SmartMetric says that following the recent disclosure of more than a million users’ biometric data, including actual face and fingerprint images that were exposed to hackers, it is now time for governments to look at protecting users’ biometric data from poorly protected centralized data storage systems.
Israeli security researchers Noam Rotem and Ran Locar have been running a project that scans ports looking for familiar IP blocks, and then uses these blocks to find holes in companies’ systems that could potentially lead to data breaches.
These researchers discovered a security vendor that stores biometric data and manages physical and cyber access for 5,700 organisations in 83 countries, including governments, banks, defense installations, corporations and police departments.
The researchers found usernames and passwords on this service provider’s database were mostly not encrypted. They were able to find plain-text passwords of administrators’ accounts on the now proven vulnerable security and access control databases. The exposed data included photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
“The access allowed us first of all, seeing millions of users who are using this system to access different locations and see in real time even which user enters which facility or which room in each facility. We were able to change data and add new users,” the researcher Noam Rotem said.
“This would mean that he could edit an existing user’s account and add his own fingerprint and then be able to access whatever building that user is authorized to access, or he could just add himself as a user with his photo and fingerprints,” the researchers said.
SmartMetric says it views the storage of biometric data in a centralized data system as inherently risky. Any central database is, by its very nature, far riskier than a decentralized one. If, for instance, users’ biometric data is distributed across each user’s individual devices as opposed to being stored centrally, it would require millions of successful hacks to steal these millions of biometric data points. However, centralizing all biometric data of millions of users into a central database system would only take one successful database hack for the hackers to reap millions of users’ biometric information.
“The SmartMetric biometric smartcard and credit card stores the user’s fingerprint in each individual’s card and explicitly prevents the card user’s biometric fingerprint information from ever leaving the card. The SmartMetric card itself becomes a ‘closed’ decentralized database system and the on card data file look up is done by the card itself using a standalone biometric fingerprint scanner built inside the card,” said today SmartMetric’s President & CEO, Chaya Hendrick.
The post #Privacy: Centralised storage of biometric data is unsafe, tech firm says appeared first on PrivSec Report.