Biometric security is fast becoming the preferred way to safeguard companies and individuals from hackers intent on fraud and identity theft. Fingerprint readers, iris scans and facial recognition have become mainstream, led by technology companies such as Apple.
This technology delivers significant advantages in the fight against cyber crime, but there are risks. I’ve identified the two main issues which individuals and organisations need to be aware of to protect themselves and the digital information they hold:
- Individuals must understand that fingerprint or facial recognition can be ‘hacked’ as cyber criminals look to either steal or ‘spoof’ biometric data.
- Organisations, for example hospitals which hold patient medical history, blood samples or DNA profiles, must understand the security implications of a data breach, and their potential liability.
Biometric spoofing: The growing hacker threat
Spoofing is the practice of ‘fooling’ a biometric security system using fake or copied biometric information. For example, a fingerprint can be stolen, copied and moulded onto an artificial silicone finger. This can be used to unlock a mobile device or payment system, allowing hackers access to the user’s bank account. Facial recognition systems, often used to secure smartphones or tablets, have been known to unlock the device when simply shown a photograph of the owner.
Companies are enhancing technology all the time to stay one step ahead of the hackers, but users leave fingerprints and DNA, such as saliva on a coffee cup, everywhere they go, opening up myriad opportunities for theft. Today, if you have your credit card stolen, you simply have a new one set up and the old one cancelled. But how do you replace a fingerprint or DNA sample that’s been stolen and reproduced?
To stay one step ahead of cyber criminals, technology companies need to provide answers to the key security questions posed by biometric security systems, such as how to securely store this information, prevent spoofing and, most importantly, verify the authenticity of the user.
The data breach risk of storing personal medical records and DNA
IT vulnerabilities in the Healthcare Technology and Life Science industry provide cyber criminals with huge opportunities to steal confidential patient medical records, clinical trial results and sensitive intellectual property, for example relating to drug development.
This information is more valuable to hackers than credit card details stolen via online phishing methods because it can be used for medical insurance fraud, for identity theft and, in the case of drug development, for sale on the black market to counterfeit drug traffickers, an industry worth an estimated $75 billion annually.
The secure storage of this information will be a critical element of security planning within this industry in the years to come as the potential for ‘bio-crime’ grows.
So, with biometric security now mainstream, there are clear risks to individuals around identity theft and financial crime, should their fingerprints or DNA profile be stolen and reproduced for spoofing or medical fraud.
Healthcare and Life Science organisations in particular need to understand just why the personalised medical information they hold is so valuable to cyber criminals and take steps to ensure they understand the security required to prevent a data breach.
Scott Sayce, AVP – Head of Cyber, Technology and Life Science at CNA Hardy
I head up CNA Hardy’s Cyber, Technology and Life Science underwriting team and have specialised in cyber and technology for over a decade. Follow me on LinkedIn or Twitter to keep up with the latest insights from CNA Hardy.