Stolen OPM Fingerprints: What's the Risk?

 The reported severity of the U.S. Office of Personnel Management breach continues to grow, with investigators now reporting that substantially more government employees and contractors' fingerprint data was stolen than had originally been found.

"Of the 21.5 million individuals whose Social Security numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million," says OPM's press secretary, Sam Schumach, in a Sept. 23 statement. "This does not increase the overall estimate of 21.5 million individuals impacted by the incident. An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals."

By "incident," Schumach is in fact referring to just one part of the overall OPM data breach, in which attackers compromised sensitive records - relating to government background-check investigations - for 21.5 million government workers, as well as an as-yet-unspecified number of their friends, spouses and dependents (see Analysis: Why the OPM Breach Is So Bad).

In what the agency has called a "separate but related" hack attack, attackers also stole 4.2 million federal employees' and contractors personnel records. The April discovery of that theft, which reportedly occurred in December 2014, led government investigators to then discover the background-check-record theft, which reportedly began with a May 2014 network intrusion. OPM has notified the 4.2 million personnel-records victims to that breach, and offered them identity theft monitoring services. But the agency says that it has yet to begin notifying the 21.5 million background-check-record victims, or making available three years' worth of prepaid identity theft monitoring services (see OPM Breach Notifications: 21.5 Million Are Still Waiting).

Fingerprints: Future Fallout?
Despite the quantity of stolen fingerprint data being worse than suspected, OPM officials have been attempting to downplay the potential fallout, and say they have formed a committee to explore the issue.

"Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves," OPM's Schumach says. "Therefore, an interagency working group with expertise in this area - including the FBI, DHS, DOD, and other members of the intelligence community - will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse."

But Schumach warns that the stolen OPM fingerprint data may affect victims well into the future, as authentication systems evolve. "If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach," he says.

Stolen Biometrics: No Replacement Policy
Some security researchers refer to authentication systems based on fingerprints - such as unlocking an iPhone by using the home button's fingerprint reader - as a type of active biometrics, as opposed to passive biometrics, which might look at the location or MAC address of a PC that is attempting to log into a banking application. And when active-biometrics data gets stolen, there's little that victims can do to prevent the data from being abused.

"You only have 10 [biometric] passwords - if you're lucky to have all of your fingers - and you only have 20 passwords, if you count all of your toes," says Ryan Wilk, an anti-fraud and biometrics expert at cloud security vendor NuData Security. "It's one of the risks of using active biometrics: you run out of options if they start to get breached."

Stolen biometric data can also be used to defeat some biometric-based security systems. In 2011, for example, a researcher known as "CC" fooled the face-unlock log-in feature on his Galaxy Nexus - running Android 4.0 "Ice Cream Sandwich" - using an image of himself, displayed on the screen of a different smartphone and held up to the Nexus camera.

In light of those types of easy defeats, some biometric systems have added new types of checks, such as requiring people to blink and demonstrate that they're a real, live person. But as Popular Science journalist Dan Moren documented in March, he was able to defeat that check - in an iOS bank app, which he declined to name - simply by holding up the screen of another smartphone that displayed a video of his face, in which he blinked.

"One of the problems with biometric security in the past has been that of course you could fake it," says computer science professor Alan Woodward from Surrey University, who's also a cybersecurity advisor to the association of European police agencies known as Europol. "We've seen some people, just from photographs, being able to reconstruct people's fingerprints - there was the famous one of the German politician."