- Email: [email protected]
‘1m fingerprint’ data leak raises doubts over biometric security
TECHNOLOGY
www.biometricstoday.com
ISSN 0969-4765 September 2019
biometric encryption
‘1m fingerprint’ data leak raises doubts over biometric security
T
he discovery last month of up to 1 million fingerprint records plus facial images exposed on an open database has raised fears that biometric data is as vulnerable to hackers as traditional ID data if it is not stored securely. The open fingerprint, face and other personal data – totalling over 27 million records and 23 gigabytes of data – was found by a team of ethical hackers from vpnMentor, led by Israeli privacy researchers Noam Rotem and Ran Locar, in the BioStar 2 web-based security platform supplied by South Korea-based Suprema. Rotem and Locar discovered the leak on 5 August and contacted Suprema on 7 August, which finally closed the breach on 13 August. In a 14 August blog, vpnMentor explained that BioStar 2 is used by thousands of companies worldwide to control access to secure sites and buildings, using facial recognition and fingerprint data to identify users. The app is also integrated into the AEOS access control system, which is used by organisations in 83 countries, including major multinational businesses, governments, banks and the UK Metropolitan Police. The researchers said: “The biggest concern in this leak is its size. BioStar 2’s users are spread around the world. The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.” In the blog, vpnMentor pointed out the threat created when biometric data is exposed: “Our team was able to access over 1 million fingerprint records, as well as facial recognition information. The potential for criminal activity and fraud is massive. Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.”
TODAY
biometric The blog added: “The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance and the fact that BioStar 2 is built by a security company. Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes. Criminals could use this information for varied illegal activities.” But Suprema downplayed the scale of the problem. In a media statement it said: “We were made aware that some BioStar 2 customer user data was accessed by security researchers without authorisation for a limited time. This incident relates to a limited number of BioStar 2 Cloud API users and does not affect Suprema’s other clients, users or data. The vast majority of Suprema customers do not use BioStar 2 Cloud API in their access control and time management solutions. “We launched an internal investigation and immediately closed the access point. We have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident. They have confirmed that no further access has occurred, and that the scope of potentially affected users is significantly less than recent public speculation.” A spokesperson for the Metropolitan Police also told BBC News: “No Met biometrics systems have been exposed as part of this breach based on our assessment.” However, experts across the biometrics and security industries have echoed vpnMentor’s warning about encrypting biometric data, and said the leak could undermine claims about biometric data’s greater security. Kaspersky principal security researcher David Emm said: “This incident underlines the risks associated with using biometric identifiers and raises the question of whether biometrics are a Continued on page 2...
Contents News ‘1m fingerprint’ data leak raises doubts over biometric security
1
$1bn US border control contract up for grabs 2 Top football clubs give debut to FRT
2
Android adopts biometrics over passwords
3
EU set to join global crackdown on facial recognition
3
Institute advises on how to stop spoofs
12
Swedish school caned for using facial recognition on pupils
12
Features The complexity of consent and privacy in biometrics – worldwide 5 There is growing public concern over the lack of privacy and ‘consent’ when people’s biometric data is captured. In the face of this, John Petersen of ValidSoft examines the problems biometric tech suppliers face in working with the different rules, regulations and sometimes misunderstandings of biometric technology that exist worldwide. Why face recognition accuracy varies due to race
8
The (in)accuracy of face recognition across race and gender is a major issue, both for the biometrics industry and society as a whole. In this article, Kevin Bowyer from the University of Notre Dame and Michael King from the Florida Institute of Technology outline the key results from their recent research into face recognition accuracy between African-American and Caucasian cohorts. And they show how improvements in modern face matchers, together with a better understanding of how recognition accuracy differs between demographic groups, could lead to improved operational performance.
Regulars Events Calendar
3
News in Brief
4
Product News
4
Company News
4
Comment
12
Visit us @ www.biometricstoday.com
ISSN 0969-4765/19 © 2019 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:
Visit us @
Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit eduwww.membrane-technology.com cational classroom use.
NEWS
Editorial Office: Elsevier Ltd The Boulevard Langford Lane Kidlington Oxford OX5 1GB, UK Tel: +44 1865 843239 Email: [email protected] Website: www.biometricstoday.com Publishing Director: Sarah Jenkins Editor: Tim Ring Email: [email protected] Production Support Manager: Lin Lucas Email: [email protected] Subscription Information An annual subscription to Biometric Technology Today includes 10 issues and online access for up to 5 users. Subscriptions run for 12 months, from the date payment is received. More information: www.elsevier.com/journals/institutional/biometric-technology-today/0969-4765 This newsletter and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.
12985 Digitally Produced by Mayfield Press (Oxford) Ltd
2
Biometric Technology Today
...Continued from front page safe alternative to passwords. It’s my view that biometrics should be used as an alternative to usernames, not passwords. And whether it’s passwords or biometrics, providers should take steps to secure authentication data and other personal information. If data is stored in the clear, it provides a treasure trove for cyber-criminals.” Stuart Reed, a VP at security firm Nominet, said the breach was “a huge blow for the biometrics industry. If researchers at vpnMentor were able to gain access to the data from BioStar 2, then so too might hackers and the consequences of this would be vast.” Danielle VanZandt, head of global security research at Frost & Sullivan, said in a 20 August analysis: “The significant breach and vulnerabilities are enough to scare any potential end user away from biometric security measures. BioStar 2 is the first major example of how biometric access still has its own vulnerabilities that vendors and end users must be aware of before implementing any of these solutions within their organisation. “The most egregious of BioStar 2’s vulnerabilities were that its biometric database was unprotected when connected to the internet and a lack of encryption for stored fingerprints and facial recognition bases. Biometric data points, such as fingerprints and facial data, simply cannot be stored as full, unencrypted data points; current industry expertise emphasises the need to have this data saved in a hashed format, preventing the biometric from being reverse-engineered by hackers. “Since users cannot change their face or fingerprint, the onus falls on security vendors to ensure that processes similar to reverse hashing and database encryption pieces are top-tier to protect this valuable data from falling into the wrong hands.” However VanZandt added: “This will not stop the exponential growth and adoption rates of biometric solutions. Fingerprint and facial recognition remain the most in-demand biometrics out there for physical access solutions across various industries. This breach will not scare away potential end-user purchases. Rather, it will serve to inform them of the types of security protocols a vendor must have in place before a potential end user finalises any new system purchase.”
David Emm, Kaspersky: “This incident raises the question of whether biometrics are a safe alternative to passwords.”
border control
$1bn US border control contract up for grabs
T
he US Customs and Border Protection (CBP) agency is tendering for new biometric systems worth almost $1 billion as it significantly expands its use of facial recognition technology. The CBP’s Traveller Processing and Vetting Services (TPVS) project, aimed at modernising and improving the screening of people entering the US, is valued at $960 million. The new system is due to be launched in January 2020 and could extend to May 2025. The CBP, part of the US Department of Homeland Security, says the new system will be a key part of its vision to use much more biometric and facial recognition technology. It explained: “CBP’s vision of the future is to transform the way travellers are processed. The paradigm will evolve from biographic to biometric data-focused. CBP will identify travellers biometrically, as an alternative to having the traveller present their travel document. A biometric-based approach allows threats to be pushed out further beyond our borders before travellers arrive to the US. “Integration of facial recognition technologies is intended throughout all passenger applications. Additionally, CBP’s vision is to transition frontline officers from static booths, to a dynamic and agile operation allowing officers to admit or refer travellers using mobile technology with a single touchpoint.” Under the contract, the chosen vendor will have to supply, manage and enhance a full suite of TPVS applications and related specialised equipment, as well as aligning with the CBP’s modernisation initiatives, which include migrating to the cloud by 2024.” On a typical day, the CBP screens over 1 million travellers arriving at over 300 ports of entry by foot, air, privately owned vehicles, ships or boats.
facial recognition
Top football clubs give debut to FRT
L
eading Danish Superliga soccer club Brondby has kicked off its new season b y installing Panasonic facial recognition technology (FRT). It follows news that English football champions Manchester City have started a project with Texasbased Blink Identity to trial facial ID access in the club’s VIP and academy areas.
September 2019
www.biometricstoday.com
ISSN 0969-4765 September 2019
biometric encryption
‘1m fingerprint’ data leak raises doubts over biometric security
T
he discovery last month of up to 1 million fingerprint records plus facial images exposed on an open database has raised fears that biometric data is as vulnerable to hackers as traditional ID data if it is not stored securely. The open fingerprint, face and other personal data – totalling over 27 million records and 23 gigabytes of data – was found by a team of ethical hackers from vpnMentor, led by Israeli privacy researchers Noam Rotem and Ran Locar, in the BioStar 2 web-based security platform supplied by South Korea-based Suprema. Rotem and Locar discovered the leak on 5 August and contacted Suprema on 7 August, which finally closed the breach on 13 August. In a 14 August blog, vpnMentor explained that BioStar 2 is used by thousands of companies worldwide to control access to secure sites and buildings, using facial recognition and fingerprint data to identify users. The app is also integrated into the AEOS access control system, which is used by organisations in 83 countries, including major multinational businesses, governments, banks and the UK Metropolitan Police. The researchers said: “The biggest concern in this leak is its size. BioStar 2’s users are spread around the world. The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.” In the blog, vpnMentor pointed out the threat created when biometric data is exposed: “Our team was able to access over 1 million fingerprint records, as well as facial recognition information. The potential for criminal activity and fraud is massive. Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.”
TODAY
biometric The blog added: “The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance and the fact that BioStar 2 is built by a security company. Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes. Criminals could use this information for varied illegal activities.” But Suprema downplayed the scale of the problem. In a media statement it said: “We were made aware that some BioStar 2 customer user data was accessed by security researchers without authorisation for a limited time. This incident relates to a limited number of BioStar 2 Cloud API users and does not affect Suprema’s other clients, users or data. The vast majority of Suprema customers do not use BioStar 2 Cloud API in their access control and time management solutions. “We launched an internal investigation and immediately closed the access point. We have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident. They have confirmed that no further access has occurred, and that the scope of potentially affected users is significantly less than recent public speculation.” A spokesperson for the Metropolitan Police also told BBC News: “No Met biometrics systems have been exposed as part of this breach based on our assessment.” However, experts across the biometrics and security industries have echoed vpnMentor’s warning about encrypting biometric data, and said the leak could undermine claims about biometric data’s greater security. Kaspersky principal security researcher David Emm said: “This incident underlines the risks associated with using biometric identifiers and raises the question of whether biometrics are a Continued on page 2...
Contents News ‘1m fingerprint’ data leak raises doubts over biometric security
1
$1bn US border control contract up for grabs 2 Top football clubs give debut to FRT
2
Android adopts biometrics over passwords
3
EU set to join global crackdown on facial recognition
3
Institute advises on how to stop spoofs
12
Swedish school caned for using facial recognition on pupils
12
Features The complexity of consent and privacy in biometrics – worldwide 5 There is growing public concern over the lack of privacy and ‘consent’ when people’s biometric data is captured. In the face of this, John Petersen of ValidSoft examines the problems biometric tech suppliers face in working with the different rules, regulations and sometimes misunderstandings of biometric technology that exist worldwide. Why face recognition accuracy varies due to race
8
The (in)accuracy of face recognition across race and gender is a major issue, both for the biometrics industry and society as a whole. In this article, Kevin Bowyer from the University of Notre Dame and Michael King from the Florida Institute of Technology outline the key results from their recent research into face recognition accuracy between African-American and Caucasian cohorts. And they show how improvements in modern face matchers, together with a better understanding of how recognition accuracy differs between demographic groups, could lead to improved operational performance.
Regulars Events Calendar
3
News in Brief
4
Product News
4
Company News
4
Comment
12
Visit us @ www.biometricstoday.com
ISSN 0969-4765/19 © 2019 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:
Visit us @
Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit eduwww.membrane-technology.com cational classroom use.
NEWS
Editorial Office: Elsevier Ltd The Boulevard Langford Lane Kidlington Oxford OX5 1GB, UK Tel: +44 1865 843239 Email: [email protected] Website: www.biometricstoday.com Publishing Director: Sarah Jenkins Editor: Tim Ring Email: [email protected] Production Support Manager: Lin Lucas Email: [email protected] Subscription Information An annual subscription to Biometric Technology Today includes 10 issues and online access for up to 5 users. Subscriptions run for 12 months, from the date payment is received. More information: www.elsevier.com/journals/institutional/biometric-technology-today/0969-4765 This newsletter and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.
12985 Digitally Produced by Mayfield Press (Oxford) Ltd
2
Biometric Technology Today
...Continued from front page safe alternative to passwords. It’s my view that biometrics should be used as an alternative to usernames, not passwords. And whether it’s passwords or biometrics, providers should take steps to secure authentication data and other personal information. If data is stored in the clear, it provides a treasure trove for cyber-criminals.” Stuart Reed, a VP at security firm Nominet, said the breach was “a huge blow for the biometrics industry. If researchers at vpnMentor were able to gain access to the data from BioStar 2, then so too might hackers and the consequences of this would be vast.” Danielle VanZandt, head of global security research at Frost & Sullivan, said in a 20 August analysis: “The significant breach and vulnerabilities are enough to scare any potential end user away from biometric security measures. BioStar 2 is the first major example of how biometric access still has its own vulnerabilities that vendors and end users must be aware of before implementing any of these solutions within their organisation. “The most egregious of BioStar 2’s vulnerabilities were that its biometric database was unprotected when connected to the internet and a lack of encryption for stored fingerprints and facial recognition bases. Biometric data points, such as fingerprints and facial data, simply cannot be stored as full, unencrypted data points; current industry expertise emphasises the need to have this data saved in a hashed format, preventing the biometric from being reverse-engineered by hackers. “Since users cannot change their face or fingerprint, the onus falls on security vendors to ensure that processes similar to reverse hashing and database encryption pieces are top-tier to protect this valuable data from falling into the wrong hands.” However VanZandt added: “This will not stop the exponential growth and adoption rates of biometric solutions. Fingerprint and facial recognition remain the most in-demand biometrics out there for physical access solutions across various industries. This breach will not scare away potential end-user purchases. Rather, it will serve to inform them of the types of security protocols a vendor must have in place before a potential end user finalises any new system purchase.”
David Emm, Kaspersky: “This incident raises the question of whether biometrics are a safe alternative to passwords.”
border control
$1bn US border control contract up for grabs
T
he US Customs and Border Protection (CBP) agency is tendering for new biometric systems worth almost $1 billion as it significantly expands its use of facial recognition technology. The CBP’s Traveller Processing and Vetting Services (TPVS) project, aimed at modernising and improving the screening of people entering the US, is valued at $960 million. The new system is due to be launched in January 2020 and could extend to May 2025. The CBP, part of the US Department of Homeland Security, says the new system will be a key part of its vision to use much more biometric and facial recognition technology. It explained: “CBP’s vision of the future is to transform the way travellers are processed. The paradigm will evolve from biographic to biometric data-focused. CBP will identify travellers biometrically, as an alternative to having the traveller present their travel document. A biometric-based approach allows threats to be pushed out further beyond our borders before travellers arrive to the US. “Integration of facial recognition technologies is intended throughout all passenger applications. Additionally, CBP’s vision is to transition frontline officers from static booths, to a dynamic and agile operation allowing officers to admit or refer travellers using mobile technology with a single touchpoint.” Under the contract, the chosen vendor will have to supply, manage and enhance a full suite of TPVS applications and related specialised equipment, as well as aligning with the CBP’s modernisation initiatives, which include migrating to the cloud by 2024.” On a typical day, the CBP screens over 1 million travellers arriving at over 300 ports of entry by foot, air, privately owned vehicles, ships or boats.
facial recognition
Top football clubs give debut to FRT
L
eading Danish Superliga soccer club Brondby has kicked off its new season b y installing Panasonic facial recognition technology (FRT). It follows news that English football champions Manchester City have started a project with Texasbased Blink Identity to trial facial ID access in the club’s VIP and academy areas.
September 2019