This is an excerpt from a story delivered exclusively to Business Insider Intelligence Banking subscribers. To receive the full story plus other insights each morning, click here.
The fingerprints of more than 1 million people — as well as facial recognition data, usernames and passwords, and personal information of employees — were found by security researchers working with vpnmentor in a publicly accessible database belonging to the biometric lock system Biostar 2, The Guardian reports.
The information was unprotected and largely unencrypted, enabling the researchers to add new users with new fingerprint data, edit existing user accounts, and view data from organizations partnering with Biostar 2 in the US and Indonesia. The head of marketing at Suprema, which owns Biostar 2, said that the company has undertaken an in-depth evaluation of the information provided by vpnmentor and would inform customers if there was a threat.
All of the companies that work with Biostar 2 — such as banks — are fortunate that this vulnerability was discovered by researchers and not by cybercriminals. If the breach had been exploited by cybercriminals, the potential scale of problems would be massive: Biostar 2 is used at 1.5 million locations across the world by a multitude of organizations, including banks, defense contractors, and even the UK Metropolitan Police.
Further, since biometric data like fingerprints and facial recognition information is static — meaning it can’t be changed by affected consumers in the way that passwords can — once it’s been leaked, it creates a more permanent security problem than the breach of a mutable key, such as a PIN.
The severity of this issue suggests that regulating biometrics — and enforcing heavy punishments for violating those regulations — could be logical next steps for countries where biometrics usage is becoming widespread, like the US and the UK.
As banks increasingly use biometric data for authentication, the Biostar 2 vulnerability should serve as a warning to them. Biometrics have the potential to be very useful to banks: They’re quick to use, impossible for customers to forget, and can act as an extra layer of authentication.
Whether they use biometrics to let consumers sign into a mobile banking app, or at ATMs as an additional authentication method — for instance with Diebold Nixdorf’s new line of terminals that scan fingerprints — banks need to take every possible precaution with this sensitive data.
One way to protect consumers’ biometric information is to use a hash function to convert pieces of biometric data into opaque values and store these values instead of the biometrics themselves. That way, even if cybercriminals breach the bank’s database, they will only obtain these hashes, as opposed to customers’ true biometric data.
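The following is an added illustration of the hash-and-store approach described above; it is example code written for this page, not code from the article, Suprema, or any bank. It assumes the capture pipeline has already reduced a scan to a stable, canonical template (the `SAMPLE_TEMPLATE` bytes are constructed, not real biometric data), and it uses a per-customer random salt with PBKDF2-SHA256 so that the stored record holds no raw template and two customers with identical templates would not produce identical digests. The `flip_one_byte` helper shows the main caveat a practitioner should know: an ordinary hash only matches an identical input, so a slightly different scan of the same finger fails verification, which is why production biometric systems use dedicated template protection schemes designed for fuzzy matching rather than a plain password-style hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample input: a canonical 64-byte biometric template, standing in for
# the fixed-length encoding a matcher would emit. It is NOT real biometric data and it
# assumes the capture pipeline has already normalised the sample to a stable form.
SAMPLE_TEMPLATE = bytes(range(64))


def enroll(template: bytes, salt: Optional[bytes] = None, iterations: int = 200_000) -> dict:
    """Return the record a bank would store instead of the raw template.

    Only a random per-customer salt, the work factor, and the salted, stretched
    PBKDF2-SHA256 digest are written to the database; the template itself is not.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", template, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(template: bytes, record: dict) -> bool:
    """Recompute the digest for a presented template and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", template, salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def record_exposes_template(record: dict, template: bytes) -> bool:
    """Defender's check on what a database breach would hand over: True if any
    stored field contains the raw template bytes (it should never be True)."""
    raw_hex = template.hex()
    return any(raw_hex in str(value) for value in record.values())


def flip_one_byte(template: bytes) -> bytes:
    """Simulate a slightly different capture of the same finger: one byte changed.
    A plain hash treats this as a completely different input."""
    mutated = bytearray(template)
    mutated[0] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    rec = enroll(SAMPLE_TEMPLATE)
    print("stored record:", rec)
    print("identical template verifies:", verify(SAMPLE_TEMPLATE, rec))
    print("slightly different capture verifies:", verify(flip_one_byte(SAMPLE_TEMPLATE), rec))
    print("record leaks raw template:", record_exposes_template(rec, SAMPLE_TEMPLATE))
```

Running the block prints the stored record, `True` for the identical template, `False` for the one-byte variant, and `False` for the leak check. The salt is what prevents an attacker who obtains the table from correlating customers or precomputing digests; the iteration count is a work factor to slow brute-force guessing of low-entropy templates.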