Could bugs like Heartbleed pose issues for biometric authentication?

Heartbleed and Biometric SecurityCould a future bug, with similar implications to that of Heartbleed cause major concern to the future use of biometric security? Following the critical Heartbleed vulnerability in OpenSSL, and reading countless articles online (see below for a few) an interesting conundrum came to my mind.

As we now know, there are three requirements to overcome the effects of the Heartbleed bug on any one server or service:

  1. Patch the affected software on the affected server
  2. Revoke and re-issue the SSL certificates (essentially the private keys used to encrypt traffic between two points such as the end user’s browser and a bank’s web server for example)
  3. Change your password for the affected service/application in case it had been compromised

 

The conundrum focuses on a problem with step 3 and the use of biometric security measures such as fingerprints, retina scans and potentially new vein-scanning technologies. While these technologies are not heavily in use by consumers today they are becoming more commonplace, many users of the new Apple iPhone 5s (myself included) use a fingerprint to speed up unlocking the lock screen and the potential uses are already on the rise as this technology becomes more mainstream.

Taking a high level look at this, from a pure sequence of events (as opposed to analysing how or where the biometric data is stored and/or transferred and how it may or may not be encrypted), I provide the following hypothetical scenario to consider. In 12 months time lets say you can use your fingerprint or a retina scan to get cash out at an ATM, or to identify yourself to your bank and other providers using your smart phone. The technology is in use for a period of time and after a while a bug with similar consequences as Heartbleed happens to be discovered. At that time there may be no clear evidence of whether the bug has been exploited or not, however this actually becomes irrelevant. Taking a worst case scenario, lets say despite the best efforts of the companies, the multiple layers of encryption and all the other security measures that one of the many supporting components of the authentication process has a bug which has, or could potentially cause your biometric details to be exposed, copied or intercepted.

As our primary form of authenticating ourselves today is using a password, we can simply change our passwords which invalidates the potentially compromised user credentials. As I am sure you can now surmise if we were using biometric authentication, we could not simply change our retinas or fingerprints, these stay with us for life. I will admit this is taking the extreme end of a worst case scenario, with any high level security solution, you would expect several layers of protection, but it definitely poses an interesting question of what can be done to invalidate and then re-issue a biometric credential.

Unfortunately I don’t have an answer, I do hope that this might promote some discussion or at least get the idea in the back of a few peoples minds. If anyone has any thoughts or ideas please let me know as I am genuinely curious as to the answer to the riddle. In the mean time, perhaps it is best for us to all strongly consider who we want to hand over our biometric “prints” to… if they are ever compromised you can’t simply change them.

 

Articles that prompted my thinking:

Insurance for your data, why is it so often overlooked?

A hard drive surrounded by flames ©Depositphotos/Klanneke
©Depositphotos/Klanneke

Data is in our lives, our smartphones, our computers, our internet services and just about anywhere and everywhere you can imagine. Yet something a lot of people do not consider is an “insurance policy” for their data. Before I continue, take a moment to note down your current thoughts on computer backups. After you have read this article, have a look back and see if your views have changed. If they have (or haven’t), leave comment and let us know.

People buy insurance for their car to cover if someone crashes into them, they buy insurance for their house in case they are burgled or something else untoward happens. Yet one thing that so many people neglect to do is invest in insurance for their data.

Take a moment to ask yourself the following questions:

  1. What data might you lose if your laptop or computer at home was stolen or your computer suddenly failed irrecoverably? Think photos, financial records, emails, contact information, work, data from your studies, the list really does go on.
  2. How would you feel if you accidentally deleted the folder with the photos of your children since their birth, or from your overseas holiday?
  3. What would you stand to lose if GMail, Yahoo mail or Windows Live mail service suddenly shut down or suffered irrecoverable data loss?

 

I ask these three questions because they cover three common scenarios of how someone might lose data including loss and corruption, human error, or cloud service disruption. I have always said, data loss isn’t a matter of IF, it is a matter of when.

Data loss can happen because of any one of a number of reasons including (but not limited to):

  • Hard drive failure
  • Loss of computer due to malicious causes (such as computer being stolen)
  • Human error (accidentally deleting files)
  • Virus or other malicious software
  • Power failure causing data corruption
  • Natural disasters such as lightening (power spikes), flooding, extreme heat and so on

 

So with all these factors in consideration, why are data insurance and home backups still overlooked and seen as an optional extra rather than a critical necessity. Businesses put backups in place often due to legal requirements as strict minimum, as Well as the fact that is just good practice, however no such legal requirements exist for the home user.

With services such as Backupify.com who can backup an increasing number of cloud data services, and Crashplan.com which covers the data on your local computer, insuring your data has never been easier or cheaper (you can check out my review of Crashpan Family Unlimited for the full rundown there). For those that wish to look for a one off payment solution even something as simple as an external hard drive at home is still better than nothing to ensure you have at least some of the bases covered. For the cost of a couple of coffees a month you can backup your online and offline life and start protecting all the data you have ever put together.

I can say that in my life I have suffered four major data loss events at home, three were due to hardware failure and one due to human error. It wasn’t until the last event of human error that I had a huge hole in my data backup regimes. Covering against myself deleting a file and then not realising until six months later. Having a backup strategy and testing the backup strategy is one of the best things you can do and at some point you will be thanking yourself for taking the time and and a small amount of effort to invest in insurance for YOUR data.

So, now to discuss… Do you back up your data? If you don’t backup, what is it that stops you, is it because it is too hard, lack of knowledge about how to back up, or is it that it is too expensive? I ask in the hope that I can write up some articles on how to overcome these obstacles. If I can convince one person that reads this article to put in a backup strategy, I know I have helped that one person immensely, and that I have saved at least one person future pain and frustration.
Stuart

P.S. For the record even as little as a week ago I experienced data loss on a personal server I house in the United States… as I said, not a matter of IF just a matter of WHEN… you will be happy to know that yes, I had backups so we are all good 😀

Do you control your phone, or does it control you?

Cuddling while on phone ©Depositphotos/OtnaYdur
©Depositphotos/OtnaYdur

If someone took your mobile phone away for eight hours, how would you cope? A simple question that many people answer with, “I would feel naked” or “I can’t live without my phone”.

So the question is a simple one. Can you, and do you ever, turn off your mobile phone? If you see me on the street, I will happily admit I am often there tweeting away, sending an SMS, or surfing the web. Therefore I am probably the last person on earth that you might think would happily say, “I can live without it for a few hours, and at times I like to”.

Each night when I go to bed I turn my phone off, nobody can call me, nobody can SMS me, no emails, messages or otherwise to wake me up. If I go out to a movie, I turn my phone off, I don’t want it vibrating in my pocket, bothering other patrons or interrupting the movie I have paid three limbs and my first born to see. I like to retain control over my device, and control if, and when I can be contacted.

The Backstory

This post comes out of something that happened a little over a year and a half ago when I was out for my birthday dinner with my family at a lovely little restaurant. We were sitting there having a wonderful time when we all observed a couple at another table who had just sat down and both taken their mobile phones out.

From the time they sat down, till the time their food arrived (and much to my own dismay, during their meal) both barely said a word to each other and spent the entire time playing games (and different games so not even a co-op) on their iPhones. It was to the point where I was positively BAFFLED at how anyone could consider the two people as even knowing each other, let alone being out for a romantic dinner.

Is there a solution?

As a geek I know that technology is a part of our daily lives, I struggle to see why people have to grab for their phone the moment they get a message or an SMS, why they insist on letting their phones control their lives. I also can’t believe how often I see social interaction such as the case above with people grabbing for their phones.

Do I think there is a one-size-fits-all solution? Well no, probably not, however I can recommend a great first step for you is to take a step back, next time an SMS comes through, an email goes off or the phone rings, consider whether it is starting to control your life rather than you controlling it. The phone will be there in an hours time, as will any messages or anyone that was trying to call you.

As far as if there is a solution, I can tell you from first hand experience that your friends will need to be “managed” if you start taking back control of your phone, it took me a while to get people used to the fact that I will respond to their messages when I am ready to do so, rather than the instant they popped up on my phone. Initially people may perceive this as rude, but upon explanation they start to understand and accept why I do it.

Having said all this, it is simply my opinion, what are other people’s thoughts? Am I being too old fashioned? Do you have a different opinion or possibly agree with me?

#OpeningTheDialogue

Stuart