How To Secure Your Customers’ Personal Data In The Age Of Biometric

Amazon is reportedly testing a hand-scanning payment technology for escalating checkout process at its Whole Foods outlets. Such a system will have the capability to complete a payment in less than 300 milliseconds. Eliminating the need for a card or even touching the POS, the hand-scan system leverages biometric information for payment authentication.

In China, WeChat has recently launched a payment device that allows customers to pay using their facial identity. This new POS device, called “Frog Pro”, was launched at Chongqing Smart China Expo two weeks back. With a promise of making payments safe, fast, and convenient, Frog Pro is rolled out by WeChat to upgrade its offline payments.

With the technological advancements in AI, voice recognition, facial recognition, depth geometry, and computer vision, the perils of identity theft reach new heights.

The consumers today are standing at the crossroads with safety on one side and convenience on the other. In order to enjoy hassle-free and quick transactions, they are required to divulge sensitive personal information to the facilitators. The alarming rate at which cybersecurity attacks are increasing in breadth as well as depth, data sharing has become a highly risky affair.

While biometric technology is associated with immutable physiological characteristics of customers, the theft of biometric data poses equally serious threat. As per a ForgeRock report, in the 342 data breaches of 2018, 97% of the attacks were intended for Personally Identifiable Information (PII) of customers. Data records of over 2.8 billion customers were exposed in these breaches, costing an estimate total of $654 billion.

Biometric authentication is not a novel security method. Statista reported that over 75% of consumers have used some sort of biometric technology, ranging from fingerprint scanning and facial recognition to signature dynamics and hand geometry. In fact, fingerprint scanning has been one of the most widespread use of biometric for authentication and verification. The latest smartphones including iPhones and Android phones use technologies such as facial recognition and fingerprint scanning to grant access to the user. By the end of 2019, it is expected that 100% of all new smartphone shipments will feature biometric technology.

As of now, biometric is the most secure form of authentication available. In terms of safety level, it towers over first-factor authentication of physical identity cards and second-factor authentication of knowledge about a life event. However, being extremely safe unfortunately does not translate into being unbreachable. The pros of a biometric authentication system are definitely heavier than the cons. Consequently, the biometric security market is growing at a CAGR of 18% and is expected to have a worth of $32 billion by 2023. About 92% of the enterprises rank biometric authentication as an “effective” or “very effective” way to secure identity data stored on premises, reported a Ping Identity Survey.

Amidst the glory and acclamation for being impenetrable, the news of Biostar 2 data breach broke out. The breach compromised biometric information including fingerprints, facial recognition records, and authentication credentials among other personal details of over 1 million users. This attack cleared the false sense of security that comes along the usage of biometric authentication.

In most cases, unless the biometric identity links back to a person, the independent data is of no use to the hackers or data thieves. Even then, any hole the security system will cause a two-way blow – on reputation of businesses storing the data and on the security status of the customers whose data is stolen. In order to ensure that businesses deliver convenience to the customers without compromising their safety, they need to follow these best practices:

1. Encrypt the data

When a vulnerability in Facebook’s security system revealed hundreds and thousands of passwords lying in plain sight, the focus was centered on the criticality of encrypting the stored data. However, it is easy to change a password in case of a breach. How will the customers change their biometric after theft? Thus, it becomes all the more important to do everything to prevent biometric theft. If the stored biometric information is encrypted, an attack will not cause any significant damages.

2. Establish governance

Before storing any personal, sensitive information of customers, it is necessary to have a written code of conduct or governance policy in place. Such a policy should dictate the terms regarding the storage, access, usage, and distribution of biometric data. Unnecessary, additional information should not be gathered. The information collected should not be stored beyond the point of use. It should, under no circumstances, be distributed or shared without proper authorization and permission of the customers.

3. Secure the system

Creating a secure system is the first step to safeguard biometric PII of customers. The interconnected web of IoT devices exposes any enterprise to a plethora of threats and cyber vulnerabilities. The security plan should be comprehensive, taking into consideration all the physical, electronic, and digital aspects, wherever the biometric information is stored. From mobile devices, computers, laptops to servers and software, everything should be closely monitored. A periodic password-change policy should be incorporated into the security plan.

4. Be prepared

Although securing the systems proactively is part of being prepared. Yet, if a breach does happen, have a response strategy ready to minimize the losses. Form a risk assessment plan that constantly supervises the system for any holes and gaps in security and alerts the concerned authorities in real-time in case of a breach. Train the employees and educate them regarding compliance protocol for maximum security.

In Conclusion

Drew Bates, Head of Product Marketing at SAP Innovation Lab, says, “Sure, there are valid concerns about intrusion and privacy regulations, but follow the rules (such as full disclosure, opt-in and appropriately handled personal data storage) and the results will be a transparent system which only succeeds if it provides value to the individuals concerned.”

One can never be too cautious when it comes to cybersecurity. It is advisable to deploy all the possible measures. The most important thing is to monitor the security system on a regular basis. By keeping a check on the vulnerabilities and security gaps, enterprises can very easily prevent any data breaches.

Cigniti possesses rich expertise in Security Testing of enterprise applications, catering to diversified business needs. We have immense experience in serving clients across different industry verticals and organization sizes. We offer end-to-end security testing services including Network Penetration Testing, SCADA Network Vulnerability Assessment and Penetration Testing, Web Application Penetration Testing, Wireless Network Assessment and Penetration Testing. Connect with us and get your security issues resolved.