Biometric authentication is becoming increasingly common. Smart phones and computers use it, banks have started to use it (in India, Yes bank unveiled its iris scan-enabled point of sale solution; in the US, Bank of America allows fingerprint authentication to log onto its mobile banking app; in Canada, TD Bank uses voice recognition to identify users over the phone), and recently MasterCard began rolling out ‘selfie pay’ allowing users to authenticate online payments by using their face at the point of sale.
Biometric authentication refers to the validation of a user’s identity by measuring physical or behavioral characteristics. Biometric samples may include fingerprints, retinal scans, palm scans, face and voice recognition.
Unlike a password, biometric data is unique, invariable and non-repudiable allowing to uniquely and unambiguously identify its owner. It is these same characteristics that make the storage of biometric data critical. If someone steals this data, they can steal a person’s identity—and, unlike a password or physical token, the victim cannot simple replace the stolen information with new data.
Biometrics are good security, but they are not impenetrable. A recent report highlights a number of ways malicious actors may circumvent biometric authentication and suggests possible countermeasures to such attacks. Although the report’s focus is on ATMs, the attacks illustrate some pitfalls to be avoided more generally.
This is not hypothetical – in September of this year, the U.S. Office of Personnel Management revealed fingerprint data belonging to nearly 6 million individuals was compromised in a recent cyberattack. While the OPM confirmed in July that personal information including Social Security numbers, mental health records and financial histories belonging to 21.5 million current, former and prospective government employees had been stolen by hackers, the agency’s September announcement thrust biometrics into the spotlight by revising its initial estimate of stolen fingerprint data to 5.6 million from 1.1 million, after uncovering an archived record of an additional 4.5 million fingerprint sets.
The OPM has said it believes that, as of now, the ability to misuse fingerprint data is limited but said this could change over time as technology evolves. An interagency group made up of agents in the Federal Bureau of Investigation, U.S. Department of Homeland Security, and other members of the intelligence community are reviewing the ways hackers may use the fingerprint data.
The report also highlights some of the ways hackers have been able to bypass biometric security, including:
- Attacking biometric devices to intercept data as it is transmitted;
- Using of biometric data skimmers to obtain data at the point of input;
- Extracting data from EMV-cards, after stealing or obtaining the cards by other means; and
- Attacking biometric databases directly.
The advice and possible countermeasures discussed in the report include:
- Encrypting data in transit;
- Using anti-skimming devices;
- Monitoring the black market; and
- Using strong encrypted mechanisms for stored data.
Given the implications of compromising customer biometric data, organizations will want to carefully consider how biometric data is stored and who within the organization will have access to it. The fewer people with access to customer biometric data the better. Organizations should also consider whether their applications and data or both require such level of protection, and if developing mobile apps, organizations should consider maintaining biometric data securely stored at the device. These measures are not only prudent protections of biometric data, but also evidence to which a company might point in the context of litigation when arguing that it was not negligent in storing and protecting private personal information. Since there is currently no Canadian case law about biometric data, whether this kind of argument will succeed remains to be seen.
The legal implications of the use of biometric data remain uncertain. One of the many questions raised by this report is: what is a consumer’s remedy for stolen biometric data? Generally, the law attempts to put a person in the position they would have occupied but for their injury (i.e., but for their identity being stolen, or but for their data being breached, etc.). But once a person’s fingerprint is stolen, they cannot grow a new fingerprint.
Some jurisdictions have passed laws creating a statutory right of action. For instance, Illinois’ Biometric Information Privacy Act allows for a private right of action that could expose businesses to possible civil liability. Texas has statutory provisions addressing biometric data, but only the Texas attorney general can bring an action to enforce the statute and collect a civil penalty.
How the law adapts to compensate a person for this seemingly irremediable loss, in light of well-established principles of compensation under contract and tort law, will be one of many interesting developments in the near future.