Tuesday, March 10, 2015

Database hacks stoke demand for customer-facing biometrics

As hacking grows, biometric security gains momentum (Bizcommunity)
With hackers seemingly running rampant online and millions of users compromised, efforts for stronger online identity protection - mainly using biometrics - are gaining momentum...
It's true. The recent hacks have focused attention on biometrics. The spotlight, however, has fallen on consumer-level biometric applications. That's fine by us, but the recent high-profile hacks haven't been perpetrated by hackers using customer credentials to gain access to systems. That kind of hack is hugely inconvenient for individual users, but it doesn't make the news.

Most of the big, news-making hacks involve taking huge repositories of data that can be sold wholesale to organized criminals who sell the information on to the retail crooks who perpetrate their fraud using the individual accounts.

We have argued for years that the first, best place to apply biometrics to the problem of large-scale data theft is at the database level.
From an organizational point of view, for many service providers, allowing customers and users to protect their individual accounts with passwords exposes the organization as a whole to minimal risk. Some relatively predictable number of users will choose poor passwords, and some will become victims of phishing scams. If the cost of sorting these cases out is less than the cost of burdening all users with more onerous security protocols, then the password is the appropriate solution.

But at some point, all databases of user/customer information should be protected with biometric access control methods, because while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database administrator logins would go a long way toward lowering the biggest risk of passwords: their wholesale theft.

In many ways the admin level is the perfect point to introduce these more rigorous security protocols. There aren't (or shouldn't be) too many admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should understand why the extra step is worth the effort; it's their responsibility to keep the keys to the kingdom. Perhaps most compelling, they're the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.
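One way to express that tiering in an actual access-control layer, shown here as an added example and not something from the original post: a PostgreSQL pg_hba.conf fragment in which ordinary application roles keep password authentication while the superuser account can only log in through a PAM service, which is where a biometric (or other strong-factor) PAM module would be wired in. The post names no database product, so the PostgreSQL deployment, the PAM service name postgresql-admin and the 10.0.0.0/8 application subnet are all assumptions.

```text
# pg_hba.conf (added example; assumed PostgreSQL deployment, not from the post).
# Rules are matched top to bottom and the first matching line decides the
# authentication method, so the restrictive superuser rules come first.
#
# TYPE   DATABASE   USER       ADDRESS          METHOD   [OPTIONS]

# Human administrators: the superuser may log in only over the local socket,
# and only via the PAM service "postgresql-admin" (assumed name). The biometric
# or other strong-factor module lives in that PAM service, so a password taken
# from a stolen dump is not, by itself, enough to open the whole database.
local    all        postgres                    pam      pamservice=postgresql-admin

# Any remote superuser login attempt is refused outright, regardless of
# what credential is presented.
host     all        postgres   0.0.0.0/0        reject
host     all        postgres   ::/0             reject

# Ordinary application and customer-facing roles keep password authentication
# (SCRAM rather than plain or md5) from the application subnet (assumed range).
host     all        all        10.0.0.0/8       scram-sha-256
```

The pam method is only available when the server was built with PAM support (pg_config --configure lists --with-pam), and edits take effect after SELECT pg_reload_conf(). Pairing this with log_connections = on gives the operations team a record of every superuser authentication, which is the login path the post argues deserves the most scrutiny. The fragment governs only logins through the database protocol; operating-system access to the data directory and to backups is a separate admin path that needs its own equally strong controls.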
Granted, after a hack, having biometrics there to protect individual accounts should change the retail fraudster's Return on Investment (ROI) calculations. With biometrics it should be harder for him to turn the user information into money. Still, the Benjamin Franklin axiom that "an ounce of prevention is worth a pound of cure" would seem to carry the day here.