A new malware targeting banking customers in Brazil calls into question the security of biometric account protections. Interestingly, the sophisticated attack – dubbed as CamuBot, uses very low-tech, retro ways to target its victims.
CamuBot was recently described in ThreatPost as highly personalized. “It is very possible that [the threat actors] gather information [on potential targets] from local phone books, search engines, or professional social networks to get to people who own a business or would have the business’ bank account credentials.”according to whose input was featured in the ThreatPost article.
CamuBot’s emergence will certainly re-ignite the discussion about the future of biometrics and its seeming “stone age” counterpart: the password.
The death of passwords has been long-reported upon. In 2012, Wired declared “The Age of the Password is Over,” but six years on those easy-to-forget keys to the cyber universe have been holding firm. In 2016, Google was vowing to kill the password by the end of the year. Still, the password’s demise, at least in some form, continues to be forecast by experts.
“It is only a matter of time before passwords are completely superseded, but only for certain types of products and services,” says Robi Karp, CEO of Fluffy Spider Technologies, an Australian supplier and developer of software solutions specializing in telecommunications. Karp points to the natural tension that exists between security and convenience, and biometrics — in theory — solves a lot of that.
“The level of security has to be proportional to the worst risk,” Karp tells SmarterMSP. Karp says the best type of everyday security employs two-factor authentication where the two devices are unconnected. The second device should be personal, Karp says, and that is where the strongest case for biometrics can be made.
“It makes sense to incorporate some type of biometric verification there, banks and other services already do this. The barrier to adding biometrics is now lower as the infrastructure is there, so I would expect to see more two-factor authentication where they make sense,” Karp says.
The most common biometric authentications are fingerprint and retina technology, but more methods are on the horizon.
The case for passwords
Passwords still have proponents, though. Dr. Gernot Heiser, scientia professor at the University of New South Wales, is, perhaps reluctantly, one of them.
“Passwords suck in many ways, and in an ideal world, biometrics are clearly superior and should replace them. But the world is far from ideal, and there are two reasons why I’m skeptical,” Heiser tells SmarterMSP. The main reasons for keeping passwords around, according to Dr. Heiser, include:
CHANGEABILITY: Passwords can be changed if compromised, biometrics can’t. In the ideal world, biometrics can’t be compromised – because they are supposed to be a unique identifier. In other words, you can’t get a different fingerprint or retina, if those ever get compromised.
Any scanner of a biometric property is imperfect and can be fooled. In some cases, the effort to fool is small — the iris scanner fooled by a photo, for example. In others, the effort is massive but that wouldn’t stop a sophisticated cybercriminal. It’s probably only a matter of time until it’s possible to produce an artificial finger from a photo of a fingerprint that will trick a scanner. Once the biometric property has been broken, the only way to un-break it is to completely change your biometrics recognition system.
ANONYMITY: The second advantage of a password is that they are anonymous. “I would be very reluctant to use biometrics, and thus my real identity. It’s bad enough that governments are trying to put citizens under constant surveillance, but it’s even worse to allow untrusted commercial entities to do the same,” Heiser shares.
Despite these arguments in favor of passwords, researchers are working on developing more airtight biometric login options that may yet hasten their demise.
If all this talk of biometrics has caught your interest, stay tuned. Next week, SmarterMSP will talk with a researcher that has developed a heart-based biometric login.
Photo: HQuality / Shutterstock.
