The Office of Personnel Management on Wednesday revealed that the hackers who penetrated its records system stole 5.6 million fingerprints of federal employees — five times the 1.1 million originally reported.
The cyberattack, which came to light this spring, compromised the Social Security numbers and other sensitive information of 21.5 million people. The discovery of the expanded number of stolen fingerprints does not increase the overall number of individuals whose records were breached.
OPM learned of the additional breached data through an investigation by the Department of Defense and the intelligence community. It is cooperating with them to improve the security of OPM’s databases and systems, said Samuel Schumach, OPM’s press secretary.
OPM is providing federal workers and their minor dependent children with identity theft and fraud protection services at no cost to them. However, many of those affected will not find out that their records were breached or be advised of how to enroll in the mitigation services until the rolling notification process is complete in November.
Federal authorities believe that the fingerprint data is of little use to cyberthieves.
“What we have learned from federal experts is that as of now, the ability to misuse this data is limited,” Schumach told the E-Commerce Times. However, “experts do acknowledge that the ability to misuse this data could increase over time as technology changes.”
Stolen fingerprints might pose more of a threat than federal officials suggest. They could potentially be used to gain access to protected systems or to build identity theft profiles.
“Although usernames and passwords can be changed, and compromised cards replaced, victims of a breach need to understand that every bit of information exposed is becoming more critical by the day,” said Ryan Wilk, director of customer success for NuData Security.
Hackers can combine stolen information to piece together comprehensive user identities. One example is the so-called “Facebook of Everything” that China’s intelligence service may be compiling, he said.
“They are able to use the stolen information and fingerprints to create more comprehensive identity bundles, which sell for a higher value to hackers. With more complete information, more damaging fraud can take place,” Wilk told the E-Commerce Times.
Biometrics at Risk
Hackers can gain access to geographical data on a specific person from one breach and bank account information from another breach. They can then fill out loan applications or apply for credit cards using that stolen identity.
“This is true for the millions of stolen fingerprints as well, especially with the increased adoption of touch/fingerprint-based authentication for mobile banking and payment apps. Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities,” Wilk said.
Victims of compromised fingerprints are at risk whenever server-side biometrics are used. That could be at a bank or the department of motor vehicles, according to Ramesh Kesanupalli, founder of Nok Nok Labs.
“Criminals can plant a fingerprint wherever it might be needed to commit their crimes. If criminals have compromised these fingerprints, they can be sold on the black market to any country they choose,” he told the E-Commerce Times.
“In the extreme, you could have a scenario where a government agent or someone on special assignment under a different identity is now at risk. Any government personnel on special assignment can be outed because of this compromise,” Kesanupalli added.
Hostile Foreign Governments
Individual hackers might not be able to do much with stolen fingerprints, but government agencies conceivably could use them to cause some damage, said Kevin A. Crane, a retired special agent who worked for the DoD and OPM.
“Not a lot can be done with these prints unless a hostile foreign government or entity reverses the prints to be used for access control to secured areas or information,” he told the E-Commerce Times.
If a stolen print were transferred to a skin-like material, a spy potentially could use it to gain access to classified areas, for example.
Government and military properties aren’t the only places at risk. Having the fingerprints of an identity theft victim in hand “allows for the possibility to gain control of secured areas for financial, commercial, industrial proprietary areas using fingerprint-controlled access,” said Crane.
Fingerprint data can be used as biometric authentication to gain access to smartphones, tablets and laptops, according to Christopher Burgess, CEO of Prevendra.
“In addition, the fingerprint data can and probably will be added to the plethora of targeting data already accumulated by the foreign governments’ intelligence services,” he told the E-Commerce Times. “They can then use this data to validate the authenticity of an individual … is this person who we think it is? [Further], the fingerprints can be used to compromise the alias of a law enforcement or intelligence operative operating undercover.”
Criminal scenarios are a definite possibility with stolen fingerprints, said identity theft expert Robert Siciliano.
“A James Bond 007 scenario where someone duplicates a fingerprint and impresses it upon their own is always possible. There have been reports of fingerprints being copied from photos, so having an actual imprint would make it even easier,” he told the E-Commerce Times.
Too Little Too Late
While identity theft protection services can be useful for victims of the OPM breach, it’s impossible to determine the adequacy of that help until the agency selected to provide it proves itself, suggested retired agent Crane.
“The government has provided this identity protection for a relatively short duration. It truly should be lifetime protection since their identity can be utilized immediately after the government coverage ends,” he said. Still, “identity theft protection is definitely an added layer of protection.”
OPM’s offer of identity-protection services to individuals affected by the breach is the equivalent of building a barn after the herd has been rustled, according to Prevendra’s Burgess.
“This offering takes care of the individual’s ability to monitor their fiscal identity for malevolent behavior. For the national security angle, the individual currently enjoys the trust of the U.S. government via their being granted a classified security clearance,” he said.
Beyond that, robust counterintelligence training and briefings are needed to alert individuals about how to react, what to listen for, and how to report approaches from foreign actors who have the contents of their SF-86, a questionnaire used by applicants for national security jobs, he explained.
Offering conventional identity-protection services is not really adequate for a situation involving biometric information, noted Nok Nok Labs’ Kesanupalli. Identity-protection services are useful for theft of Social Security numbers and other personally identifiable information.
“Biometric information is a different animal that identity-protection services do not address. We cannot really imagine all of the future situations where biometrics will be used, given how rapidly biometrics is progressing,” he said.
Identity protection services like Experian and LifeLock manage only the financial and identity fraud aspects of a breach. They do nothing for theft of a person’s “likeness” that can be used to commit crimes or bypass security measures, said Morey Haber, vice president of technology at BeyondTrust.
“Your likeness is unique to you, and fingerprints used to identify you, and only you, have now been compromised. Identity services have no concept how to protect their misuse,” he told the E-Commerce Times.
Many types of crime can be committed with fake fingerprints extracted from a real source. Dozens of websites document how to transfer even an image of a print into a fake one.
“These can be used to bypass biometric devices or even plant fake fingerprints. Any place we rely on fingerprints as evidence or security access is potentially in jeopardy,” said Haber.
While identity protection services and credit monitoring are not enough, user behavior analytics can provide the extra layers of protection even after hacks have occurred, NuData Security’s Wilk noted.
“This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information,” he said. “Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring.”