Tag Archive for: biometric

Navigating Biometric Data Security Risks in the Digital Age


COMMENTARY

Although it wasn’t called biometrics at the time, a rudimentary form of the technology emerged in 1901 when Scotland Yard adopted fingerprint classification to identify criminal suspects. Biometrics has come a long way in the more than 120 years since then.

Public and private sector organizations now use it to identify and authenticate individuals to grant access to computer systems, such as laptops and tablets, and enterprise applications such as human resources or customer relationship management systems. Apple adopted biometrics to unlock the iPhone in 2013, and today Face ID is a common feature on mobile phones. The Mastercard Biometric Card combines chip technology with fingerprints to verify the cardholder’s identity for in-store purchases. Healthcare organizations also use biometrics to verify individuals to determine access to medical care. This is particularly useful if the patient can’t produce other forms of identification.

With biometric devices part of the growing body of data-bearing devices deployed across multiple sectors, including government agencies and the military, organizations looking to use this technology must make sure their data security solutions protect what may be a new goldmine for hackers.

DoD Details Biometrics Data Risks

The US government is now fully aware of the potential danger of biometrics data breaches: The Inspector General (IG) of the US Department of Defense (DoD) released a report in November 2023 revealing significant gaps in security and management of biometric data within the DoD. These gaps may pose risks to personnel and potentially threaten clandestine operations. According to the IG’s report, the DoD’s use of biometric data has been extensive, particularly in areas of conflict where accurately identifying individuals is critical for security operations. The report found many of the DoD’s biometric collection devices lacked data encryption capabilities and a clear policy for destroying or sanitizing biometric data.

While commercial enterprises don’t face the same challenges as the DoD, the threat of biometrics data breaches to business operations is also a serious concern. Some of the top threats to private sector…

Source…

Sneaky Chameleon Banking Malware Defeats Biometric Security On Android, Steals PINs


Security researchers first spotted the Chameleon Android malware this past spring. This pervasive banking trojan has now evolved to become something much more dangerous. Through a series of fake system dialogs, the malware attempts to use the Android system Accessibility service, which effectively gives Chameleon the keys to the kingdom, allowing it to modify security settings to steal passcodes and raid your personal data.

When Chameleon first popped up, it posed as crypto, banking, and government apps. Now, the malware uses the Zombinder service, which attaches malicious apps to legitimate ones. The user believes they’ve installed a particular app, and it appears to work normally, but the malware comes along for the ride. The creators of Zombinder claim the sidecar virus is undetectable by Google Protect security and Chameleon is using this platform to pose as Google Chrome.

The other new twist for Chameleon is the way it tries to gain deeper access to the system. Android’s Accessibility service allows trusted apps to emulate buttons, control the screen, or disable features to help disabled individuals use their phones more efficiently. However, the capabilities granted through Accessibility can also be used to compromise the device, so Google has clamped down on how devs can use these APIs. Apps can’t just flip the Accessibility switch on their own. It’s a multistep process, so the updated Chameleon malware has added an HTML pop-over that guides the user through the steps. Because the malware is hiding behind a legitimate app (in this case Chrome), the user might not know anything is amiss.

When Chameleon has Accessibility control, it will disable the biometric unlock method. As soon as the user unlocks their device with a PIN or password, the malware records it for later use. The malware can then wake up at any time and unlock the device to upload stolen personal information and login data.

Chameleon has also gained support for Android’s AlarmManager API, which gives apps the ability to wake up in the…

Source…

Genesis HealthCare System Builds on its Investment in BIO-key Biometric Authentication Security as it Migrates to Epic Hyperdrive


BIO-key International, Inc.

ZANESVILLE, Ohio and HOLMDEL, N.J., Dec. 14, 2023 (GLOBE NEWSWIRE) — BIO-key® International, Inc. (NASDAQ: BKYI), an innovative provider of workforce and customer Identity and Access Management (IAM) featuring passwordless, phoneless and token-less Identity-Bound Biometric (IBB) authentication solutions, announced that its longstanding customer Genesis HealthCare System, the largest healthcare provider in its six-county region of Ohio, will add BIO-key’s PortalGuard IAM platform to support its existing BIO-key biometric authentication investment as it migrates to Epic Systems’ Hyperdrive end-user application interface. Genesis HealthCare has a network of more than 300 physicians and 4,000 employees across 27 locations.

PortalGuard’s standards-based integration with Hyperdrive allows Genesis HealthCare System to continue enjoying the security and streamlined biometric authentication user experience that BIO-key provides without re-enrolling employees or adopting more cumbersome and expensive multi-factor authentication solutions.

Named by Computerworld as one of the 100 Best Places to Work in IT every year since 2017, Genesis HealthCare utilizes BIO-key biometric software and hardware to secure and streamline its users’ login experience for Epic. By deploying PortalGuard IAM, it is able to maintain a consistent user experience and simplify the Hyperdrive migration. PortalGuard fully supports Hyperdrive’s modern authentication approach through its SAML Identity Provider (IdP) capabilities. PortalGuard provides seventeen authentication factor options, including WEB-key fingerprint authentication, the same core BIO-key biometric authentication platform regularly used by thousands of Genesis HealthCare employees. Additionally, users can now use PortalGuard for biometric authentication in other hospital applications through its support for standard IdP integration options like SAML, OAuth, and OpenID Connect.

“Epic is a mission-critical application for many of BIO-key’s hospital customers, and implementing PortalGuard SAML SSO allows Genesis to maintain streamlined workflows and ensure secure access to patient information with IBB,” said Mark…

Source…

Novel face swaps emerge as a major threat to biometric security


Digital identities are rapidly becoming more widely used as organizations’ and governments’ digital transformation projects mature and users demand more remote accessibility for everything, from creating a bank account to applying for government services, according to iProov.

To support this transformation, many organizations have adopted biometric face verification, as it is widely recognized as offering the most user-friendly, secure, and inclusive authentication technology solution.

Yet, as biometric face verification gains traction and becomes more widely adopted, threat actors are targeting all systems with sophisticated online attacks. To achieve both user friendliness and security, organizations need to evaluate their biometric solutions for resilience in the face of these complex attacks.

Digital injection attacks are evolving

Digital injection attacks – where a malicious actor bypasses a camera feed to trick a system with synthetic imagery and video recordings – occurred five times more frequently than persistent presentation attacks (i.e., showing a photo or mask to a system) on web in 2022.

This is due to both the ease with which they can be automated and the rise in access to malware tools. More than three-quarters of malware available on the dark web is available for under $10 USD, and with the rise of malware-as-a-service and plug-and-play kits, just 2-3% of threat actors today are advanced coders.

Mobile platforms were also identified as increasingly vulnerable, with attacks now using software called emulators, which mimic the behavior of mobile devices. The report warns organizations against relying on device data for security, with a massive 149% increase in threat actors targeting mobile platforms in the second half of the year compared to the first.

“Our analysis shows that the online threat landscape is always rapidly evolving,” said Andrew Newell, Chief Scientific Officer at iProov. “The 149% increase in attacks using emulators posing as mobile devices is a good example of how attack vectors arrive and scale very quickly. We have seen a rapid proliferation of low-cost, easy-to-use tools that has allowed threat actors to…

Source…