Is Biometric Security Already Obsolete?
An international security consulting firm has created quite the stir across the pond by reporting that hackers have already figured out not only how to steal biometric data from ATM machines but also how to commercialize the sale of devices facilitating its capture.
On September 22, 2016, Kaspersky Lab reported there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints from ATMs. In addition, at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems. By the way, this is in addition to reports demonstrating that it is possible for hackers to steal information stored on EMV chip cards.
The news caused one British regulator to write a letter to banks telling them to report on the steps that they are taking to secure biometrics. What makes this report so disturbing is that, whereas compromised ATM and credit cards can be reissued, you can’t change someone’s biometric data. If it really is as easy to steal this information as it appears it will be, then the use of biometric passwords will offer convenience to people like your faithful blogger, who is frustrated by an ever-growing list of passwords, but will be an expensive dead-end when it comes to security.
From now on I’m going to tell my wife to follow Kim Kardashian’s lead and take millions of dollars in jewelry with her wherever she goes instead of using a safety-deposit box. What could possibly go wrong?
The report also underscores just how behind the curve this country is when it comes to cyber theft. Merchants are still grumbling about the use of chip readers and a major Presidential candidate is encouraging cyber-hacking his opponent while Europe is already debating the merits of biometric security. I can’t believe that this is the best the country that created Google, Facebook and Microsoft can do.
Which brings me to my proposed one-sentence guidance for all regulators, financial institutions and businesses to follow: “Every business must have a cybersecurity plan, but one which is tailored to its size, complexity and cyber vulnerability.” Any mandate more prescriptive than this will be outdated in days and deny institutions the flexibility they need to weigh cybersecurity costs against other expenditures eating away at the bottom line.
Extended Exam Cycle, Right Around The Corner
NCUA announced yesterday that well-managed credit unions with assets of less than $1 billion could move to an extended examination cycle, beginning next year, subject to board approval. The recommendation is among ten put forward by an agency working group on exam flexibility.
On that note, enjoy your long weekend. I will be back on Tuesday!