bigger question and picture here is that of you, the consumer.  How do you protect yourself? How do you avoid these problems?  Unfortunately, it is a question of your own risk management.  I write articles all the time about the best practices you should have to protect yourself, but the fact remains that when your data is in someone else’s hands, you lose control.

My advice this week, do the best very best you can and be careful!  If you are an Avanti customer, follow the advice on their public statement and start monitoring your credit and close any accounts you may have used with them, or at least have your card reissued.

As always, if you have any questions or need help with anything, we at Cyber Watchtower are here to help you in any way we can.  Please contact us and let us help you.

Stay connected.  Stay safe!

Austin Bynum
Chief Watchman
Cyber Watchtower