The OPM now says that the fingerprints of 5.6 million persons were stolen in its catastrophic data breach. For the moment, at least, the loss of a Social Security number probably is more serious. But that could change.
There is no way to make it sound good. The theft by hackers of the fingerprints of as many as 5.6 million persons from the federal Office of Personnel Management is bad news. The only thing that makes it not so bad is that the loss of other information, such as Social Security numbers, could well be even more serious. At least for now. But that could change.
The fact is, biometrics do not offer perfect security in identity management and access control. As a correlation to that, the loss of a biometric factor does not necessarily doom an authentication scheme. This is a situation in which the lack of standardization can be an advantage.
The OPM dropped its latest bombshell earlier this week in a statement saying that the number of persons whose fingerprints were accessed increased fivefold from the initial estimate of 1.1 million. OPM is not saying much about what exactly was taken, which makes it hard to say how serious this is. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” press secretary Sam Schumach said in his statement. “However, this probability could change over time as technology evolves.” An interagency working group that includes the FBI, Homeland Security, the Defense Department and others will be keeping tabs on exploits using fingerprints and how to prevent them.
As everyone points out, the problem with biometrics as an authentication factor is that, unlike a password, once it is compromised it cannot be changed. This leads everyone to expect the worst. Deborah Golden, who heads Deloitte’s federal cyber risk services, says there is a “high likelihood” that such a breach could render an authentication scheme using fingerprints useless.
“As biometrics become more and more prevalent, there is more exposure,” Golden said. “It can be used in a sophisticated manner to gain access.”
But just how this could be done is not clear. Although fingerprints don’t change, the data that is used in biometric authentication does. Authentication uses an abstract of data, a template. When a user swipes a finger, the template is compared with that created when the user was registered in the system. Because the data being captured is not exactly the same each time, biometrics uses a “close enough” standard to accept or reject the user. How close is close enough can be adjusted by the system owner to increase or reduce the number of false positives and negatives.
Although we don’t know exactly what was taken from OPM, the data apparently was from background investigations, making it unlikely that it was biometric templates that were stolen. More likely it was the digital equivalent of old-fashioned ink-on-paper prints.
The data used in authentication, and its format, varies from one system to another. So having a copy of a fingerprint does not automatically mean it can be used to gain access to a biometrically protected system. The system would have to be reverse engineered and a way found to insert the phony user’s “swipe” with the counterfeit template into it.
It is possible that a phony 3D print could be created and worn, but sensors today can—and should—be able to detect this fraud.
All of this said, it is possible that stolen fingerprint files could be used to subvert identity and access management systems. But for now, the loss of SSNs and other basic information is more worrisome. These are more widely used, and more easily exploited by bad guys.
The theft of millions of fingerprints from OPM isn’t the end of the world. It’s just one more problem we shouldn’t have had to worry about.