The use of facial recognition, iris recognition or fingerprints, referred to as biometric authentication, is seen by many experts as the savior of security by allowing organizations to do away with passwords.
However, on Wednesday August privacy researchers discovered a large bank of unprotected biometric, password and other personal data open on the internet. The data belongs to the BioStar 2 identity and access control platform, which is used by companies around the world. Some of the data is priceless to criminals.
Some of its products are used for physical access control to workrooms, data centres, hospitals, police stations, buildings and construction sites. A criminal could use a stolen photo to perform an internet image search and uncover more information about a potential victim.
Researchers were able to access over 27.8 million records, a total of 23 gigabytes of data, including:
“From a consumer perspective, high-resolution fingerprints are a dangerous data set, regardless of how the original data was intended to be used,” said Robert Capps, vice-president and authentication strategist for Vancouver-based NuData Security, a division of Mastercard. “The fact that we don’t know whether the stolen fingerprint data is full resolution or templatized, it is unclear whether the stolen biometric data will have any meaningful impact. We do know that other consumer information was made available by the vendor, and this information has the possibility of being used to access consumer accounts, including financial services accounts.