What nobody is talking about – The unique security challenges of face and voice recognition technologies
Can your face ID be hacked? Or your voice? Or fingerprint? These features – unique to everyone – are increasingly being used to verify a person’s identity when accessing confidential information on smart devices and apps. And the ease and speed with which these technologies work has made them a popular and indispensable feature for the owners of these devices.
Measurements of these unique human features (or ‘biometrics’) are digitally recorded and matched to the person trying to access the device. But if these measurements – whether facial features, voice or fingerprints – exist as digital records they can be stolen.
This is the unique security challenge of face, voice, fingerprint and other biometric technologies. If these intimate biometric measurements are stolen, they cannot be changed or replaced like a password or a PIN.
Biometric technologies in use today
From the moment you turn off your smartphone’s alarm in the morning, you are surrounded by devices and applications which can use biometrics to verify your identity. One of the first things many people do is to unlock their phones with fingerprint or facial recognition technologies, before checking emails or news headlines.
And if you work in Sydney and regularly get your coffee from Bahista Café opposite Hyde Park, the barista knows your name and order before you reach the coffee machine. This is because an iPad scanned your face on approach, and matched it to your name and regular order in their customer database. If you decide to pay for your coffee with your iPhone’s ‘smart wallet’ app, you can verify payment with either fingerprint or facial recognition.
When boarding a Qantas domestic flight, you can use a digital boarding pass stored in the Qantas app, which can be unlocked with your fingerprint. In the future your face might be your boarding pass. Last year Qantas trialed facial recognition for boarding international flights. Australian passports already use biometrics, as they have included the digitised facial image and personal details of passport holders since 2005.
In addition to fingerprint and facial recognition, voice recognition technologies have also been introduced. Customers of the National Australia Bank with Amazon’s Alexa home assistants can check account balances and transaction details using only their voice to give instructions. This follows ANZ introducing voice recognition for payments over $1,000 made via its Grow app in 2017.
Significantly, apart from Australia’s biometric passports, most of the other uses of these technologies noted above have appeared only in the last six years.
Privacy concerns
The increasing ubiquity of these biometric technologies, and the consequent collection and use of ever more personal identity credentials, has led to significant public concern and debate. Much of this debate has focused on the surveillance and privacy aspects of the technologies, and less on their security.
Large-scale systems such as China’s video surveillance ‘social credit’ system have gained attention. In Australia there has been ongoing discussion about the ‘Capability’ system which proposes to pool Australia’s government photo databases for law enforcement purposes. These include the passports and drivers’ licences databases.
Smaller-scale systems have also attracted attention. In Melbourne, an automated attendance-marking system used in some schools has had restrictions placed on its use by that state’s Education Minister.
Security concerns
Identity information is already amongst the most vulnerable to cyber security breaches. In February, the Office of the Australian Information Commissioner (OAIC) reported that it received 262 notifications of data breaches between October and December 2018, up from 245 the previous quarter.
Breaches of identity information accounted for 94 incidents or 36 per cent of the total. Other forms of information that were vulnerable to cyber breaches included contact information (85 per cent) and tax file numbers (18 per cent).
Should biometric data be stolen, it can be combined with other forms of stolen information to access an individual’s financial or health information. The scope for damage to that person’s financial position, health, and privacy is enormous.
‘Deepfakes’ and the future of biometric hacking
Further cause for concern is the rapid development of ‘deepfake’ technologies that allow for near-perfect video or voice impersonations to be made of real people. All that would be required to make these technologies work would be stolen biometric credentials, photographs, videos or voice recordings.
Facing the future
Should the increasingly large amounts of biometric data already being collected be inadequately secured, their potential theft and use in cyber attacks pose significant risks for businesses large and small. However, unlike past attacks, simply resetting the passwords of customers will not resolve the problem.
If you run a business that is considering using biometrics, or if your business works with other organisations that do, a thorough review of the security practices surrounding their use is essential.
Trusted Impact can help prioritise the risks to your business and identify the vulnerabilities which may be present in your or partner businesses. We can help you build a blueprint for action and to move forward. In the digital age, a security breach is inevitable - becoming a headline doesn’t need to be. Contact us today.
See also
Is another company’s poor cyber security putting your business and reputation at risk?
Knowledge Product Owner @ nbn Australia | Expert in instructional process, change communication & process improvement
6y: Very informative and something that is often overlooked in the sheer volume of security and privacy risks. Great read!
SEEKING FULL TIME POSITION - Sr. Qualitative Researcher: Insight, Innovation, Strategy, User Experience Research, AI and Automation Cooperation, and Sociability with Automated Systems.
6y: People are definitely talking about it. Industry just isn't choosing to listen to them.
Founder & CEO | Innovator | Multi-patented inventor, identity protection & data security, international presenter & public speaker. Author "Stay Safe Online".
6y: Excellent article, thanks Tom! Key take out IMHO is that biometrics are great for *identification* but we have to be really careful about increasing over-reliance on them for authentication. And for self-protection nothing beats a strong secret or "Knowledge Factor" - when done right! The problem with passwords is not just that we have too many, or write them down, re-use them or forget them. The problem is you have to reveal your password (by entering it or speaking it) every time you need to authenticate, making it vulnerable for capture and re-use by bad actors. So it's NOT about getting rid of passwords, or more precisely the Knowledge Factor, altogether. Rather, the answer is a Zero Knowledge Password Proof approach (https://en.wikipedia.org/wiki/Zero-knowledge_password_proof). If you want to keep a secret, don't tell anyone!
From 2013: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html