Founded in April 1996, Antheus Tecnologia develops and distributes Automated Fingerprint Identification Systems (AFIS), automated fingerprinting, and other systems such as iris recognition devices. Antheus Tecnologia also claims that it is the first Brazilian company to be certified by the US Federal Bureau of Investigation (FBI) and develops biometric solutions for domestic and overseas clients. In March 2020, the security research team at SafetyDetectives discovered a significant data leak, in addition to other security flaws (such as lack of password protection), relating to fingerprint data on an Antheus log server in Brazil. The research team discovered almost 2.3 million data points in total and estimated that 76,000 unique fingerprints were found on the database. Approximately 16 gigabytes of data were found on the Elasticsearch server, including highly sensitive information related to identification and biometric details. The Antheus server investigated by the security team is an identity server, which means it gives users access to the system or the ability to register as a new user. It also had fingerprint information in at least two “indices” from a total of 91. The Antheus server stored server and API access logs but also contained fingerprint data comprising ridge bifurcations and ridge endings, essential components for identifying and verifying fingerprints. In addition to fingerprint information, there were also instances of biometric data vulnerabilities, such as face recognition data being accessible and retrievable from the database. In parallel to the biometric data breach, Antheus Tecnologia also had another related vulnerability which was noticed during the investigation. The company provides services to a national Civil Identification System in Brazil used to issue driving licenses, but the access portal used for on-boarding new users was also not secure because of the lack of password protection.
MN502 - Overview of Network Security - Final Assessment Trimester 2, 2020 Page 8 of 15
Furthermore, user data, administrator login information, several employee email addresses and phone numbers were also found. According to the SafetyDetectives research team, the practice of allowing access to server data in such a way is rather unusual. This methodology generally leaves the server exposed, but this could have been done purposefully. If so, it’s a rather strange option to take when it comes to ensuring security. The SafetyDetectives security team found two indices, potentially referring to two different companies using the Antheus server to store personal information including fingerprint data. Moreover, the investigation team found data logs relating to precise fingerprint scans that could be reconstructed from the index numbers stored on the Antheus server. It could also be possible to recreate (or reverse-engineer) a biometric image map for a particular fingerprint from strings of data found on the server. According to the research findings of the SafetyDetectives security team, nefarious users can access the Antheus server and, after extracting the available data, could use the data stream of ones and zeros to recreate the full biometric image of someone’s fingerprint.
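Because the exposed server was a log store that ended up holding fingerprint data, one control is to scrub biometric material from log records before they are indexed. The sketch below is an added example, not code from SafetyDetectives or Antheus; the field names, the value heuristics and the sample record are assumptions constructed for illustration.

```python
import json
import re

# Hypothetical field names that carry biometric material in a log record.
BIOMETRIC_KEYS = {"fingerprint", "minutiae", "template", "face_image", "iris_code"}
# Assumed value heuristics: a long run of ones and zeros, or a long base64 blob.
BITSTRING = re.compile(r"^[01]{64,}$")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{128,}={0,2}$")
REDACTED = "[REDACTED-BIOMETRIC]"

def looks_biometric(value):
    """True when a string value looks like raw template or image data."""
    return isinstance(value, str) and bool(
        BITSTRING.match(value) or BASE64_BLOB.match(value)
    )

def scrub(node, hits, path=""):
    """Return a copy of node with biometric fields replaced; record their paths."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in BIOMETRIC_KEYS:
                hits.append(child)          # flagged by field name
                out[key] = REDACTED
            else:
                out[key] = scrub(value, hits, child)
        return out
    if isinstance(node, list):
        return [scrub(v, hits, f"{path}[{i}]") for i, v in enumerate(node)]
    if looks_biometric(node):
        hits.append(path)                   # flagged by value shape
        return REDACTED
    return node

def scrub_log_line(line):
    """Parse one JSON log line; return (scrubbed_line, redacted_paths)."""
    hits = []
    clean = scrub(json.loads(line), hits)
    return json.dumps(clean, sort_keys=True), hits

# Constructed sample API access-log record (not taken from the incident).
SAMPLE = json.dumps({
    "ts": "2020-03-01T12:00:00Z", "route": "/api/enroll", "status": 200,
    "user": {"id": 42, "minutiae": [{"x": 10, "y": 20, "type": "ending"}]},
    "body": {"scan": "01" * 64, "note": "ok"},
})
```

Running `scrub_log_line(SAMPLE)` in the log shipper keeps the route, status and user id for troubleshooting while the minutiae list and the bit string never reach the index.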
Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices or data.
Examples of these biometric identifiers are fingerprints, facial patterns, voice or typing cadence. Each of these identifiers is considered unique to the individual, and they may be used in combination to ensure greater accuracy of identification.
Because biometrics can provide a reasonable level of confidence in authenticating a person with less friction for the user, they have the potential to dramatically improve enterprise security. Computers and devices can unlock automatically when they detect the fingerprints of an approved user. Server room doors can swing open when they recognize the faces of trusted system administrators. Help desk systems might automatically pull up all relevant information when they recognize an employee's voice on the support line.
According to a recent Ping Identity survey, 92 percent of enterprises rank biometric authentication as an "effective" or "very effective" way to secure identity data stored on premises, and 86 percent say it is effective for protecting data stored in a public cloud. Another survey, released last year by Spiceworks, reports that 62 percent of companies are already using biometric authentication, and another 24 percent plan to deploy it within the next two years.
However, companies need to be careful about how they roll out their biometric authentication systems to avoid infringing on employee or customer privacy or improperly exposing sensitive information. After all, while it's easy to issue a new password when the old one has been compromised, you can't issue someone a new eyeball.
According to the Spiceworks survey, 48 percent cite the risks of stolen biometric data as a top security risk with the technology. Other barriers to adoption include costs, cited by 67 percent of respondents, followed by reliability concerns at 59 percent.
For companies specifically using biometrics to secure IT infrastructure in cloud, SaaS, on-prem and hybrid environments, adoption rates are even lower, according to the Ping Identity survey. Only 28 percent of companies use biometrics on premises, and even fewer, 22 percent, use it for cloud applications.
What are the privacy risks of biometric authentication?
Some users might not want companies collecting data about, say, the time of day and the locations where they typically use their phones. If this information gets out, it could potentially be used by stalkers or, in the case of celebrities, by tabloid journalists. Some users might not want their family members or spouses to know where they are all the time.
The information could also be abused by repressive government regimes or criminal prosecutors overstepping boundaries. Foreign powers might use the information in an attempt to influence public opinion. Unethical marketers and advertisers might do likewise. Last year, a fitness app was discovered to be collecting information about user locations and exposing it in a way that revealed the location of secret U.S. military bases and patrol routes.
Any of these situations could potentially lead to significant public embarrassment for the company that collected the data, regulatory fines, or class-action lawsuits. If DNA scans become widespread, they give rise to a whole new area of privacy concerns, including exposure of medical conditions and family relationships.
How secure is biometric authentication data?
The security of the biometric authentication data is vitally important, even more than the security of passwords, since passwords can be easily changed if they are exposed. A fingerprint or retinal scan, however, is immutable. The release of this or other biometric information could put users at permanent risk and create significant legal exposure for the company that loses the data.
"In the event of a breach, it creates a Herculean challenge because physical attributions such as fingerprints cannot be replaced," says data security expert Kon Leong, CEO and co-founder at San Jose-based ZL Technologies. "Biometric data in the hands of a corrupt entity, perhaps a government, carries very frightening but real implications as well."
At the end of the day, every company is responsible for its own security decisions. You can't outsource compliance, but you can reduce the cost of compliance, and the possible repercussions of a leak, by picking the right vendor. If a small or mid-sized company uses, say, Google’s or Apple's authentication technology and there's a security breach with Google or Apple, it's likely Google or Apple will get the blame.
In addition, companies that don’t keep credentials on file have some legal protections. For example, many retailers can avoid substantial compliance costs by keeping their systems "out of scope." Payment information is encrypted right at the payment terminal and goes straight through to a payment processor. Raw payment card data never touches the company servers, reducing both compliance implications and potential security risks.
If a company needs to collect authentication information and keep it on its own servers, best-practice security measures should be applied. That includes encryption both for data at rest and data in transit. New technologies are available for runtime encryption, which keeps the data in encrypted form even while it is being used.
Encryption is not an absolute guarantee of security, of course, if the applications or users that are authorized to access the data are themselves compromised. However, there are a couple of ways that companies can avoid keeping even encrypted authentication data on their servers.
Local or device-based authentication
The most common example of a local authentication mechanism is the hardware security module in a smartphone. User information — such as a fingerprint scan, facial image or a voice print — is stored inside the module. When authentication is required, biometric information is collected by the fingerprint reader, camera or microphone and sent to the module where it's compared to the original. The module tells the phone whether or not the new information is a match to what it already had stored.
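The flow described above, modelled as an added example (not code from any phone vendor or from the original article): the template is enrolled into the module, a fresh scan is passed in, and only a match/no-match answer comes out. The class name, the distance tolerance, the match threshold and the minutiae coordinates are assumptions constructed for illustration, and the matcher is deliberately simplified (no rotation or translation alignment).

```python
import math


class SecureModule:
    """Simplified model of an on-device module that holds the template."""

    def __init__(self, tolerance=4.0, threshold=0.8):
        # Python only name-mangles this attribute; a real module enforces the
        # boundary in hardware. The point here is the interface it exposes.
        self.__template = None
        self._tolerance = tolerance   # max distance for two minutiae to pair
        self._threshold = threshold   # fraction of enrolled minutiae required

    def enroll(self, minutiae):
        """Store the reference minutiae as (x, y, kind) tuples."""
        self.__template = list(minutiae)

    def verify(self, probe):
        """Compare a fresh scan with the stored template; return only a bool."""
        if not self.__template:
            return False              # nothing enrolled: never a match
        unused = list(probe)
        matched = 0
        for x, y, kind in self.__template:
            for cand in unused:
                close = math.hypot(cand[0] - x, cand[1] - y) <= self._tolerance
                if cand[2] == kind and close:
                    unused.remove(cand)   # each probe minutia pairs only once
                    matched += 1
                    break
        return matched / len(self.__template) >= self._threshold


# Constructed sample data: ridge endings and bifurcations as (x, y, kind).
ENROLLED = [(10, 10, "ending"), (30, 12, "bifurcation"), (22, 40, "ending"),
            (50, 35, "bifurcation"), (41, 60, "ending")]
GENUINE = [(11, 9, "ending"), (29, 13, "bifurcation"), (23, 41, "ending"),
           (51, 34, "bifurcation"), (70, 70, "ending")]
IMPOSTOR = [(5, 50, "ending"), (35, 5, "bifurcation"), (60, 20, "ending"),
            (15, 30, "bifurcation"), (45, 45, "ending")]


def demo():
    """Enroll once, then check a genuine and an impostor scan."""
    module = SecureModule()
    module.enroll(ENROLLED)
    return module.verify(GENUINE), module.verify(IMPOSTOR)
```

The caller never receives the stored minutiae or a similarity score, so a compromise of the application around the module does not by itself yield the template.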