Cybersecurity, hacking, black hat activities. It's been all over the news lately, and many large organisations, such as the credit firm Equifax and Uber, have been hit hard, along with their large customer bases. The end result? Often huge financial losses for the company, and identity messes and possibly even financial injury for many of the customers whose records were exposed and used inappropriately. We can do a better job of risk planning and hope to avoid, or more readily mitigate, rather than just react to, such illicit activity when it happens. And we should. But the bottom line is that hackers are always going to find a way, and they are always one step ahead of us; we often just don't know it yet and aren't expecting it. It happens with deadly terrorist attacks and it happens with hacker attacks just the same.
But now here is a concept that I hadn't really considered before, and probably why I should stay away from digital security conferences and reading related documents: the hacking of fingerprint databases. Passwords, credit cards and even identities can be fixed or changed or re-issued. But fingerprints are for a lifetime. You can't change those. You can remove them... ouch. But you can't get new ones. And guess what? Fingerprint authentication as a security measure is growing. It's not just a futuristic "Mission: Impossible" gimmick anymore. It's on your laptop and your smartphone and your tablet.
The good news is that the usage right now is small and it's on your personal device. The fingerprint is being matched on your device, not sent across the internet to be checked somewhere else. The bad news is that usage is growing and devices can be hacked. And there are central uses that are now part of cyber security:
- Mobile devices
- Building security
What does this mean to project managers and IT professionals? I’m not sure because it had not struck me till now. But while attending the annual Black Hat conference in Las Vegas there was a briefing about it titled, “Fingerprints on Mobile Devices: Abusing and Leaking”, by Yulong Zhang & Tao Wei. I guess you might say it opened my eyes a bit. Not to the usage, but to the potential long term security threat if a fingerprint database is breached. This wouldn’t be like Equifax or Target or Wells Fargo getting their account number databases hacked. This would be a bigger issue. My fingerprints are on file for previous FBI security clearances as well as adoption background checks and gaming/hospitality sheriff cards.
Now, rest assured, someone stealing a database from your bank or government agency that has your fingerprint in it probably isn't going to harm you too much, if at all. At least not now, because what would they do with it? Frame you in a big art or jewelry heist? That only happens in something like a James Bond movie right now. But as the uses for fingerprint authentication grow, and I'm not sure what those would be (use your imagination), it could cause problems for the general using public.
Summary / call for feedback
As we think of this in terms of projects and IT security, we will need to be aware of the potential for this type of hack if fingerprint security is part of our project's access or login measures. If not, don't worry. But the future changes. When I was a COBOL developer in the '80s, no one was concerned about two-digit year codes and what that might mean when the clocks turned from 1999 to 2000. And we were only 15 years away from that near disaster at the time. Talk about being short-sighted for some measly disk space!
How about our readers? What’s your take on this? Have you worked a project where ID access / authentication was fingerprint-based? If you haven’t yet, and you manage projects much longer with any type of security tied to it, you’re going to run across fingerprint authentication sooner or later.