Biometric exploits aren’t on the horizon; they’re in the backyard
The biggest threat to widespread use of biometrics in security is public distrust and the inability of the industry and government to address that distrust.
But that is today. Cybersecurity firm Intel 471 says that cybercriminals — precisely the people biometrics was supposed to put out of business — have already begun defeating systems. Their activity still is in its “infancy,” according to Intel 471.
A missive published by Intel 471 says that criminals “have learned to exploit vulnerabilities in facial and fingerprint recognition software.”
They have gained access to a device and then, of course, explained to their community how to defeat behavior-based anti-fraud software.
In September 2020, the company’s analysts reportedly “observed” a pair of Iranians trying to sell ID documents, some of which held biometric data.
One of the suspects claimed to have 76,000 national codes and biometric national ID cards originating in the United States and 10 other countries, including India, Brazil, Saudi Arabia, South Korea and Spain.
The other person, according to Intel 471, reportedly possessed 72,400 scanned Iranian IDs, at least some of which had biometric data.
It is also known that last fall, a team of United Kingdom scientists spotted a vulnerability in the iPhone’s express transit mode that enabled them to use a replay-and-relay attack to make contactless payments of £1,000 (US$1,350) on Visa cards linked to Apple Pay.
Biometric authorization was simply bypassed. The phone was locked and did not authorize the transaction.
Vulnerabilities also found in Android devices and in Microsoft’s Windows 10 Hello facial recognition software allowed biometric authentication to be skirted.
In a more strained example, a man claimed that he was able to bypass behavior-based anti-fraud systems and two-factor authentication by mimicking the keystrokes and mouse movements of his twin brother, according to the firm.