A recent investigation by Kaspersky Labs reports that a number of underground sellers are offering skimmers capable of stealing users' biometric data, such as fingerprints. A number of others are researching iris-scanning and palm-vein recognition systems.
With a number of banks looking to introduce fingerprint-reading technology into their ATMs, cybercriminals are looking to stay ahead of the curve by exploiting these systems before they make it to general release.
With the inherent weaknesses in PIN- and password-based authentication, biometrics looks set to take over as the most prominent authentication type in the near future.
Biometric skimmers first made their appearance in September of last year; however, progress quickly stalled due to a number of technical limitations and bugs, including the slow transfer rates of biometric data over GSM, which impacted functionality.
This generation of the technology, however, is proving to be more effective and faster.
“The problem with biometrics is that unlike passwords or PIN codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus, if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way,” explained Olga Kochetova, a security expert at Kaspersky Labs.
“Biometric data is also recorded in modern passports – called e-passports – and visas. So, if an attacker steals an e-passport, they don’t just possess the document, but also that person’s biometric data. They have stolen a person’s identity.”
Discussions have also been seen online where would-be scammers are looking into mobile applications that use masks worn over the would-be criminal's face in order to fool facial recognition systems.
Although these techniques are more advanced than the current malware and ransomware attacks that are so prevalent against today’s Internet banking technologies, Kaspersky Labs also commented that it did not expect to see many of the more traditional methods abate.
Below is a video PoC of an ATM attack.
It’s expected that exploiting biometric authentication will just be added to the banking scammers' arsenal.
Written by: Steven Boyd
Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.
(Security Affairs – BT Wi-Fi extenders, hacking)