Biometric systems: comfortable and easy to use, but also vulnerable and dangerous for their users

Biometric identification systems, such as eye or fingerprint scanners, are of increasing interest to users and companies that opt for these alternatives to passwords because of the benefits they offer, such as speed and convenience when logging in to an account or platform. Sharing this information also carries risk, however, because it can be used to commit fraud.

These are security tools that are either part of devices manufactured for this purpose – as is the case of the Orb used by the Worldcoin company – or are integrated into electronic products for daily use, such as tablets or smartphones, in the form of a fingerprint or facial recognition sensor.

With these technological solutions, users have the opportunity to get rid of passwords and identify themselves with one or more personal and physical attributes, which are understood to be unique, such as a fingerprint or eye, using a retina or iris scanner.

The use of biometric security is growing around the world, thanks to its implementation in mobile phones in both the iOS and Android ecosystems. Mainly, these are the fingerprint reader (Touch ID, if we are talking about iPhone) and facial recognition (Face ID in Apple’s system).

Samsung was also a pioneer in introducing the iris scanner in its mobile devices, capable of reading both the shape and pattern of this part of the eye to allow users to unlock the device or perform certain functions.

There are also firms that have developed more atypical recognition systems, which go beyond fingerprint, facial or eye recognition. This is the case of Fujitsu, which a few years ago launched PalmSecure ID Access PSN900, an access solution that reads the veins in the palm of the hand.

Advantages and risks

Biometric data are unique and immutable, which generates greater security for people who use them daily, who choose them to speed up access to mobile applications or financial services, among other use cases.

That is one of the great advantages of these systems, which do not require users to remember numerical passwords, patterns or PIN numbers to access a mobile phone or other electronic device. In addition, they give fewer errors and false positives than traditional passwords.

The fact that biometric information is non-transferable and cannot be modified also has its drawbacks. In the event that a biometric credential is stolen, the affected person assumes the risk that other people may impersonate him or her, for example, with data from his or her iris or fingerprint. This is because once a biometric record reaches the internet and is made public, it is not possible to completely delete it.

The biometric information collected is stored in local databases – depending on the device from which the data was collected – or in the cloud, which, despite having encryption systems, can be ‘hacked’ and compromised due to vulnerabilities and security flaws.

This process involves a sensor to collect the input data; a computer system that processes and stores it; and software that acts as an intermediary and compares the biometric input with what is stored in its database, to determine whether both records match.

Responsibility for biometric information

Given the growing adoption of biometrics, the companies responsible for these systems are obliged to offer a series of guarantees in the collection, processing and protection of user data. They must also give users the option to exercise their right to object to the processing of personal data, as well as to request its deletion.

This is determined by the General Data Protection Regulation (GDPR), which states that users must contact the party responsible for processing this information – in this case, the firm that manages the data – to request its removal from its databases.

In Spain, the state control authority responsible for ensuring compliance with data protection regulations is the Spanish Data Protection Agency (AEPD).

A recent case in this matter is that of Worldcoin. At the beginning of March, the AEPD ordered the urgent cessation of the collection and processing of personal information by this biometric cryptocurrency project with iris recognition, created by the company Tools for Humanity and founded in 2019 by the leader of OpenAI, Sam Altman.

Worldcoin scans the irises of volunteers – of legal age, according to its policies – in exchange for financial compensation, more specifically a cryptocurrency belonging to this service. The AEPD ordered the responsible company to pause this initiative until the type of processing that Worldcoin carries out on these people's data is clarified, and after receiving complaints about “insufficient information, the capture of data from minors or that the withdrawal of the consent”.

As a result of this, Worldcoin recalled that it has a form where users can request the deletion of their personal data, as well as information about their iris, although it is not possible to completely delete user data. This is because the device used for eye scanning, Orb, temporarily saves the scanned image of each iris to convert it into a unique code made up of letters and numbers, called the ‘iris code’.

Once a user’s profile has been created, Worldcoin removes their iris image, but keeps the so-called Unique Iris Code. This is a mathematical representation of the eye called ‘Singularity Proof’ that allows Worldcoin to identify each person within its network of users and which cannot be deleted despite having requested the removal of the data. whose

The storage of this ‘Proof of Uniqueness’ is justified by a legitimate interest to defend “against fraudulent users who attempt to register illegally more than once.”

Real risks

With the rollout of these biometric identification systems globally, companies like cryptocurrency exchange Kraken have demonstrated how easy it is for malicious actors to copy a person’s fingerprint and use it to unlock and access their personal information.

Once the victim leaves their fingerprint printed on an object, be it a key or a screen, a negative can be made of it, creating a 3D structure and a mold with the fingerprint, which can be placed on a panel to unlock the screen or a button.

The hacker collective Chaos Computer Club also discovered a few years ago that it was easy to circumvent Samsung’s iris scanning system – more specifically, on the Galaxy S8 model – using a simple system that only required a photograph of the smartphone’s owner and a contact lens.

Additionally, at the 2018 Black Hat (US) cybersecurity event, two Salesforce researchers demonstrated that voice authentication for account access was also insecure, using machine learning models and freely available text-to-speech modules.

By Editor