The security of biometric data: you might be able to change your password, but you can’t change who you are

Last updated: April 16th, 2020 - 06:19 pm

In May 2019, a security company in the United Kingdom was the victim of a massive data leak that included biometric information of more than a million customers. In other words, the fingerprints, names, passwords and facial recognition details of all these citizens were publicly exposed.

Even though this kind of attack or information loss happens more frequently than we know, because of migration to the cloud, configuration failures or human error, this incident is different because, besides personal information, the customers’ biometric factors were revealed.

In terms of scale, the incident involved 27.8 million different records amounting to at least 23 gigabytes of information. But what does this mean when we talk about factors we can’t change, such as our own voice?

When we talk about passwords or codes created by users, protection after the attack is relatively simple: it’s enough to change the access keys of the affected platform or portal to guarantee security again. However, this doesn’t work with biometric data, and that’s why both the company and the users must take more precautions.

The theft of biometric data and its implications for users

While it might be uncomfortable that an unknown person holds somebody else’s biometric information, users can remain calm because, in general, this information has to be validated against the person at the moment of use: a selfie, a fingerprint scan, voice recognition. Biometric data, in isolation, doesn’t always have practical use.

On the other hand, this information is also compared with the normal behavior of the individual. In other words, even if the criminal has biometric data, they won’t be able to make transactions if the information doesn’t match the usual behavior of the customer, for example if someone tries to use a voice recording from an unusual device or from a location the customer doesn’t visit frequently. You can change your passwords, but you can’t change what you are.

Measures that companies must take to protect their customers’ biometric data:

  • Add cybersecurity solutions to the business that make it possible to take preventive measures instead of reacting to an attack.
  • Develop solutions that incorporate cybersecurity measures from their very conception, with a proper balance between UI and UX.
  • Use ethical hacking methodologies to identify flaws and weak points so that the company can fix them before criminals find them and use them against the company.
  • Implement fraud and behavior analysis solutions that include customizable parameters to identify abnormal behaviors and prevent fraud before it happens.
  • Adopt solutions with second or third authentication factors to strengthen access and reduce the risk of hacking.
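
The behavior check described above (a matching biometric sample presented from an unusual device or location) combined with the customizable fraud parameters and extra authentication factors from the list, as an added example. It is not code from the original article, and the profile fields, thresholds, device names and coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Profile:
    """Constructed customer profile: devices and places seen in past sessions."""
    known_devices: set
    usual_locations: list        # (lat, lon) pairs

@dataclass
class Policy:
    """Customizable parameters (hypothetical names and defaults)."""
    min_match: float = 0.90      # biometric matcher score required at all
    max_km: float = 50.0         # radius around a usual location
    deny_at: int = 2             # number of anomalies that blocks the attempt

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decide(profile, policy, match_score, device_id, location):
    """Return (decision, reasons) for one biometric authentication attempt."""
    if match_score < policy.min_match:
        return "deny", ["biometric_mismatch"]
    reasons = []
    if device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if not any(km_between(location, usual) <= policy.max_km
               for usual in profile.usual_locations):
        reasons.append("unusual_location")
    if len(reasons) >= policy.deny_at:
        return "deny", reasons
    if reasons:
        return "step_up", reasons    # require a second or third factor
    return "allow", reasons

# Constructed sample data: one customer, one phone, one usual city.
PROFILE = Profile({"phone-a1"}, [(-34.60, -58.38)])
POLICY = Policy()

if __name__ == "__main__":
    # A good voice match from a new device far away is still refused.
    print(decide(PROFILE, POLICY, 0.97, "laptop-zz", (51.51, -0.13)))
    # The same match from the usual phone and area goes through.
    print(decide(PROFILE, POLICY, 0.97, "phone-a1", (-34.61, -58.40)))
```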

Around the world, more and more countries are implementing biometric technology to verify that individuals are who they say they are, to discover the identity of unknown people or to compare people against a list, for example. Since 2018, in Argentina, biometrics have been used to digitize the driving license and to allow people to carry out all kinds of procedures remotely. Biometrics are becoming an accessible, convenient and trustworthy alternative, so their implementation at every level of the social ecosystem shouldn’t surprise us: to digitize an ID, maintain public order, or control physical access or borders. The potential and the possibilities for implementation are huge, and the time has come for companies and institutions to start considering them in order to safeguard their customers’ digital identity.
