The Office of Personnel Management (OPM) has revealed in a statement that when hackers breached its systems earlier this year they made away with approximately 5.6 million fingerprints – a significant increase from the 1.1 million previously reported.
As is now well known, in addition to fingerprint data being stolen the Social Security numbers, addresses, employment history, and financial records of some 21.5 million current and former US government employees was also stolen.
The good news is that they believe the opportunities for criminals to exploit the fingerprint data is currently limited.
But the bad news is that chances are that won’t continue to be the case.
And, because of that, a working group of US agencies has banded together to review how the exposed information could be exploited in the future:
“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”
The fundamental problem highlighted by the theft of the fingerprint data is that whereas you change your passwords or your PIN code, you cannot change your fingerprints. What are you going to do if your fingerprint is hacked, get a new finger?
You’re stuck with your fingerprints, barring gruesome accidents, for life.
What’s more, fingerprints cannot be considered like passwords. You leave your fingerprints lying around all over the place every day – a fact that hackers attempting to breach biometric authentications systems have taken advantage of in the past.
In short, comparing fingerprints to passwords is a folly. Fingerprints are not a well-kept secret, and you don’t have different fingerprints for every account you access.
Tim Erlin, Tripwire’s director of IT security and risk strategy, summed up the issue well in a statement to ZDNet:
“One of the key challenges with biometric authentication is that it’s immutable. You can’t change your fingerprints, retinas or voice prints. When biometric credentials are compromised, it’s very hard to recover. Using multi-factor authentication can provide mitigation in these cases. The best authentication, as the old adage goes, requires something you are, something you have and something you know.”
“While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread. Most iPhones can use a fingerprint for authentication these days, and criminals always look for the most profitable targets.”
All organisations need to take great care over the biometric information they may store about their customers and employees. Even if the data cannot be easily exploited today, with the rapid rate of change there is always the potential that any breach could become a big problem tomorrow.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock