In Focus: Fingerprint Economy

By  Vero Insurance

The high price of high security

How much could biometric security cost your business?

Biometrics has long been touted as the future of digital security, but small and medium-sized enterprises must carefully consider whether the benefits outweigh the risks.

Data breaches have been occurring with much greater frequency in recent years, and at considerable financial and reputational cost to businesses. And yet, cybersecurity is barely registering as a priority for many firms, especially small and medium-sized enterprises (SMEs).

In fact, research released earlier this year by Versasec found that 86 per cent of SMEs around the globe predominantly use a password system for user authentication, a simple form of security that’s particularly vulnerable to attack. Perhaps most interesting, though, is that biometrics – touted by experts as the future of cybersecurity – was only embraced by 16 per cent of respondents.

The high price of poor security

Adopting the most effective form of security is particularly important for small businesses, which are now viewed as weak targets by progressive hackers. Indeed, in the past year alone, an Information Security Breaches survey found that nearly three-quarters of surveyed SMEs reported an information breach of some kind.

Meanwhile, research group Gartner revealed Australia was the second most popular destination for ransomware cyberattacks after the United States (US), with small businesses disproportionately affected.

“The password system is broken,” says Thomas Keenan, professor at the University of Calgary, TEDx speaker and author of Technocreep. “One gets compromised and they all get compromised.”

His observation echoes that of Microsoft’s Bill Gates, who famously told a security conference in 2004 that passwords were the weakest link in the identity management chain and bound for extinction. Biometric systems were floated as a solution. Today that prediction is becoming a reality.

Introducing biometrics

Although passwords are not yet dead, a marked shift towards biometric identification is underway. A biometric technologies report from Juniper Research suggests 770 million biometric apps will be downloaded each year by 2019, with fingerprint authentication likely to be the most prevalent. Such technology has already been adopted by major corporations, and smaller businesses are likely to follow their lead.

Millions of US customers who bank with the likes of Goldman Sachs, Wells Fargo and JPMorgan Chase already log into their accounts through fingerprint scanning, while some institutions offer an additional layer of security by requiring other biometric identifiers and a password. Keenan says Air Canada’s frequent flyer program, Aeroplan, is one of the first to identify its customers by their voice intonations. “To say biometrics is the future of cybersecurity is wrong,” Keenan says. “It’s already happening now.”

And it’s not just big businesses that are embracing the trend. The Australian Federal Government recently outlined its plan to spend $18.5 million on the National Facial Biometric Matching Capability, a counterterrorism and policing initiative that will grant security authorities access to 100 million facial images from databases nationwide. The proposal, which was implemented earlier this year, elicited concern from privacy and civil liberties activists, who argued that accumulating sensitive data in such a way was intrusive.

Biometric application for SMEs

PwC report on information security revealed that 36 per cent of Australian businesses view identity management as a top security priority, followed by cloud computing (27 per cent). Biometrics may provide a solution for the former issue, but a one-size-fits-all approach should be discouraged. The most accurate products – iris and retina scanners – are the most invasive, not to mention expensive.Fingerprint scanners are more affordable and may alleviate the burden on IT departments to manage log-in issues, but are generally best suited to scenarios where single-user authentication is required, like a staff member logging in to access information.

Should SMEs opt to go down the biometric route, they should know that the risk of seeming invasive is hardly a deterrent for consumers. A OnePoll/Gigya survey found 52 per cent of consumers, if given the option, were eager to forgo passwords entirely in favour of biometric authentication. Furthermore, 80 per cent of those surveyed perceived it as being more secure.

In theory, passwords are more susceptible to malevolent activity, in part because many internet users take a lax approach to personal security, using easily guessable codes like ‘12345’ or their date of birth as a password for multiple accounts.

That said, the same characteristics that make biometrics unique and difficult to replicate make them a potent weapon in the hands of hackers. Complicating matters is the fact that biometric data can be collected without an individual’s consent. As Keenan notes in a research paper, a US company called Photon-X can conduct 3D face modelling and fingerprint scans “overtly or covertly, from a distance”.

Such activity will not only worsen the scale of a potential data breach, but also breed mistrust between consumers and businesses. The purpose of using biometric data should be clearly established in a contract; using biometrics for other purposes, such as advertising to consumers or as proof in cases of disciplinary action against employees, could further violate trust.

Fooling the system

Biometrics should not be seen as a silver bullet for weak security. Even the facial recognition technology used by the FBI, for instance, is said to have an error rate of 20 per cent. Accuracy thresholds vary wildly between companies, and can determine a business’s susceptibility to attacks. Then there are the inherent risks embedded within biometrics. Security researcher Jan Krissler, known by the alias ‘Starbug’, says almost all biometric technologies are at risk of being compromised.

At a hacking conference in 2014, Krissler re-created the fingerprints of German defence minister Ursula von der Leyen by using press release images and a photo he took of her from a three-metre distance. He notes many biometric systems would be fooled by a high-resolution spoof of an iris, and that 3D printing has also made the cloning of fingerprints a relatively simple task.

“Most biometric features give away other sensitive information, such as medical information,” says Krissler. “You can’t revoke a biometric feature if it gets stolen.”

Late last year, 5.6 million fingerprints were stolen in a cyberattack on the Office of Personnel Management in the US. While experts have said the potential for “misuse” of these identifiers is limited, they note that technological advances could exacerbate the fallout. If the release of sensitive biometric information was to intentionally or recklessly cause someone harm, a business may find itself facing civil action.

Managing risk

There are several ways businesses can manage the risk associated with biometrics and reduce their liability. They can arm themselves against a potential breach by combining biometric identification with password protection or secret questions, a process known as two-factor authentication.

Of equal importance is how sensitive biometric information is stored. Centralised databases should be avoided, as they are a treasure trove of information for hackers, and storing information in the cloud can also prove vulnerable. Both Keenan and Krissler recommend storing as little sensitive information as possible and making use of decent encryption.

SMEs already have a strong imperative to shore up their defence against cyber threats. Soon they may find themselves compelled to do so by the Australian Federal Government, which is mulling mandatory breach notification legislation that will require all businesses with an annual turnover greater than $3 million to report breaches within 30 days. Potential legislation aside, any decision regarding the implementation of biometric security should be considered carefully. For SMEs, this seemingly sensible protective solution could prove costlier than its worth.