Tuesday, October 13, 2015

Why you should never use your fingerprint to unlock your devices

OPM breach included fingerprint data:
The Office of Personnel Management's press secretary, Sam Schumach, announced this morning that the breach of OPM background investigation data included approximately 5.6 million sets of fingerprints from federal employees, contractors, and other subjects of federal background checks. The new number, tied to the discovery of additional archived data that was stolen over the period of the breach, more than quintuples the number of individuals whose fingerprint data was stolen. OPM's previous estimate stood at 1.1 million. However, the new findings do not increase the overall number of people affected in the background investigation data breach from 21.5 million, Schumach said in an official statement.
Those fingerprints were collected as part of the OPM's background investigations at all levels of sensitivity—ranging from the "National Agency Check with Written Inquiries" (NACI) inquiries for federal employees with "moderate, low risk and non-sensitive positions" to the full field investigations required for more sensitive positions. Based on leaked statements from the Obama administration, the fingerprint data is now, at a minimum, in the hands of the foreign intelligence services of China. Just how that fingerprint data could be used, however, is not clear.
"Is not clear"?  Orilly?  OPM has a decidedly limited imagination.

But if your password gets stolen, you can change it.  If your fingerprint gets stolen, you can't.  You only have ten of them, and a copy of one is good for every login from now on.  A fingerprint can't even be protected the way a password is: the sensor never reads it exactly the same way twice, so the matcher has to keep a template it can compare against rather than a one-way hash, and a template that leaks is the credential itself.  And the OPM hack shows that any sufficiently large database of personal information eventually gets stolen.

So don't use your fingerprint to unlock your devices.


Educated Savage said...

Mythbusters actually did an episode where they proved that you can lift someone's fingerprint and unlock their devices with it. They weren't explicit in detail because of the liability issue of broadcasting that kind of instruction, but they did prove it. This kind of thing is why I don't use the fingerprint option on the self-serve food kiosk at work.

Anonymous said...

Best advice I heard on this topic was to treat your fingerprint as a username, never a password.
Wish I could give credit where credit is due (may have even been this blog), but I can't recall the source.
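
As an added illustration of the post's argument and of the "username, never a password" rule in the comment above (example code written for this page, not part of the original post or its comments), the following Python script simulates both credential types side by side. The fingerprint model is constructed and deliberately simple: a finger is a 256-bit feature vector, each sensor reading flips a dozen bits of it, an unrelated finger is an unrelated vector, and the matcher accepts anything within a Hamming distance of 40. The user names, secrets, thresholds and seeds are made up. It shows three things: two readings of one finger never hash to the same value, so a print cannot be stored as a salted hash; after a database dump the password can be rotated but the stolen template keeps matching; and a login that uses the print only to pick the account, then checks a replaceable secret, is not defeated by the stolen template alone.

```python
import hashlib
import hmac
import random

# Constructed simulation (not a real fingerprint matcher): a finger is a
# 256-bit feature vector, each sensor reading flips NOISE_BITS of it, and an
# unrelated finger is an unrelated vector. Matching is by Hamming distance.
BITS = 256
NOISE_BITS = 12          # bits that differ between two readings of one finger
MATCH_THRESHOLD = 40     # largest distance still accepted as "same finger"


def hash_secret(secret: bytes, salt: bytes) -> bytes:
    """Exact-match credential: only a salted KDF output is stored.
    PBKDF2 stands in here for a proper password KDF (argon2/scrypt/bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000)


def verify_secret(record: dict, attempt: bytes) -> bool:
    return hmac.compare_digest(record["secret_hash"], hash_secret(attempt, record["salt"]))


def read_finger(finger: int, rng: random.Random) -> int:
    """One sensor reading of `finger`: its feature bits with NOISE_BITS flipped."""
    reading = finger
    for pos in rng.sample(range(BITS), NOISE_BITS):
        reading ^= 1 << pos
    return reading


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def verify_biometric(record: dict, reading: int) -> bool:
    """Similarity match. The server must keep the enrolled template itself
    (or an equivalent), because a hash of a noisy reading is never stable."""
    return hamming(record["template"], reading) <= MATCH_THRESHOLD


def hashed_readings_match(seed: int = 3) -> bool:
    """Why a print cannot be stored like a password: two readings of the
    same finger do not hash to the same digest."""
    rng = random.Random(seed)
    finger = rng.getrandbits(BITS)
    h1 = hashlib.sha256(read_finger(finger, rng).to_bytes(32, "big")).digest()
    h2 = hashlib.sha256(read_finger(finger, rng).to_bytes(32, "big")).digest()
    return h1 == h2


def enroll(name: str, secret: bytes, finger: int, rng: random.Random) -> dict:
    salt = rng.getrandbits(128).to_bytes(16, "big")
    return {"name": name, "salt": salt, "secret_hash": hash_secret(secret, salt),
            "template": read_finger(finger, rng)}


def breach_scenario(seed: int = 1) -> dict:
    """Database dumped OPM-style; assume the weak password was also cracked
    offline from its hash. Then the user tries to recover."""
    rng = random.Random(seed)
    finger = rng.getrandbits(BITS)
    user = enroll("alice", b"correct horse", finger, rng)
    stolen_template, cracked_pw = user["template"], b"correct horse"
    result = {"pw_before": verify_secret(user, cracked_pw),
              "bio_before": verify_biometric(user, stolen_template)}
    # The password can be rotated: the cracked value stops working.
    user["salt"] = rng.getrandbits(128).to_bytes(16, "big")
    user["secret_hash"] = hash_secret(b"new passphrase", user["salt"])
    result["pw_after"] = verify_secret(user, cracked_pw)
    # The finger cannot: "re-enrolling" is just another reading of the same
    # finger, and the stolen template still lands within the threshold.
    user["template"] = read_finger(finger, rng)
    result["bio_after"] = verify_biometric(user, stolen_template)
    return result


def login(users: list, reading: int, secret: bytes):
    """Fingerprint as username: the print only selects the account; a
    replaceable secret decides whether the login succeeds."""
    matches = [u for u in users if verify_biometric(u, reading)]
    if len(matches) != 1:
        return None
    return matches[0]["name"] if verify_secret(matches[0], secret) else None


def login_scenario(seed: int = 2) -> dict:
    rng = random.Random(seed)
    alice_finger, bob_finger = rng.getrandbits(BITS), rng.getrandbits(BITS)
    users = [enroll("alice", b"1234", alice_finger, rng),
             enroll("bob", b"9876", bob_finger, rng)]
    return {
        "genuine": login(users, read_finger(alice_finger, rng), b"1234"),
        "stolen_print_only": login(users, users[0]["template"], b"0000"),
        "impostor_finger": login(users, rng.getrandbits(BITS), b"1234"),
    }


if __name__ == "__main__":
    print("same finger hashes equal:", hashed_readings_match())   # False
    print("breach:", breach_scenario())   # pw_after False, bio_after True
    print("login:", login_scenario())     # only the genuine attempt returns "alice"
```

The toy matcher stands in for whatever minutiae algorithm a real system uses; the property that matters is the same in all of them: verification is a threshold comparison against stored reference data, not an equality check against a hash, so the reference data has to exist somewhere in a usable form, and nothing the user does after a leak makes an old copy stop matching.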

Weetabix said...

My daughter told me that when she visited the Great Wall of China, they pulled everyone over and took a thumbprint. I wonder if they're building a data set for hacking?