Biometric Authentication Presents New Security Risks
It sounds like a no-brainer. Adding biometric authentication to customer service channels, whether voice or fingerprint, makes identification easier for customers and reduces fraud—no more password reset dramas and endless security questions. That is a much-needed change, given that 85 percent of customers are frustrated by the identification process during customer service interactions.
All of the above is very true and explains why the customer service industry has been a leading adopter of the technology. But hasty adoption has opened up a myriad of substantial risks. Biometric data can be stolen by hackers, and unlike a password, it cannot be changed by consumers.
In addition to the potentially devastating impact on a company that sees its customers’ biometric data leaked, the promise of biometric authentication could be washed away overnight if customers get spooked.
The vast majority of customer experience technology vendors offer biometric authentication, and their customers are rolling that out to millions of consumers. What started with voice biometrics—a natural progression given the R&D within speech technology in the customer experience field—has spread to fingerprint and even facial recognition, given the prevalence of mobile customer service and the ease of deploying biometric authentication over smartphones.
How Is Biometric Data Vulnerable?
Voice biometric data is particularly vulnerable because hackers only need to record a victim’s voice. From there, they can create phonetic records that break up every sound the victim makes into single letters and vowels and reorganize them into entirely new sentences, thus passing authentication tests and also performing transactions not authorized by the customer.
When it comes to mobile customer service, the smartphone offers a plethora of other biometrics to identify and authenticate customers: fingerprint, hand, face, and potentially even iris scanning. If you want to use these biometrics to identify customers, you need to store data on that biometric somewhere to enable a matching process with the live customer. Biometric identifier information is typically stored either on the organization’s servers (in physical servers or via cloud storage) or locally on the device.
In the former case, even the tightest layers of network security, network segmentation, and encryption cannot guarantee that this high-value data won’t be accessed by skilled hackers.
In the latter case, a hacker would need to access the individual device, which sounds like a lot of work for one biometric identifier, but might not be if they simply head down to their local coffee shop for the day and take advantage of the hundreds of hapless people transmitting information over public Wi-Fi.
The common problem for both storage methods is that the complete biometric vector—all the hacker needs to spoof a recognition system—is stored in one place instead of being split and stored in separate places. As such, companies are vulnerable to an “ultra-breach” where they lose significant amounts of customers’ biometric data.
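To make the alternative concrete, here is an added example (not code from the article or from any vendor) of splitting a template so that no single store holds the complete vector. It assumes a fixed-length binary template, a 2-of-2 XOR split between device and server, and Hamming-distance matching with a hypothetical 20-bit threshold; all names and sample values are constructed for illustration.

```python
import secrets

MAX_DIFF_BITS = 20  # hypothetical match threshold for a 256-bit template

def split_template(template: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: each share on its own is uniformly random bytes."""
    pad = secrets.token_bytes(len(template))
    masked = bytes(t ^ p for t, p in zip(template, pad))
    return pad, masked  # assumed layout: pad stays on device, masked on server

def combine(share_a: bytes, share_b: bytes) -> bytes:
    """XOR two shares back together; both are required."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def verify(device_share: bytes, server_share: bytes, live: bytes) -> bool:
    """Rebuild the template only for the comparison, then discard it."""
    template = combine(device_share, server_share)
    return hamming(template, live) <= MAX_DIFF_BITS

def other_share_for(stolen_share: bytes, candidate: bytes) -> bytes:
    """For ANY candidate template there is a partner share that makes the
    stolen share decode to it, so one share alone narrows nothing down."""
    return combine(stolen_share, candidate)

# Constructed sample data: an enrolled template, a noisy genuine capture
# (3 flipped bits) and an impostor capture (every bit different).
ENROLLED = bytes(range(32))
GENUINE = bytes([ENROLLED[0] ^ 0x01, ENROLLED[1] ^ 0x80, ENROLLED[2] ^ 0x10]) + ENROLLED[3:]
IMPOSTOR = bytes(b ^ 0xFF for b in ENROLLED)

if __name__ == "__main__":
    dev, srv = split_template(ENROLLED)
    print("genuine accepted: ", verify(dev, srv, GENUINE))
    print("impostor accepted:", verify(dev, srv, IMPOSTOR))
    forged_partner = other_share_for(srv, IMPOSTOR)
    print("server share fits impostor template too:",
          combine(srv, forged_partner) == IMPOSTOR)
```

The full template still exists briefly in memory wherever `verify` runs, so the split protects data at rest in each store, not the matching process itself.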
How Can Hackers Use that Biometric Data?
As IT security capabilities advance, so too do the tactics of hackers. To many of us, it seems an inconceivable leap to take data on a fingerprint and turn it into something that could trick TouchID or other fingerprint sensors. It is not as difficult as it may seem, however: Silicon molding kits are available online that can fool most sensors.
Some biometric identifiers might seem much harder to spoof than fingerprints—what some might describe as Mission Impossible–style stuff with iris recognition. That’s not so much the case—with a good 3-D printer, hackers can print contact lenses that can fool iris recognition systems. Obtaining the biometric data is actually the hard part, not spoofing the sensor, but to the previous point, it is not hard enough in a lot of cases.
Building a Strong Future for Biometrics in Customer Experience
While biometric authentication does offer a frictionless customer experience and will ultimately slash fraud, those responsible for customer relationships need to be aware of the very real risks that exist in current implementations. With this knowledge they can safely deploy authentication and also avoid the nasty shocks that can harm their customers, their organization, and the progress of biometrics within customer experience more generally.
John Callahan is chief technology officer at Veridium. He has previously served as the associate director for information dominance at the U.S. Navy’s Office of Naval Research Global, London U.K. office, via an Intergovernmental Personnel Act assignment from the Johns Hopkins University Applied Physics Laboratory.