Data Breach Dissection, Part 2: Biometric Validation


In my previous blog, I looked into the inadequacy of passwords as the last line of defense for administrator portals. With greater awareness of the real-life data breaches that occurred due to compromised administrator passwords, we will now consider some mitigating steps for compliance, risk, and technology executives to apply to protect the keys to the kingdom.

Not only an issue for SMBs

Many of the points below may seem obvious to the leader of a sophisticated organization, who may infer that this guidance is targeted at small and medium businesses (SMBs), which lack the resources (time, money and/or personnel) to consider the small steps that can be taken to protect their organization.

However, this is not just an SMB problem. Consider the impact of supply chain attacks as an attack vector and the effect they have on all organizations. According to the Identity Theft Resource Center (ITRC) 2023 Data Breach Report, the number of supply chain attacks that have impacted organizations since 2018 has increased an absurd 2,600%, with the number of victims in 2023 at over 54 million.

The vulnerability of supply chains

Supply chain attacks—also known as third-party vendor attacks—typically share the same primary root causes as any other compromise, most often a cyberattack such as phishing, ransomware or malware. What makes them distinct is that the target is not data owned by the breached organization but rather the information of the business’ customers, clients or other vendors in a supply chain.

According to the ITRC report: “Rather than attack a single large organization (such as a large multinational corporation with a well-resourced cybersecurity program), criminals will attack a smaller vendor with less security protections that supports the same large multinational company along with many other businesses. A supply chain attack can come in the form of breaching a single organization and stealing information from multiple companies or using flaws in a single product or service used by multiple companies to access the personal information stored in their databases.”

Larger organizations are just as exposed to this threat as the SMBs are—casting blame downstream will not change the outcome. They should be insisting that their supply chain vendors implement critical security fixes, and double-checking that their own castles are equally protected.

So what can companies do, as one key step, to protect against the domino effect of the likes of a supply chain attack?

Biometric solutions

Biometric authentication stands at the forefront of modern cybersecurity, offering a credible solution to combat data breaches and enhance digital security. The strength of biometrics as an authentication method has support from many credible authorities, including the European Banking Association, FIDO Alliance, and the Australian Government.

Understanding the various types of biometric authentication methods available is crucial for organizations striving to fortify their digital defenses. So we will now explore the four biometric realms of facial recognition, fingerprint scanning, iris scanning, and voice matching, dissecting their security strengths, ease of use, and potential privacy implications:

Facial matching: Facial matching technology has emerged as a frontrunner in biometric authentication, leveraging unique facial features for identity verification. When developed and applied properly, the technology’s accuracy and resistance to forgery and impersonation make it a formidable contender in the security landscape.

Moreover, the seamless integration of facial matching systems into diverse devices and applications enhances user experience. While privacy advocates raise challenges regarding data storage vulnerabilities, adopters of facial matching must adopt robust privacy measures, including timely redaction, data minimization aligned with defined purposes, and purging of personal data.

Fingerprint scanning: Fingerprint scanning, a time-tested biometric authentication method, offers unparalleled security benefits owing to the uniqueness and complexity of fingerprints. Its widespread adoption across mobile devices and physical access control systems speaks volumes about its ease of use and reliability. 

Nonetheless, the risk of unauthorized access to fingerprint databases necessitates stringent privacy protocols to safeguard sensitive biometric data. In addition, its accuracy is not as high as that of facial matching systems (when applied correctly), and capture can be more erratic (for example, due to humidity).

Iris scanning: Iris scanning, renowned for its accuracy and resistance to tampering, epitomizes high-security biometric authentication. Its deployment in environments demanding utmost protection underscores its efficacy in identity verification. 

Despite its security prowess, user experience can be challenging: lighting and camera quality can hinder and delay capture. The same privacy concerns, such as data protection and consent, also warrant careful scrutiny.

Voice recognition: Voice recognition technology integrates seamlessly into everyday devices, which amplifies user convenience and accessibility. Challenges include its lower accuracy relative to other biometric modalities, and the growing ease with which AI/ML solutions can impersonate voices and dupe voice recognition systems.

Liveness detection is also a factor, to verify that the sample is not from a recording. Data security remains a concern too, necessitating stringent privacy safeguards to mitigate the risks highlighted above.

Adaptability is a must

Biometric authentication, as the front door lock to an organization’s internal domain, is a key consideration for senior-level compliance, risk, and technology officers, and requires an assessment of security, ease of use, and privacy implications. The importance of the choice is heightened when balancing the frequency of administrator breaches, the types of attacks (such as supply chain attacks), and the number of victims whose personal data may be compromised.

Cybersecurity is an ongoing process—this is not the first rodeo for the impostors of the world—and not a one-time fix. We have the benefit of learning from past incidents and adapting strategy to the evolving breach landscape, with the goal of protecting your organization’s valuable data effectively and ensuring the trust of your stakeholders—including investors, employees and clients.

Read part 3, which delves into face matching solutions.

About the post:
Images are generative AI-created. Prompt: Various faces seeing, speaking, touching, Picasso cubist style. Tool: Midjourney.

About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse Americas. He oversees the company’s foray into this market, heeding to the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.
