Unfortunately, we have another contender for Breach of the Month. In fact, this one could radically change the trajectory of modern authentication, depending on the aftermath.
Yesterday, security researchers Noam Rotem and Ran Locar announced the discovery of a security hole in Suprema’s network. Based in South Korea, Suprema serves as a biometric authentication and identity security provider across the globe. The security hole allowed the researchers access to the authentication data of more than 1 million users. This information includes facial recognition data, fingerprints, unencrypted usernames, and passwords.
Moreover, the researchers discovered they could view administrator passwords, replace users’ fingerprints, and observe the usage of biometric data. Indeed, Suprema allegedly stored fingerprints unhashed as actual fingerprints, allowing hackers to exploit them.
Additionally, the researchers discovered the exposed personal data records of 27.8 million users in the Suprema Biostar 2 database. The information in this database had no cybersecurity protections and little in the way of encryption. For example, Suprema seemingly stored both user and administrator passwords in the database in plaintext.
The researchers worked with vpnMentor to discover the security hole. They found it by scanning ports for familiar IP blocks which led them to the public-facing dataset. Allegedly, Suprema proved reluctant to listen to the researchers about the security hole; subsequently, they told The Guardian the hole had been plugged and that they would inform customers of any resulting threat. However, it remains ambiguous whether a malicious threat actor discovered the vulnerability before the researchers.
Our Take on the Suprema Breach
The Suprema Breach represents the first major breach of biometric data of its kind. Of course, the potential consequences become impossible to predict accurately. We don’t know whether hackers ever discovered the problem previous to the researchers’ discovery. As such, we don’t know whether hackers weaponized the data already.
If they had, the Suprema breach indicates the dangers of over-relying on biometric authentication. Across our articles, we constantly decry the usage of passwords in enterprise authentication; we stand by those assessments of passwords as unreliable, easily cracked, and damaging to business workflows.
However, the real issue doesn’t lie with passwords but with single-factor authentication. Any time your enterprise only places a single layer of identity security between access request and database puts your entire business at risk. The Suprema Breach shows not even biometrics are immune to this maxim.
Instead, your enterprise needs to embrace biometric authentication through the lens of multifactor authentication (MFA). The more layers you can enact, the more challenge hackers face in trying to breach your databases. Even if biometric data becomes compromised, it doesn’t leave you completely vulnerable.
Additionally, please take the Suprema vulnerability as a warning to configure your data storage options. You should never store sensitive data in plaintext, should always hash sensitive data, and databases should never face the public. In fact, you should deploy step-up authentication to ensure only the most trusted users can access the data.
What the Experts Said on the Suprema Breach
What does the Suprema breach mean in the long and short term? How can enterprises learn from it, and how can they prepare? We consulted with identity management and security experts to find out. Here’s what they say:
Robert Prigge, President, Jumio
This data breach comes at a critical moment, as a growing number of consumers are comfortable using biometric technology on a daily basis to unlock their phone or authorize a digital payment. Storing sensitive biometric data without encryption, such as the actual fingerprint and facial recognition information compromised with this breach, is gross negligence.
At the bare minimum, biometric data requires strong encryption but additional steps, like hashing and creating mathematical models that can’t be reverse engineered, should be applied to further increase data security. Retaining the actual fingerprint images proves dangerous on behalf of Suprema; biometrics cannot be changed and this puts 28 million people at extreme risk.
If a username or password is compromised, consumers can recover the account and update their credentials. This won’t work with biometrics—once the information is leaked, the end-user is out of luck and their biometrics can be used in future attacks.
This data breach proves that biometric data remains extremely valuable to fraudsters, but when used on its own, isn’t enough to prove an individual’s identity. This is why liveness detection is absolutely crucial in the digital identity verification process. A liveliness check can quickly ensure an account holder is physically present during the transaction to prevent cybercriminals from spoofing a system using stolen biometric data in an attempt to acquire someone else’s privileges or access rights.
Anurag Kahol, CTO, Bitglass
The Suprema incident is the first reported biometric database breach and is yet another example of a company that exposed highly sensitive consumer data due to a simple security mistake. Leaving a database publicly accessible is unacceptable—especially given the extremely sensitive data with which Suprema is entrusted. While it is not currently known exactly how many accounts were compromised, it is reported that fingerprints and facial recognition records for millions of people have been exposed.
To avoid a similar mistake, organizations must have full visibility and control over their customer data. Security platforms that enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information are critical for organizations that want to be certain that their data is truly safe. Likewise, cloud security posture management (CSPM) is an indispensable tool in detecting misconfigurations that expose data.
Kevin Gosschalk, CEO, Arkose Labs
Suprema’s breach exposing biometric records for more than 28 million people—including fingerprint data, facial recognition data, and face photos of users—disrupts the long-held belief that biometrics are the most effective authentication solution. This breach not only exposes individuals to fraud but also makes them indefinitely vulnerable to future attacks, as biometrics, unlike passwords or credit card numbers, cannot be changed.
Today’s cybersecurity ecosystem has commoditized the sale of consumer records and credentials on the dark web, making passwords and other traditional authentication methods easily susceptible to account takeover attacks. Biometric authentication technology emerged as the go-to solution in a post-password world. However, comprising the biometrics of millions of users could have long-term impact on its viability and security. We are in uncharted territory because this is the first major biometric breach to-date, and it’s unclear how immediately cybercriminals will be able to weaponize this information to the detriment of 28 million victims impacted and 5,700 organizations currently using Suprema’s biometric identity technology.
What is clear, however, is that this highly-sensitive information should have never been left on an unprotected database. Data powers today’s global economy, and businesses must understand their threat landscape and implement a proactive approach to fraud prevention.
Jeff Hickman, Director of Solutions Engineering, SecureAuth
The unprecedented Suprema breach today underscores why we still can’t rely on a single factor or method of authentication. Whether you choose passwords or biometrics, there is always a risk that the factor will be compromised. Arguably, biometrics are a much stronger method of authentication than passwords and provide an improved user experience, but this risk is now much more real because of this breach.
This doesn’t mean that we—as an industry and consumers of biometrics—need to jump ship. But we must scrutinize how and where we store our data, and understand what that means for our risk tolerance.
At this point in time, the breach report states that in addition to usernames and passwords, fingerprint data and facial recognition data leaked as well. It’s important to remember that this doesn’t necessarily mean that your actual fingerprint or face map data has been compromised. Some biometric solutions aren’t actually storing a “scan” of your fingerprint, but rather the result of the scanner “fingerprinting” the key data points that make your fingerprint or facial scan unique.
We don’t have enough data at this time to make a conclusion on how Suprema is storing biometric data, but it does remind us to ask questions of these biometric companies of how they are storing this information.
Thanks to our identity management experts for their time and expertise! The Suprema breach may change the conversation about Biometric Authentication, but your enterprise should still consider incorporating biometric authentication in its access management. To learn more, check out our 2019 Biometric Authentication Buyer’s Guide or our 2019 Identity Management Guide.
Latest posts by Ben Canner (see all)
- Key Findings: The Gartner 2019 Critical Capabilities for Identity Governance and Administration - November 13, 2019
- 60 Percent of Enterprises Misunderstand Cloud Security Responsibility Sharing - November 12, 2019
- 5 Identity Management Insight Videos for 2019 (and 2020) - November 11, 2019