Question

Founded in April 1996, Antheus Tecnologia develops and distributes Automated Fingerprint Identification Systems (AFIS), automated fingerprinting, and other systems such as iris recognition devices. Antheus Tecnologia also claims that it is the first Brazilian company to be certified by the US Federal Bureau of Investigation (FBI) and develops biometric solutions for domestic and overseas clients.

In March 2020, the security research team at SafetyDetectives discovered a significant data leak in addition to other security flaws (such as lack of password protection) relating to fingerprint data on an Antheus log server in Brazil. The research team discovered almost 2.3 million data points in total and estimated that 76,000 unique fingerprints were found on the database. Approximately 16 gigabytes of data were found on the Elasticsearch server including highly sensitive information related to identification and biometric details.

The Antheus server investigated by the security team is an identity server, which means it gives users access to the system or the ability to register as a new user. It also had fingerprint information in at least two “indices” from a total of 91. The Antheus server stored server and API access logs but also contained fingerprint data comprising of Ridge Bifurcation and Ridge ending – essential components for identifying and verifying fingerprints. In addition to fingerprint information, there were also instances of biometric data vulnerabilities, such as face recognition data being accessible and retrievable from the database.

In parallel to the biometric data breach, Antheus Tecnologia also had another related vulnerability which was noticed during the investigation. The company provides services to a national Civil Identification System in Brazil used to issue driving licenses although the access portal used for on-boarding new users was also not secure because of the lack of password protection. Furthermore, user data, administrator login information, several employee email addresses and phone numbers were also found.

According to the SafetyDetectives research team, the practice of allowing access to server data in such a way is rather unusual. This methodology generally leaves the server, but this could have been done purposefully. If so, it’s a rather strange option to take when it comes to ensuring security. SafetyDetectives security team found two indices, potentially referring to two different companies using the Antheus server to store personal information including fingerprint data. Moreover, the investigation team found data logs relating to precise fingerprint scans that could be reconstructed from the index numbers stored on the Antheus server. Moreover, it could be possible to recreate (or reverse-engineer) a biometric image map for a particular fingerprint from strings of data found on the server. According to the research finding of the SafetyDetectives security team, nefarious users can access the Antheus server and after extracting the available data, could use the data stream of ones and zeros to recreate the full biometric image of someone’s fingerprint.

a) After analysing the case study, discuss the importance of biometric credentials, and report the impact of the data breach associated with biometric data.

b) Identify and discuss the vulnerability associated with fingerprint data stored on the Antheus Tecnologia server. Recommend a possible solution to patch this vulnerability.

Answer 1

a) Importance of biometric credentials:

Biometric Authentication: The automated identification or verification of individuals based on their unique physiological or behavioral characteristics such as fingerprints, gait, iris, etc. is referred to as biometric authentication. With the advancements in technology, this trend continues to grow. The increasing need to reduce instances of fraud as well as to provide secured access to physical and logical assets have made biometrics a very popular and widely used technology.

Biometrics are currently being used in:

• Law enforcement, particularly for forensic analysis and suspect identification
• Military monitoring and campaigns
• The travel industry, including passport verification and airport security
• Employee management
• Healthcare, including access to personal records
• Voter registration
• Physical access control systems for secure buildings
• Identity and access management at the enterprise level
• Financial institutions, particularly to protect financial data and prevent fraud

what makes it so sought-after?

1. unique to the user

Biometrics consists of unique features such as ridges, valleys, and minutiae points that are unique to an individual.

2. High security

Security concerns are one of the most important reasons why biometric authentication has become the need of the hour. With biometric authentication, you are able to eliminate payment fraud activities such as card skimming, chip switching, and shoulder surfing, etc.

3. Speed

PIN authentication might take a few seconds or more if you use the wrong one whereas fingerprint recognition is a seamless,near-instant process. This will save a lot of time for both the customers and businesses involved.

4. Loss-proof

Customers often mistype or forget their PINs or feel skeptical to use it, especially when they are making payments. Biometrics identification eliminates such instances as the user is only required to use their biometric as their identity.

and a lot more.

impact of the data breach associated with biometric data:

• A crime scene can be totally divertable using obtained biometric data.
• If it was sold to a terrorist group, they can easily surpass the country's border.
• One with biometric data of others have the access to the buildings, his office, his financial accounts.
• They can change the fate of politics by false votings.
• If they have government official's data, then they have the access to that particular government sector crucial information.
• Gaining access to restricted or classified information
• Committing a range of financial crimes
• Phishing attacks
• Blackmail, extortion, and ransomware
• Crimes committed under the guise of someone else etc...
• Facial recognition, retina scans, fingerprint information, and biometric data are permanent and cannot be changed. Once they are stolen, the perpetrator has a record of someone’s biometric information which enables them to commit repeated criminal offenses in the future including ID fraud.
• Lax security measures for biometric information present a persistent security risk because even if the data cannot be used today, it can be stored and used at a later date given that its value does not diminish over time.
• This could create a lot of security-related problems and these can even eradicate a country.

b) vulnerabilities associated with fingerprint data stored on the Antheus Tecnologia server:

• Instead of saving a hash of the fingerprint (that can't be reverse-engineered), they are saving people's actual fingerprints that can be copied for malicious purposes.
• As mentioned, there is a lack of password protection, one of the major security flaws.
• Face recognition data being accessible and retrievable from the database.
• data logs relating to precise fingerprint scans that could be reconstructed from the index numbers stored on the Antheus server
• It could be possible to recreate (or reverse-engineer) a biometric image map for a particular fingerprint from strings of data found on the server
• After extracting the available data, the data stream of ones and zeros are used to recreate the full biometric image of someone’s fingerprint.

Possible solutions to patch this vulnerability:

->Tokenization or Encryption -

One way is to implement encryption or hash function. Say, for example, that retina, voice, or fingerprint identification is used to recognize and authenticate employees wherever they can go within a company, but the company does not want to have the image or audio files stored on servers where hackers or malicious employees may misuse them.

Instead, the company would use a device that, say, scans a person's face or fingerprint, converts that image into a unique code, and then sends that code to the central server for authentication. Any device using the same conversion method can then recognize the employee and the raw identification data will never be available on any system.

->One simple way is passwords. It’s a common practice to store passwords by first encrypting them or “hashing” them. This is essentially a one-way version of encryption that transforms the passwords into a string of characters known as a message digest that it is almost impossible to decrypt.

This means that even if the encrypted passwords are leaked, hackers can’t obtain the passwords. Modern systems would never store passwords in their original plain text format.

->Another way to make biometric systems more secure would be to use blockchain, the system behind cryptocurrencies such as Bitcoin. With blockchain technology, you can store customer data in a distributed ledger protected by cryptography in multiple computers across the world. This means only authorized parties can access the data (or data blocks), and any attempt to modify the data will be detected by any other user subscribed to the blockchain. It’s also possible to create private distributed ledgers that only certain people can access.

->Using secure passwords and strong authentication methods across systems and devices.

->Storing biometric data in as few places as possible.

->Maximizing security for biometric storage.

->Encrypting all identification and authentication data during storage and transmission.

->Strengthening access rules for individuals who handle biometric data.

->Removing biometric identifiers from systems when no longer needed.

Finally,
Bottom Line

Biometric technology is becoming widespread due to all the exciting benefits it empowers the user with. This revolutionary technology has surpassed the concept shown in high tech movies a long time ago. Now is the future of your precious organization may it be a business or just a charity. Just enhance the security by introducing enhanced schmes.