Database hacks stoke demand for customer-facing biometrics

As hacking grows, biometric security gains momentum (Bizcommunity)

With hackers seemingly running rampant online and millions of users compromised, efforts for stronger online identity protection – mainly using biometrics – are gaining momentum…

It’s true. The recent hacks have focused attention on biometrics. The spotlight, however, has fallen on consumer-level biometric applications. That’s fine by us, but the recent high profile hacks haven’t been perpetrated by hackers using customer credentials to gain access to systems. That kind of hack is hugely inconvenient for individual users, but it doesn’t make the news.

Most of the big, news-making hacks involve taking huge repositories of data that can be sold wholesale to organized criminals who sell the information on to the retail crooks who perpetrate their fraud using the individual accounts.

We have argued for years that the first, best place to apply biometrics to the problem of large-scale data theft is at the database level.

From an organizational point of view, for many service providers, allowing customers and users to protect their individual accounts with passwords exposes the organization as a whole to minimal risk. Some relatively predictable number of users will choose poor passwords; some will become victims of phishing scams. If the costs of sorting these cases out are less than the costs associated with burdening all users with more onerous security protocols, then the password is the appropriate solution. But at some point, all databases of user/customer information should be protected with biometric access control methods because, while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database Administrator logins would go a long way to lowering the biggest risk of passwords: their wholesale theft.

In many ways the Admin level is the perfect point to introduce these more rigorous security protocols. There aren’t (or shouldn’t be) too many Admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It’s their responsibility to keep the keys of the kingdom. Perhaps most compelling, they’re the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.

Granted, after a hack, having biometrics there to protect individual accounts should change the retail fraudster’s Return on Investment (ROI) calculations. With biometrics it should be harder for him to turn the user information into money. Still, the Benjamin Franklin axiom that “an ounce of prevention is worth a pound of cure” would seem to carry the day here.

Biometrics to protect customer data

Stolen credentials, basic security lapses at core of 2012 breaches (Search Security)

A common thread could be woven through the high profile data breaches that took place in 2012. Attackers are targeting basic security lapses and configuration errors or bypassing security systems altogether by using stolen account credentials to appear as a legitimate user on the network.

Any organization that allows access to databases full of customer usernames and passwords without biometric authentication is asking for trouble. First, the number of people who have this sort of access should be limited to as few individuals as possible and those should be the types of people who understand both why the security measures are necessary and how to use them.
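The policy argued for above (ordinary users may keep passwords, but every human database Administrator login must pass biometric verification, and the set of such Admins should stay small) can be expressed as a login gate and an audit over login records. The following is an added illustration, not code from the original post or from any product; the JSON record format, the role names `dba`/`superuser`, the factor labels, the constructed sample log lines and the `MAX_HUMAN_ADMINS` threshold are all assumptions made for the example.

```python
"""Policy gate for database logins (added example; format and names assumed).

Rule set, following the post's argument:
  * ordinary users: a password is an acceptable factor;
  * human administrators: a biometric factor is mandatory;
  * non-human administrator accounts (backup jobs etc.): biometrics cannot
    apply, so a certificate is required instead;
  * the number of distinct human administrators is audited against a cap.
"""
import json
from dataclasses import dataclass

ADMIN_ROLES = {"dba", "superuser"}                     # assumed role names
BIOMETRIC_FACTORS = {"fingerprint", "face", "iris"}   # assumed factor labels
MAX_HUMAN_ADMINS = 3                                  # assumed policy cap


@dataclass(frozen=True)
class LoginEvent:
    user: str
    role: str
    factors: frozenset
    human: bool


def parse_event(line: str) -> LoginEvent:
    """Parse one JSON login record (constructed format, one record per line)."""
    rec = json.loads(line)
    return LoginEvent(
        user=rec["user"],
        role=rec["role"],
        factors=frozenset(rec.get("factors", [])),
        human=bool(rec.get("human", True)),
    )


def evaluate(event: LoginEvent) -> tuple:
    """Return (allowed, reason) for a single login under the policy above."""
    if event.role in ADMIN_ROLES:
        if not event.human:
            if "certificate" in event.factors:
                return True, "service admin login with certificate"
            return False, "service admin login without certificate"
        if event.factors & BIOMETRIC_FACTORS:
            return True, "human admin login with biometric verification"
        return False, "human admin login without biometric verification"
    if "password" in event.factors:
        return True, "ordinary user login with password"
    return False, "no accepted factor presented"


def audit(lines) -> list:
    """Return [(user, reason), ...] for every record the policy would deny."""
    denied = []
    for line in lines:
        event = parse_event(line)
        allowed, reason = evaluate(event)
        if not allowed:
            denied.append((event.user, reason))
    return denied


def human_admins(lines) -> set:
    """Distinct human users who attempted an administrator-role login."""
    return {
        ev.user
        for ev in map(parse_event, lines)
        if ev.role in ADMIN_ROLES and ev.human
    }


def too_many_admins(lines) -> bool:
    """True when the distinct human admin population exceeds the assumed cap."""
    return len(human_admins(lines)) > MAX_HUMAN_ADMINS


# Constructed sample log: five login records in the assumed format.
SAMPLE_LOG = [
    '{"user": "alice", "role": "dba", "factors": ["password", "fingerprint"], "human": true}',
    '{"user": "bob", "role": "dba", "factors": ["password"], "human": true}',
    '{"user": "carol", "role": "user", "factors": ["password"], "human": true}',
    '{"user": "backup-svc", "role": "dba", "factors": ["certificate"], "human": false}',
    '{"user": "dave", "role": "superuser", "factors": [], "human": true}',
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_LOG):
        print(f"DENY {user}: {reason}")
    print("human admins:", sorted(human_admins(SAMPLE_LOG)),
          "over cap" if too_many_admins(SAMPLE_LOG) else "within cap")
```

Run against the constructed log, the gate denies `bob` (a human DBA who presented only a password) and `dave` (a human superuser with no factor at all), while `alice` passes with a biometric factor, `carol` passes as an ordinary password user, and the non-human `backup-svc` passes on its certificate. The admin-count check is the other half of the post's point: a policy that is only enforced at login still needs someone to notice when the privileged population quietly grows.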