Passwords are inherently flawed. Whether because of their simplicity or their rampant reuse, people have a tough time protecting valuable information with nothing more than a secure character string. As a result, it has become increasingly common for individuals and organizations to use biometric data, such as iris scans and fingerprints, to secure information and devices. Yet these systems create a whole new attack vector for threat actors, since a biometric scan is ultimately turned into the same ones and zeroes used to store character-based passwords.
Intel 471’s research on cybercrime attack methods has found that biometric data presents a bespoke risk to device or network security. If attackers can obtain biometric data and subsequent access to the information it protects, they could leverage the access and data in an extortion attempt and/or sell the data on underground forums or shops in the form of stolen identities. Additionally, compromised biometric credentials bring further risk because unlike a credit card, account number or password, leaked physiological or behavioral biometric data cannot be changed.
Threat actors are becoming increasingly aware of the value of access to biometric data. As their understanding of biometric security protocols grows, they have learned to exploit vulnerabilities in facial and fingerprint recognition software to gain access to a device and/or to share information on how to bypass behavior-based anti-fraud systems. In turn, those exploited systems allow actors to commit crimes just as they would with any other compromised system. While this activity is currently in its infancy, we assess with a high degree of confidence that this data will become a popular target as biometrics become more commonly used.
Documentation fraud remains a prolific threat in the underground, as fake documents containing biometric data allow threat actors to conduct other illicit activity, such as illegal immigration, property fraud or the creation of false identities.
In September 2020, we observed two Iranian actors offering to sell biometric and other identification documents that could be leveraged in multiple countries. One actor advertised a package of 76,000 national codes and biometric national cards, including but not limited to drivers’ licenses, identification cards, passports, personal badges and student identification cards. The documents came from a wide array of countries: Brazil, Egypt, India, Jordan, Saudi Arabia, Senegal, South Korea, Spain, Sudan, Ukraine and the United States were all represented in the package. The other actor offered to sell 72,400 scanned Iranian identification documents allegedly obtained from Iran’s Ministry of Cooperatives, Labor and Social Welfare. The actor provided supporting screenshots that included images of national identity cards in both the classic and new designs, with biometric details and, where available, the corresponding birth certificates and military cards.
Fingerprints and facial features
As fingerprint identification and facial recognition systems become more commonly used, the opportunity for actors to take advantage of vulnerabilities in these technologies is growing.
One financially motivated attack scenario was unearthed in 2020, when it was reported that a vulnerability in Apple Pay could allow an attacker to bypass biometric protections and conduct fraudulent contactless payments. According to the U.K. scientists who reported the flaw, the “replay and relay” attack was used to make an unauthorized contactless payment of U.S. $1,350 on Visa credit cards linked to an Apple Pay account while the phone was locked.
Several other biometric vulnerabilities were disclosed in 2021, including a vulnerability that allows attackers to bypass biometric authentication on Android devices (CVE-2021-3145) and another in the Samsung Note20’s fingerprint scanner permitting fingerprint mirroring, which would contribute to a high false recognition rate for users logging into the devices (CVE-2021-22494). In August 2021, yet another vulnerability was discovered in the Windows Hello facial recognition system in Windows 10 that allowed an attacker to bypass biometric authentication with a spoofed image, but the assessed risk associated with the vulnerability was low because an attacker would need physical access to a Windows 10 device to leverage the security flaw.
Intel 471 does not have any evidence that actors on the cybercrime underground have leveraged the aforementioned vulnerabilities. But as this technology grows in use, we are confident there will be an increase in the number of threat actors seeking similar vulnerabilities that allow biometric security bypass techniques to be executed remotely.
Behavioral features turn into bugs
In addition to focusing on technical vulnerabilities, some actors aim to manipulate the behavioral aspects of biometric security. While discussed much less than other attacks, Intel 471 has observed cybercriminals sharing information on bypassing behavior-based anti-fraud systems. An actor has claimed that some banks implemented random forest algorithms to reduce the cost of a popular digital identity subscription service. This less effective encryption contributed to the threat actor’s ability to reset behavioral pattern parameters and enter protected environments. This actor also allegedly bypassed the service’s two-factor authentication (2FA) by emulating his twin brother’s behavior patterns, such as copying keystrokes and mouse movements.
The cybercriminal underground is only beginning to scratch the surface of what is possible with biometric data. While some actors choose to target the systems offering the least resistance, others have exhibited the patience and persistence required to overcome security challenges and exploit systems protected by biometric technologies. While actual attacks have been very limited, the observed conversations among threat actors suggest they find the data enticing and have explored which organizations may be at risk of biometric data compromise. As organizations consider adding this technology to their overall security strategy, it is crucial to understand that as biometric data becomes a valuable target for threat actors, its loss becomes far more impactful than stolen passwords, because it cannot be changed.