
The Office of Personnel Management (OPM) has revealed in a statement that when hackers breached its systems earlier this year they made away with approximately 5.6 million fingerprints – a significant increase from the 1.1 million previously reported.

As is now well known, in addition to the fingerprint data, the Social Security numbers, addresses, employment histories, and financial records of some 21.5 million current and former US government employees were also stolen.

The good news is that OPM believes the opportunities for criminals to exploit the fingerprint data are currently limited.

But the bad news is that this is unlikely to remain the case.

And, because of that, a working group of US agencies has banded together to review how the exposed information could be exploited in the future:

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”

The fundamental problem highlighted by the theft of the fingerprint data is that whereas you can change your passwords or your PIN code, you cannot change your fingerprints. What are you going to do if your fingerprint is hacked, get a new finger?

You’re stuck with your fingerprints, barring gruesome accidents, for life.

What’s more, fingerprints cannot be treated like passwords. You leave your fingerprints lying around all over the place every day – a fact that attackers attempting to defeat biometric authentication systems have taken advantage of in the past, for example by lifting a latent print from a surface and using it to fabricate a fake finger.

In short, comparing fingerprints to passwords is folly. Fingerprints are not a well-kept secret, and you don’t have different fingerprints for every account you access.

Tim Erlin, Tripwire’s director of IT security and risk strategy, summed up the issue well in a statement to ZDNet:

“One of the key challenges with biometric authentication is that it’s immutable. You can’t change your fingerprints, retinas or voice prints. When biometric credentials are compromised, it’s very hard to recover. Using multi-factor authentication can provide mitigation in these cases. The best authentication, as the old adage goes, requires something you are, something you have and something you know.”

“While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread. Most iPhones can use a fingerprint for authentication these days, and criminals always look for the most profitable targets.”

All organisations need to take great care over the biometric information they may store about their customers and employees. Even if the data cannot be easily exploited today, with the rapid rate of change there is always the potential that any breach could become a big problem tomorrow.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock

  • Finger

    In breaking news, the US Government has decided to chop off users' fingers that have been compromised.

    You will be able to recognise current and former government employees as they will sport bandaged hands for the next few weeks, and smooth plastic fingers with raised bumps that have been fitted as replacements.

    In a surprisingly swift move, all US government employee numbers have been reallocated to prevent re-use of compromised numbers by cyber-criminals, and those replacement fingers have been molded with their respective new employee numbers encoded with Braille bumps.

    Apple, Google and Samsung have announced their cell phone fingerprint sensors have been modified to recognise Braille. Updates to system software will be released within weeks. Microsoft will update Windows in their usual monthly Tuesday update, except for Windows 10 users, who will receive theirs next Monday.

    To prevent further compromises, future government employees will have their fingers removed and replaced by plastic prostheses, and every employee each year will have new Braille numbers allocated and remolded on their plastic fingers.

    A spokesperson said "We are determined to stamp out privacy breaches. We believe employees and their families will be extremely comfortable with the protections we have decided to implement. It will protect our dedicated and devoted employees and stop fraud. The use of Braille brings us into the twenty-first century and prevents our enemies such as China, Russia and Korea from being able to duplicate our Braille system as it is only in 10 point US English which they don't use."

    IBM have announced a Selectric golf-ball replacement for their typewriters that will replace type with Braille. Retrofit involves the simple replacement of the golf-ball, as the Braille letters are in the same position as their English counterparts, but in mirror writing. Turning the page over and running your finger along the page will make the pages easily readable by the optically challenged community. This will make Tempest-rated typewriters, still in widespread use in overseas embassies, spy proof and tamper resistant.

    In related industry news, Type-Quick is releasing their 'plastic finger' version in time for Halloween.