- This is an excerpt from a story delivered exclusively to Business Insider Intelligence Banking subscribers.
The fingerprints of more than 1 million people — as well as facial recognition information, usernames and passwords, and personal information of employees — were found by security researchers working with vpnmentor on a publicly accessible database belonging to the biometric lock system Biostar 2, The Guardian reports.
The information was unprotected and largely unencrypted, enabling researchers to add new users with new fingerprint data, edit existing user accounts, and see data from organizations partnering with Biostar 2 in the US and Indonesia. The head of marketing at Suprema, which owns Biostar 2, said the company had conducted an in-depth evaluation of the information provided by vpnmentor and would inform customers if there was a threat.
All of the companies that work with Biostar 2 — such as banks — are fortunate that this vulnerability was discovered by researchers and not by cybercriminals. If the breach had been exploited by cybercriminals, the potential scale of problems would be massive: Biostar 2 is used at 1.5 million locations across the world by a multitude of organizations, including banks, defense contractors, and even the UK Metropolitan Police.
Further, since biometric data like fingerprints and facial recognition information is static — meaning it can’t be changed by affected consumers in the way that passwords can — once it’s been leaked, it creates a more permanent security problem than the breach of a mutable key, such as a PIN.
The severity of this issue suggests that regulating biometrics — and enforcing heavy punishments for violating those regulations — could be logical next steps for countries where biometrics usage is becoming widespread, like the US and the UK.
As banks increasingly use biometric data for authentication, the Biostar 2 vulnerability should serve as a warning to them. Biometrics have the potential to be very useful to banks: They’re quick to use, impossible for customers to forget, and can act as an extra layer of authentication.
One way to protect consumers’ biometric information is to use a hash function to convert each piece of biometric data into a hash value and store those values instead of the biometrics themselves. That way, even if cybercriminals breach the bank’s database, they obtain only hash values rather than customers’ actual biometric data.
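An added illustration of the hash-instead-of-template idea above (example code, not from the article or from Suprema or vpnmentor): each user record holds a random per-user salt and an HMAC-SHA256 digest of the enrolled template, and login recomputes the digest and compares it in constant time. The 64-byte `SAMPLE_TEMPLATE` is a constructed stand-in for a scanner's feature vector, and the store layout and function names are assumptions for the example.

```python
import hmac
import os
from typing import Dict, Tuple

# Constructed sample template: a real system would hash the feature vector
# produced by the scanner's SDK (e.g. minutiae positions), never a raw image.
SAMPLE_TEMPLATE = bytes(range(64))  # constructed, 64 bytes of stand-in data

# What the database holds per user: a random per-user salt and the keyed
# SHA-256 digest of the template. The template itself is never stored.
BiometricStore = Dict[str, Tuple[bytes, bytes]]


def _digest(salt: bytes, template: bytes) -> bytes:
    # HMAC-SHA256 keyed with the per-user salt: the same finger enrolled for
    # two users (or at two organisations) yields unrelated digests, so leaked
    # records cannot be cross-matched between databases.
    return hmac.new(salt, template, "sha256").digest()


def enroll(store: BiometricStore, user_id: str, template: bytes) -> None:
    salt = os.urandom(16)
    store[user_id] = (salt, _digest(salt, template))


def verify(store: BiometricStore, user_id: str, template: bytes) -> bool:
    record = store.get(user_id)
    if record is None:
        return False
    salt, expected = record
    # Constant-time comparison so response timing does not leak digest bytes.
    return hmac.compare_digest(expected, _digest(salt, template))


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    # Simulates a fresh scan of the same finger that differs in a single bit.
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> Dict[str, bool]:
    store: BiometricStore = {}
    enroll(store, "alice", SAMPLE_TEMPLATE)
    # Everything an attacker would get from dumping alice's record.
    leaked_record = b"".join(store["alice"])
    return {
        "exact_template_verifies": verify(store, "alice", SAMPLE_TEMPLATE),
        "noisy_template_verifies": verify(store, "alice", flip_one_bit(SAMPLE_TEMPLATE)),
        "unknown_user_verifies": verify(store, "mallory", SAMPLE_TEMPLATE),
        "template_present_in_db": SAMPLE_TEMPLATE in leaked_record,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `noisy_template_verifies` result is the practical caveat: a plain cryptographic hash only matches when the template is byte-identical between enrolment and each later scan, which real sensors do not guarantee, so production systems pair this storage model with template-protection schemes designed for noisy input (fuzzy extractors, cancelable biometrics) rather than hashing the raw scan directly.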