OPM Data Breach: Why You Shouldn't Worry
Recently it has come to light that as part of the OPM breach, a large number of fingerprint scans were lost - first ~ 1 million, and now maybe 5 million. OPM is the Office of Personnel Management and they are basically the Human Resources department for every agency in the federal government. They do identity checks on all employees. Any data breach is bad, of course, and people are particularly troubled about the loss of fingerprints. Especially the fingerprints of every government employee. We know how to handle loss of credit cards - issue a new number. But what do we do when we lose biometrics? (For more basic information about biometrics, see my Biometrics 101 video.)
Typically, people undergoing a security clearance investigation under OPM will have their fingerprints taken. This is a basic part of most ID verification. As of a few years ago, this was still done with ink and paper (not sure what they do now). Here is an example of a fingerprint card:
It includes all ten of your fingers, collected 2 different ways - "slaps" (bottom) and "rolls" (top). In case you are wondering, slaps are typically used to identify you and rolls are usually used for matching latent prints collected at a crime scene. When someone is investigated, these cards (or scans of them) get sent to the FBI to see if they match any known criminals. They are also matched against "unsolved" latents - partial prints taken from crime scenes of unsolved crimes. Depending upon policy, the FBI may or may not retain them after the initial background check.
My understanding of the OPM hack was that a large number of scans of fingerprint cards were stolen as part of the gigabytes of data that were lost. As far as the data breach goes, let me bring in Captain Obvious:
I feel your pain. My prints are in the data breach. But I think we are way past our ability to trust anyone to protect our data. We just have to deal with the aftermath. So here are some of the concerns I have heard about these prints being owned by Chinese hackers, or whomever (it really doesn't matter).
Thank God they don't have digital prints, only scans.
This is one area where people are under-concerned. In our digital society, we have come to the conclusion that digital == best, but that is not always the case. Ink fingerprints are actually better than digitally captured fingerprints, because there is more detail - you can even see tiny things like sweat pores. Fingerprint cards are scanned at 500 dpi (dots per inch) or 1000 dpi, vs a typical office scan of 72 dpi. A good scan of an ink card collected by a qualified collector is better than a digital scan. It is just a matter of resolution. We don't know what resolution the scans are, but even if they are low resolution scans they can easily be used for matching.
With those prints, they can get into my iPhone/Android phone.
The answer to this one is yes, but with a caveat. With the scans, they can generate a synthetic fingerprint and log into your iPhone. But they have to get your iPhone first. And guess what is all over your iPhone? That's right - fingerprints. Once they get your iPhone, having the prints makes it a tiny bit easier, but they can easily lift fingerprints off the phone itself. They can't use your fingerprints to remote into your phone; the phone biometric technology just doesn't work that way. It all stays on the phone.
At this point it is worth elaborating on the security of a single-factor biometric on your phone. It is really more of a convenience factor - it makes it hard for your obnoxious uncle to get onto your phone and it is a little faster than typing in a PIN. But a PIN is more secure because it is only in your head where it can't be stolen without the threat of a hammer to the knees or four Long Island iced teas. Incidentally, the police can compel you to unlock your phone with a fingerprint, but they can't compel you to unlock it with a PIN.
Now they will be able to arrest/surveil people entering China.
This is the most realistic scenario I have seen proposed. When/if China uses fingerprint scans at the border like the US does, they can compare it against the OPM data. Maybe something in the OPM data says a person is a covert operative (I hope not), but at the least it means you worked for the US government at one time. That will likely get you some extra attention, or worse. This is the biggest issue with this data breach - it provides a strong identity marker (fingerprints) tied to potentially sensitive and damaging information. Without the fingerprints, they just have names, which are notoriously malleable.
One would wonder, though, why any operative would have information linking them to intelligence in an outside database.
My fingerprints have been stolen and I can't revoke my fingerprints!
This is a common, and valid, criticism of biometrics as an authentication mechanism, but it is kind of obvious to anyone in the field. "Revokability" is an important security metric. For example, if someone steals your password they can masquerade as you. But if you find out about this, you can revoke (change) your password and they can no longer masquerade as you. That's really handy. If someone steals your fingerprints, they can potentially masquerade as you (like to an iPhone), and you can't revoke your fingerprints to prevent them from doing that. That is just the nature of the medium - fingerprints are something you "are" and you can't revoke things you are. That just has to be factored into the security posture of the thing you are protecting with biometrics. Most secure biometric systems require two factors - a PIN plus a fingerprint. In that case you are just fine. There are also liveness detection mechanisms which are good and getting better. It is a limitation, but it doesn't invalidate the usefulness of biometrics.
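To make the revokability point concrete, here is a small added example (not from the original post, and not how any real phone or OPM system is built) of a two-factor verifier: a PIN plus a fingerprint template. The minutiae templates and the matcher are constructed toys; a real matcher aligns the prints and weighs minutia quality, but the decision is still a similarity score against a threshold. The point it shows is that a stolen template by itself does not pass, and that after the template is compromised the PIN is the only factor you can rotate.

```python
import hashlib
import hmac
import os

# Constructed minutiae template: each minutia is (x, y, ridge angle in degrees).
ENROLLED = [(12, 40, 30), (55, 61, 120), (80, 22, 75), (33, 90, 200), (70, 70, 310)]
# A live scan never reproduces positions exactly; this is the same finger
# shifted by a pixel or two (constructed).
LIVE_PROBE = [(13, 41, 32), (54, 60, 118), (81, 23, 77), (32, 91, 203), (71, 69, 308)]
# A different finger entirely (constructed).
OTHER_FINGER = [(5, 5, 10), (90, 90, 45), (40, 10, 180), (20, 75, 260), (60, 30, 350)]


def minutiae_match_score(enrolled, probe, pos_tol=4, angle_tol=10):
    """Fraction of enrolled minutiae that have a probe minutia within tolerance.

    Toy matcher: no alignment, no quality weighting. It only illustrates that a
    biometric decision is a threshold on a similarity score, never an exact match.
    """
    matched = 0
    for x, y, a in enrolled:
        for px, py, pa in probe:
            if abs(x - px) <= pos_tol and abs(y - py) <= pos_tol and abs(a - pa) <= angle_tol:
                matched += 1
                break
    return matched / len(enrolled)


class TwoFactorAccount:
    """Requires a PIN (something you know, revocable) AND a fingerprint
    (something you are, not revocable). Hypothetical class for illustration."""

    def __init__(self, pin, template, threshold=0.8):
        self.template = template      # the factor you cannot rotate
        self.threshold = threshold
        self._set_pin(pin)

    def _set_pin(self, pin):
        # Salted, stretched hash so a leaked database does not yield the PIN directly.
        self.salt = os.urandom(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def rotate_pin(self, new_pin):
        # Revocation is possible for this factor only.
        self._set_pin(new_pin)

    def pin_ok(self, pin):
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pin_hash)

    def fingerprint_ok(self, probe):
        return minutiae_match_score(self.template, probe) >= self.threshold

    def verify(self, pin, probe):
        # Evaluate both factors before deciding, so a wrong PIN and a wrong
        # finger look the same to whoever is knocking.
        pin_result = self.pin_ok(pin)
        bio_result = self.fingerprint_ok(probe)
        return pin_result and bio_result


if __name__ == "__main__":
    acct = TwoFactorAccount("4821", ENROLLED)
    print("live finger + PIN:", acct.verify("4821", LIVE_PROBE))        # True
    print("stolen template, no PIN:", acct.verify("0000", ENROLLED))    # False
    acct.rotate_pin("9137")
    print("stolen template + old PIN after rotation:", acct.verify("4821", ENROLLED))  # False
```

Note that a stolen template combined with a known PIN does get in, which is exactly why the post says the PIN has to carry the revocation: once the fingerprint is out, rotating the PIN is the only move left, and the biometric is reduced to the convenience factor described above.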
Since they have my fingerprints, they can plant them at a crime scene.
This is one of the more far-fetched examples I have seen. While researching this, I tried to find a single example of this ever occurring and I found none. I asked some friends who are Latent Print Examiners if this is possible and they felt strongly it was not. You can't just make a gummy bear fingerprint and go pressing it around a crime scene. You have to replicate the oils and grime and gunk that real hands leave everywhere. That is far from trivial. But let's say they can do that.
For them to frame YOU, they would presumably know you, have some other reason to link you to the crime, etc. In that case, they could just follow you around and get fingerprints from your car, a glass you picked up, a shopping cart, whatever. It is at least theoretically possible, but the OPM hack doesn't make it easier in any meaningful way.
The Chinese may have your fingerprints, and they probably have mine. But if you are working with a security system that depends upon your fingerprints being confidential, you have lost before you started. You broadcast your biometrics all the time, even before the Chinese hackers stole them. These aren't the droids you are looking for, move along.