Of all the personal data that cybercriminals can steal, your biometric information is the most unsettling. Purloined passwords, credit cards and even Social Security numbers can be changed to guard against identity theft and fraud. Fingerprints, however, cannot. At least, not permanently. Perhaps the only silver lining to the U.S. Office of Personnel Management’s announcement last week that criminals had stolen 5.6 million fingerprint files, up from the 1.1 million files originally reported missing, is that it would be extremely difficult to use such biometric data to commit fraud or theft.
Movies and television shows often concoct identity-theft plots involving fingerprints discreetly lifted from, say, a drinking glass and transferred to latex gloves. Misuse of stolen digital fingerprint files is hardly that straightforward and would involve cracking encryption codes, reverse-engineering data files and several other complicated procedures that are probably not worth the effort. The raid on OPM’s computers—which impacts 21.5 million current, former and prospective federal workers—included a treasure trove of addresses, dates of birth and other personal information that would be much easier to exploit.
The fingerprint theft was more likely meant as a psychological blow to the government and its employees, says Kayvan Alikhani, senior director of technology at security firm RSA. Given the highly personal nature of biometric data, which in other settings can include such characteristics as DNA or patterns in one’s iris, retina or palm veins, “by the time you could convince users that it’s not that bad, your reputation is already damaged.”
Commercial fingerprint-based security systems used by businesses and government agencies create digital maps of the ridges and valleys that make each person’s fingertips unique. Most systems generate these maps by scanning high-resolution images of a person’s hand and using software algorithms to encode this map data into a file that can be used to identify that person. A properly configured system will delete the images after use and encrypt the files containing these encoded fingerprint maps, Alikhani says.
Consumer tech versions of fingerprint readers—such as Apple’s iPhone Touch ID—are a bit different. Rather than taking digital images, they measure a fingertip’s electrical current, or capacitance, to capture a fingerprint image. Hackers have already proven they can defeat Touch ID and break into an iPhone. But they’ve done this by painstakingly copying physical fingerprints and applying them to the sensor. The iPhone’s digital fingerprint records are encrypted and stored exclusively on the phone itself. Apple says it does not keep copies of those files on the network. That means a thief would need to already have access to an iPhone in order to steal the fingerprint file.
The OPM fingerprint data, however, was stolen from the agency’s networks and computers as opposed to the fingerprint readers themselves. The agency last week issued a statement reassuring the public that the stolen fingerprint data is of limited use to criminals at this time, although the agency didn’t rule out future problems as “technology evolves.” Alikhani took this statement to mean the data was most likely encrypted. “In order for you to get back to the original fingerprint, you would have to break the encryption used when storing one’s fingerprint template,” he says. Assuming a criminal has the processing power and time to do that, he or she would then have to reverse engineer the algorithm used to encode the fingerprint data. In the unlikely event a criminal put this much effort into the scheme, that reverse-engineered data could then be reassembled into the original fingerprint image.
“There has been work in the labs to take encrypted, templated biometric information and reverse engineer it,” Alikhani says. But the process is complex and requires knowledge of the technology used to create the biometric profile. Even if someone were able to do all of this, that person would still need to create a physical copy of the fingerprint—perhaps 3-D printed and glued to a latex glove—to fool the actual fingerprint scanner guarding entry to a particular facility or computer. This might work, but only in the unlikely scenario that there are no other security measures in place.
The U.S. Customs and Border Protection agency’s Global Entry program, for example, allows international travelers to skip long lines at airport immigration by scanning their passports, face and fingerprints at a kiosk. If a traveler answers some questions and these identifying features match those already on file, the kiosk prints a receipt that the traveler can show to a Homeland Security official on the way out of the airport. If there is no match, the traveler can expect an immediate conversation with on-site police.