New studies show that biometric authentication usage is on the rise, but some researchers warn against its adoption without proper fraud protocols.
The 2019 Global Biometrics Market report, published November 26, predicts that the global biometrics market will grow at a compound annual growth rate (CAGR) of 16.3 by the end of 2025. With Europe’s second payment services directive (PSD2) cracking down on customer authentication, financial services are ripe for biometric implementation.
“The growth is definitely way too fast,” said Lisa Taylor, cybersecurity researcher at vpnMentor, of the rise of biometrics in an email.
“And cybersecurity research might not be focusing on this right now – since there is no existing exploitation of this data. But, as we know, hackers are hard workers, and if they know there's an opportunity (and a way) to exploit data for ill-intentioned purposes, they'll work hard on finding it.
“So there will definitely be a gap between the technology advancement (and its usage) and the security attached to it.”
A biometrics breach occurred in August with Biostar 2, the biometrics system used by Suprema, a security company employed by several banks. The breach exposed the fingerprints of over one million people.
“When it comes to biometric data, cybercriminals might have more opportunities with each leaked or hacked database, if not today then in the near future. Biostar 2 is a prime example of such threats,” said Taylor.
Researchers from vpnMentor were able to scan Biostar 2’s services to access over 27.8 million records, including fingerprint data, face photos of users, unencrypted usernames and passwords, and personal details of staff.
Despite such issues, cybersecurity firms continue to invest in biometrics.
“I don’t believe that the growth in biometric use is taking place too rapidly; however, organisations implementing these technologies need to continue to use a layered approach that combines multiple types of data points to be able to identify potential breaches,” said Dave Excell, founder of Featurespace, an adaptive behavioural analytics firm that focusses on financial crime.
“Biometrics only provides another piece of the puzzle, rather than being a wholesale replacement of all other fraud prevention strategies.”
The implementation of PSD2 makes biometrics more relevant than ever. One of PSD2’s main functions, secure customer authentication (SCA), requires two out of three authenticating components: something the customer knows (such as a password), something a customer has (such as a phone), and something a customer is (such as a fingerprint).
According to Taylor, biometric data itself is not a risk to customers; rather, the data’s attachment to an identity is the cause for concern.
“One potential way to protect [financial institutions’] customers would be to not attribute the biometrical data to an actual person, but to a number assigned to a person – the number being unidentifiable for outside sources, including the biometric device provider,” said Taylor.
“Then only biometrics would leak, but with no name, exploitation would not be as dangerous. We're leaving our fingerprints everywhere on a daily basis, and there's no risk about that. The moment they are linked to us is when people could try and misuse them, potentially in the future.”
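The separation Taylor describes, sketched as an added example that is not taken from the article or from any vendor's product: the institution derives a keyed pseudonym for each customer and the biometric provider stores templates under that pseudonym only. The class names, the HMAC-SHA256 derivation, the customer ID format and the sample template are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Institution:
    """Bank side: the only party able to link a pseudonym to a person."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the institution
        self._names = {}                     # pseudonym -> name, bank-side only

    def pseudonym_for(self, customer_id: str) -> str:
        # Keyed hash: without the key the vendor cannot recompute or reverse it.
        return hmac.new(self._key, customer_id.encode(), hashlib.sha256).hexdigest()

    def enrol(self, customer_id: str, name: str, template: bytes, vendor) -> str:
        pseudonym = self.pseudonym_for(customer_id)
        self._names[pseudonym] = name
        vendor.store(pseudonym, template)    # vendor never sees id or name
        return pseudonym

    def resolve(self, pseudonym: str):
        return self._names.get(pseudonym)


class BiometricVendor:
    """Device provider side: holds templates keyed by pseudonym only."""

    def __init__(self):
        self.records = {}

    def store(self, pseudonym: str, template: bytes) -> None:
        self.records[pseudonym] = template

    def verify(self, pseudonym: str, sample: bytes) -> bool:
        # Byte equality stands in for a real fuzzy biometric matcher.
        stored = self.records.get(pseudonym)
        return stored is not None and hmac.compare_digest(stored, sample)

    def dump(self) -> str:
        # What someone reading the vendor database would obtain.
        return repr(self.records)


if __name__ == "__main__":
    bank, vendor = Institution(), BiometricVendor()
    p = bank.enrol("cust-0042", "Alice Example", b"constructed-template", vendor)
    print("vendor dump:", vendor.dump())
    print("bank-side resolution:", bank.resolve(p))
```

The arrangement only holds while the key and the pseudonym-to-name table stay on the institution's side; the templates in the vendor store are still biometric data and need their own protection.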