Using your biometric data, such as your fingerprint, to login and authenticate your identity may not be as secure as you think.
This is according to NordVPN, whose researchers claim to have found 81,000 stolen fingerprints across dark web forums. The VPN provider also added that since users can't change their fingerprints - as they can a compromised password - they are at risk of being permanently compromised.
While acknowledging that biometrics are generally a very safe method of authentication, Adrianus Warmenhoven, a cybersecurity expert at NordVPN, said that, "all recorded data is hackable... biometric information a valuable target for cybercriminals, and hacking of this type of data becomes a popular way of identity theft."
Up for grabs
NordVPN identified 20 different types of biometric data that can be used, with the most popular being fingerprints, face, and voice. It further claims that all are vulnerable to compromise in different ways.
With regards to fingerprints, one common method of theft is to place something called a skimmer on ATMs or other fingerprint scanning machines. This collects fingerprints and duplicates them for cybercriminals to use to breach victims' accounts.
NordVPN notes that using skimmers are an old-fashioned way to steal fingerprints, and that now deepfake technology is making the theft of biometric data even easier for threat actors to pull off.
It says that by taking a target's photos and videos from their social media profiles, the technology can create fake versions of their face, voice and even their fingerprints to fool authentication processes.
Warmenhoven explains that, "while we are the owners of our own faces and voices, we are not the only ones with access to them. Over the years of being active social media users, people left so much biometric data that with the current capabilities of artificial intelligence to create deepfakes, it becomes a weapon against our privacy."
Biometric data stored on a smart device is usually quite secure as it is encrypted. However, if malicious apps are granted access to this data, then unscrupulous developers can steal it.
Even in the case of safe and reliable apps, if a user's biometric data ends up being stored in the app vendor's cloud or servers, then this is again vulnerable to breach from threat actors. During the transmission of the biometric data between the device and servers, a threat actor could intercept the data.
Therefore, Warmenhoven recommends that users think carefully before opting in to a new app's request to access their biometric data. He also advises to use Two-factor authentication (2FA) or multi-factor authentication (MFA) where possible, along with strong passwords, and to use a VPN to prevent criminals from intercepting data in transmission.
- Theses are the best password manager options to keep your credentials safe.