The 5.6 Million-Fingerprint Breach Could Haunt Its Victims Forever
SecureMySocial CEO Joseph Steinberg, on what losing fingerprint identities actually means.
Last week, news broke that 5.6 million people’s fingerprints were stolen as part of a major cyberattack on Washington’s Office of Personnel Management (OPM). It’s not clear yet what the consequences of the breach are. And that’s exactly the problem, says SecureMySocial CEO Joseph Steinberg.
Steinberg is a cybersecurity expert whose company focuses on protecting employers and their employees on social media, warning them if what they post online will leave them vulnerable to harm — financial, professional, or even physical. He has written columns on the topic for Forbes and currently does the same for Inc. But even Steinberg can’t say with certainty what will come of the fingerprint breach. What he does know is that we use fingerprint security more often without any substantial backup methods.
“I can’t issue you a new fingerprint like I can issue you a new credit card. That is your fingerprint for life, essentially,” he tells me. “The big difference between this or passwords or credit cards is you can’t really reset it.” So these 5.6 million people who’ve had their fingerprint identities compromised are vulnerable for the rest of their lives.
He offers a plausible hypothetical: “If you’re a 20-year-old that has their data compromised in the Office of Personnel Management, and you lived to age 100, the next 80 years that’s your fingerprint. So 30 years from now, whatever we’re using fingerprints for, you run some level of risk that your prints leaked back now, and that some nefarious party would have used it. You know, in an extreme case, imagine that, for example, 30 years from now, the President of the United States used a fingerprint in order to authenticate for something and that person had their fingerprints leaked. Now that’s an uncomfortable thought.”
Steinberg admits it’s the extreme case, but we couldn’t have imagined we’d be opening up iPhones with fingerprints as recently as five years ago. “Are you going to be authenticating going into your office building using a fingerprint in the future?” he wonders. “Are you going to be authenticating whenever we use a credit card in the future? We don’t know, and the point is we see a trend here and it’s more and more biometric authentication.”
The possibility of future attacks is the major threat, but there are more immediate threats, too. He tells me of a hacker who used high-definition photography to capture the German defense minister’s fingerprints. It was more of a test than an attack. Still, it goes to show how easy it can be to obtain fingerprints. Once obtained, “you need a $100 printer and you need to print on certain material,” but then it becomes possible “to reproduce a film that could be used to put on a finger or even put on top of an inanimate object, that would have the fingerprint to trick sensors.”
It sounds like a Mission: Impossible stunt right now, but the OPM leak points to reliance on a future technology that has not yet been secured. The backup system has yet to be perfected. Steinberg says, “You want to store information that lets you check fingerprints, but you don’t want to actually store the fingerprints.”
Fingerprints seem safe on the surface since they’re literally attached to us; they’re ours and ours alone. Everything is improving so rapidly, though, that hackers can move as fast — if not faster — than the major companies making fingerprint access more and more common. The OPM breach’s effects won’t necessarily present themselves immediately, and non-government officials likely won’t see any changes to their personal lives. Still, there’s no telling what the future holds and for what we’ll need our fingerprints. You wouldn’t input your Social Security number to open your phone. Fingerprints may not be any different.