By Marco Preuss
You are uniquely you
From your walk to your heartbeat, your body is unique – and the ID industry wants to use that. This isn’t because they’re creepy, it’s because over the last few years the world has discovered that traditional approaches to confirming identities, particularly online, don’t work anymore.
A determined attacker with sophisticated tools, or even an opportunistic, low-skilled one who’s bought some malware on the dark web, can find it worryingly easy to hack into people’s online accounts and fill a cart with credit card details and more. Especially if the victim’s password is ‘password’ or the name of their pet goldfish and they’ve used it 20 times or so in the last year alone. Connected businesses have had enough, and so have consumers. Having to create and remember ever more convoluted passwords is not the answer. It’s rather like following a nutritious but complicated diet. You know it’s good for you, but 20 minutes a day spent cleaning the juicer will eventually diminish the appeal of glowing skin and boundless energy. Strong security requires convenience and simplicity, at least for the user.
So the ID industry and the organisations that rely on accurate authentication and identification, including banks, healthcare, technology companies and government agencies such as border control have started to explore other options – many centred in, on or around our bodies.
Bodies and technology: inside or out?
There are, broadly speaking, two kinds of approaches: in the first, the technology sits outside the body and uses aspects of it that are totally unique to each individual; and in the second the technology sits on the inside: tiny microprocessors implanted under the skin.
Here we look at the first approach.
The bits of you that can confirm you are most definitely you, particularly in the digital world, include: your face, your fingerprints, your eyes, your ear, your vein pattern, your heartbeat, your gait, how you type and your voice. Technology translates this into binary data and uses that to authorise access to your online accounts, digital devices and more – or for identification, such as passports. Effortless for the user, secure and unambiguous for the organisation. No more pesky passwords. Job done.
Only, it’s not quite that simple.
The top biological identifiers
Eyes – The scanning of the iris has now largely taken over from retina scanning (using the pattern of veins in the back of the eye). Like most other biometric identifiers, the iris is unique to each individual and doesn’t change over time. However, the cost and equipment required to implement this biometric mean that it has, to date, been used mainly by business, and for access to physical premises in particular. CERN – where the Large Hadron Collider is located – uses iris scanning to control access, for example. Having said that, the technology is now appearing on smartphones. Samsung’s Galaxy Note7, a few Lumia Windows and Fujitsu phones, as well as some iOS devices are now able to incorporate scanning. However, in 2015, a researcher known as Starbug claimed to have successfully spoofed iris recognition technology by extracting the iris data from an online picture of the German Chancellor, Angela Merkel.
Fingerprints – Probably the most well-known and widely used biometric, fingerprint recognition became popular after it was introduced into mobile phones by Apple in 2013. Within a day of the launch, Starbug announced he had successfully compromised the feature, making a dummy ‘finger’ from fingerprints found on the phone.
Hands – This can include the three-dimensional geometry of a finger or hand, as well as the pattern of veins in a hand or finger. Barclays Bank has introduced finger vein recognition for its corporate clients, and more than 80,000 biometric ATMs across Japan now identify accountholders via palm or finger vein scanning. It has also been introduced elsewhere in the Far East and in Europe. Other parts of the face that can be used as biometric markers include the shape of the ear or a broader analysis of facial features or patterns. These are currently used by, among others, Microsoft’s Xbox ONE and PlayStation 4. And while there is no indication that these markers have been compromised successfully, there is evidence that they are starting to attract the attention of cybercriminals.
Recent Kaspersky Lab research into the criminal underground uncovered at least twelve sellers offering card-skimmers capable of stealing victims’ fingerprints. And at least three are researching devices that could illegally obtain data from palm vein and iris recognition systems. The researchers also found online community discussions regarding the development of a mobile application for ‘fake face masks’. Such an app would allow an attacker to take someone’s picture from the internet and use it to fool a facial recognition system.
Heartbeat – This is a very new area. There are a number of products under development, one of which is Nymi, a wristband that can confirm your identity through the unique electrical impulses generated by your heartbeat. In August 2015, Nymi and Mastercard announced they had undertaken the first, real-life, heartbeat-authenticated mobile payment. It is too soon to assess the security vulnerability of this approach.
Voice – Voice recognition is already widely used in financial services, mainly alongside other methods of authentication. It is a sophisticated, complex process that involves analysing many parameters and patterns, including intonations, natural speech defects, word order and more, and then comparing them with each other.
The depth of analysis and the vast volume of data that needs to be processed means that the risk of voice ID being compromised by attackers is currently fairly low. But Kaspersky Lab experts believe this could change. In late 2016, Adobe announced a new voice editing technology, Voco, that would allow users to create and alter voice recordings using just 20 minutes’ worth of conversation. Similar solutions already exist, but they don’t make the process quite so easy. If you add to this trend the ever-growing database of voice recordings collected by new home connection devices, such as the Echo Dot, the threat of an attacker collecting enough data to recreate someone’s voice in a way that convinces authentication systems suddenly becomes a lot more realistic.
Gait, typing style and other ‘behavioural biometrics’ – These are often used in conjunction with other metrics, providing a clever additional layer of security. Gait measures posture, speed, stride length, and the movement of feet, legs and arms in motion, among other things – but currently most interest is focused on using people’s unique way of interacting with their computing devices, such as typing style and mouse movement. Kaspersky Lab is one of a number of organisations implementing such technologies.
Kaspersky Lab’s new cloud-based fraud prevention solution, for example, integrates mouse tracking and navigation to help spot fraudulent activity in online banking. Everyone has a unique way of moving the mouse across the screen. If you’re an incurable mouse-jiggler, or the kind to cut straight to the chase, the system will come to know it’s you. Should anything change, it will get worried and trigger an alert. Not just because it could be someone else using your account, but because it could be something else, such as malware. For example, if the system detects the mouse moving across the page at a constant speed, or no mouse movement at all – this is a strong indicator of automated software, such as malware, or someone using a remote administration tool (known as a RAT).
Online navigation is similarly revealing. Account holders tend to head first for the transaction pages to deal with bills and things. Malware and fraudulent users, on the other hand, are not interested in paying your electricity bill, but do want to know what your credit limits and personal details are. So that’s where they go first, tripping an alert in their rush to get there.
Canny malware authors who’ve worked this out and amble nonchalantly past your credentials after kicking their heels in the payment templates for a bit, will still be caught out as the security solution never stops monitoring.
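As an added illustration, not code from Kaspersky Lab’s fraud prevention product, here is a minimal version of the two session checks described above: flagging a cursor that never moves or moves at a constant speed, and flagging a session that heads for sensitive pages before any transaction page. The mouse samples, page names and thresholds are constructed assumptions.

```python
import math
import statistics
# Constructed sample sessions (hypothetical, not real telemetry): each holds
# (timestamp_ms, x, y) mouse samples and the pages visited, in order.
SESSIONS = {
    "human": {
        "mouse": [(0, 0, 0), (20, 5, 3), (45, 30, 10), (60, 33, 12),
                  (120, 80, 40), (130, 82, 40), (200, 100, 90)],
        "pages": ["transactions", "credit_limit"],
    },
    "rat_constant_speed": {  # scripted cursor: 10 px every 10 ms, no variation
        "mouse": [(10 * i, 10 * i, 0) for i in range(8)],
        "pages": ["credit_limit", "transactions"],
    },
    "no_mouse": {  # cursor never moves, yet pages are requested: automation
        "mouse": [(50 * i, 100, 100) for i in range(8)],
        "pages": ["personal_details"],
    },
}
SENSITIVE_PAGES = {"credit_limit", "personal_details"}  # assumed page names

def mouse_speeds(samples):
    """Pixels per millisecond between consecutive samples."""
    speeds = []
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        if t1 > t0:
            speeds.append(math.hypot(x1 - x0, y1 - y0) / (t1 - t0))
    return speeds

def mouse_alert(samples, min_samples=5, cv_threshold=0.05):
    """Too few samples or a still cursor -> no movement; a near-zero
    coefficient of variation in speed -> constant-speed movement."""
    speeds = mouse_speeds(samples)
    if len(speeds) < min_samples or statistics.mean(speeds) == 0:
        return "no_mouse_movement"
    cv = statistics.pstdev(speeds) / statistics.mean(speeds)
    return "constant_speed" if cv < cv_threshold else None

def navigation_alert(pages):
    """Alert when a sensitive page is reached before any transaction page."""
    for page in pages:
        if page == "transactions":
            return None
        if page in SENSITIVE_PAGES:
            return "sensitive_page_first"
    return None

def score_session(session):
    checks = (mouse_alert(session["mouse"]), navigation_alert(session["pages"]))
    return [reason for reason in checks if reason]
```

In a real deployment these checks would run continuously over the whole session rather than once, which is what catches the malware that lingers on the payment pages first.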
The use of keystroke patterns as identifiers is becoming less relevant as so many online services are now accessed using mobile devices, and keypad activity is often kept to a minimum.
Then, last but not least, there are those who want to identify you using just about everything. Google’s new Abacus Project will authenticate people using a cumulative ‘trust score’, where your phone continuously monitors and recognises your location patterns, how you walk and type, as well as your facial features, and more. Our own experience suggests that multiple biometric markers will always be more secure than a single one, but this needs to be weighed against the potential loss of personal privacy.
Addressing the security risks
Biometric markers are ideal for use as identifiers because they are unique and unchanging over time. That also makes them very vulnerable. If these identifiers are compromised, the potential consequences for victims in terms of loss of privacy and security are severe.
Biometric identifiers are, by their very nature, often public – anyone could be taking a picture of your ear or eye right now. And if they are the gateway to some of your most personal information, it follows that you could be revealing everything about yourself without even knowing. A nightmare scenario of a total loss of privacy.
Further, despite the fact that biometric data is already widely used for authentication and identification, the use of data about your body parts is largely unregulated. We must address all these vulnerabilities before the attackers figure out how to exploit them.
Two years ago, we, and others like us started to worry about such things. In addition to the new Kaspersky fraud prevention technologies, Kaspersky Lab also holds a patent for multi-factor biometric and contextual authentication, and we will be exploring this area further from a security technology perspective. All this builds on the theory, increasingly recognised across business and the security industry, that one metric on its own is too vulnerable. The most effective protection will combine at least two of the following: something you are (your body), something you know (your personal info) and something you have (a passcode, or similar).
Collaboration will be key: between the developers of biometric authentication and identification technologies, the security industry and the organisations who will be implementing the final products. Between us we have a responsibility to develop solutions that make life easier and safer for the innocent, and harder if not impossible for the guilty.
We can’t afford to fail. Each of us comes with just the one body. It’s possible to replace a stolen credit card or bank account number, not to mention set a new password, but how do you replace compromised retinas, ears, even fingerprints? You can’t just tick a box and, in return, receive an email with a link to create a new heartbeat.