Biometric and wearable data theft

Sam Peters at ISMS.online describes a phenomenon that is emerging as a major security-threat

 

Security technology has improved significantly in recent years, with protective solutions such as multi-factor authentication and biometric security, which are key to personal and professional digital protection, now commonplace. However, just as security continues to evolve, so too do the methods that threat actors use as they seek to overcome and exploit those very same systems.

 

Today, biometric data is increasingly in the sights of criminals as they strive to steal and use extremely personal data and devices against targets.

 

From imprinting a fingerprint from someone’s glass to pointing a stolen phone at the owner’s face for facial recognition, security measures on daily devices can be bypassed in a variety of relatively basic ways, enabling attackers to wreak untold havoc against an individual.

 

Similarly, wearable devices such as smartwatches and fitness trackers are also prime targets because of the intricate financial, health, and location data that they contain. Not only are these attractive because of their ability to now double as ’tap-to-pay’ payment tools. Equally, by analysing wearable usage patterns, criminals may be able to use key data against their victims.

 

Think about a high-net-worth individual. If a criminal can steal their wearable data and see that they attend a fitness class every Tuesday between 6:30 pm and 7:30 pm, they’ll know the perfect time to break into their car or property.

 

With that said, it’s not just individuals at risk of compromise. Organisations are also at risk of biometric data theft – attacks that can have significant consequences.

 

This is nothing new. Back in April 2015, for example, the United States Office of Personnel Management (OPM) was subject to a breach in which threat actors stole the fingerprint data of more than 5.6 million US government workers.

 

Such breaches are particularly problematic; biometric data can’t be altered, unlike passwords. However, in the case of the OPM incident, there is some good news in the fact that security technology has changed how it interacts with biometric data.

 

When it was discovered that you could print a photo of someone’s face to overcome facial recognition security, additional measures, such as infrared scanners that look for heat signatures and liveness detection, were added to improve the technology’s effectiveness. Similar improvements have been made across other biometric security systems over time.

 

In this sense, biometric data stolen 10 years ago may not be sufficient to exploit modern systems. However, that is not to say that stolen biometric data doesn’t present significant problems. Today, there are other threats to consider.

 

Biometric data and deepfake threats

The advent of AI in a threat context is particularly relevant, with stolen biometric data potentially capable of enabling threat actors to create even more convincing deepfakes.

 

Significant concerns have been voiced here. The latest Global Identity Fraud Report by AU10TIX reveals that while selfies have traditionally been considered a reliable method for biometric authentication measures—such as know-your-customer (KYC) procedures, which allow banks and financial institutions to confirm the identity of organisations and individuals they do business with—deepfakes could make such measures redundant.

 

The threats are immense. Back in 2020, one threat actor managed to steal $35 million by using AI to replicate a company director’s voice and deceive a bank manager. Similarly, in January 2024, a finance employee at British engineering firm Arup fell victim to a $25 million scam after a video call with a ’deepfake chief financial officer’.

 

Deepfakes are no longer a theoretical threat but a present-day reality that enterprises must confront. Data from our 2024 State of Information Security Report shows that nearly a third (32%) of UK businesses reported experiencing a deepfake security incident in the past year, making it the country’s second most common type of information security breach.

 

Biometric and wearable data could potentially help threat actors create even more convincing deepfakes and hone their spear phishing attempts, so protecting it is absolutely critical.

 

Everyone should play their part

So, what can be done to safeguard individuals and businesses alike from this type of threat?

 

First, individuals themselves should be cognisant of their devices’ security, working to create multiple layers of defences that might include the use of facial recognition and strong, regularly updated pins/passwords alongside fingerprint security.

 

As part of this, consumers and businesses alike should consider the security capabilities provided by device manufacturers, opting to go with those that have made device protection a priority and have robust syncing and authentication systems.

 

Manufacturers should also align with key principles of GDPR, such as data minimisation practices, which ensure that they only collect and hold the data needed to deliver an effective service.

 

In instances where that data is needed, pseudonymisation should be adopted to disaggregate biometric data from the individual. As a result, even if a threat actor does successfully steal the fingerprint data of thousands of individuals, they won’t know who each fingerprint belongs to, rendering that data almost redundant.

 

Encrypting data at rest and in transit is also important for the same reason—if that data is compromised, it’s much harder for threat actors to exploit it.

 

Additionally, we’re increasingly seeing regulators play a growing role in ensuring that the right protections are in place. Take the EU AI Act, for example—while the legislation remains relatively new, the act seeks to prohibit "the use of ’real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement."

 

Meanwhile, under the HIPAA Security Rule (2009) in the US, organisations must safeguard Protected Health Information (PHI), with wearables and smart devices increasingly being used to collect PHI. And, in 2021, Facebook was forced to pay $650m for violating Illinois privacy law, allegedly using photo face-tagging and other biometric data without the permission of its users.

 

Actions if biometric data is stolen

It is important that regulators, manufacturers, and users (both corporations and consumers alike) continue to take the necessary measures to protect key biometric and wearable data, with threat actors likely to ramp up such attacks in 2025.

 

From a technology point of view, we’re going to see more AI-powered hacking this year, with increasingly capable devices also becoming attractive to threat actors to use against victims.

 

But what would happen if someone should get their hands on this data and these devices?

 

The key is not to panic. Yes, it may be that your fingerprint data is compromised, yet with a multi-layered security strategy, those other layers, such as multi-factor authentication, should do their job in preventing access to key devices, accounts, and systems.

 

For businesses subject to major attacks, it is vital to follow the correct compliance procedures, report any breaches to the relevant supervisory body, such as the ICO, and take action and implement pre-planned incident management crisis response protocols.

 

Beyond that, it is again a case of accepting that part of your authentication process can’t be trusted fully, which should in turn trigger a risk assessment. You might decide that the asset you’re protecting is not that important, and you’re willing to take the risk, or that additional layers of protection need to be implemented to compensate for this potential compromise.

 

For guidance on what to do, it is worthwhile looking to proven standards that can help you adopt best practices. ISO 27001, for example, can help organisations find reputable suppliers and manage their approaches to authentication.

 

These standards already document such crucial steps, making them a strong first port of call for helping enterprises combat the risks associated with biometric and wearable data theft.

 

---

 

Sam Peters is Chief Product Officer at ISMS.online

 

Main image courtesy of iStockPhoto.com and Sitthiphong