Biometrics Scare Sends a Reminder About the Need for Thorough Data Protection

What appears to be only a scare about a breach of fingerprint data from a kiosk deployer is sending a reminder to the payments industry that biometrics are no panacea for data-security problems.

“Any security system is not 100% bulletproof,” says David Lott, payments risk expert at the Federal Reserve Bank of Atlanta. “Anything can be penetrated. You have to take very strong steps to protect that data.
The scare came late last week when Tukwila, Wash.-based Avanti Markets Inc., a deployer of payment card-accepting kiosks that dispense food and snacks in company break rooms, disclosed that malware compromised an undisclosed number of its kiosks. Some of the compromised machines were provisioned with fingerprint readers that enable cashless payments through Avanti’s Market Card, a payment and loyalty service that includes a mobile app. The malware may have captured Market Card users’ fingerprint data as well as names and email addresses, Avanti said in a notice on its Web site late last week.

The KrebsOnSecurity news service reported that many of the kiosks did not use point-to-point data encryption. Later, however, Avanti updated a notice on its Web site to confirm that the biometric data were protected.
“In an abundance of caution, our original notice advised customers who used their Market Card to make payment that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality,” the notice says. “We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data, and as such this biometric data would not be subject to this incident as it is encrypted.”

The company did not make a spokesperson available to Digital Transactions News for further comment.
Avanti Markets, which claims 1.6 million customers, said the breach affected about 1,900 kiosks. The malware, which the company believes got into its system shortly before July 4 through a workstation belonging to a third-party vendor and became active July 2, may have captured cardholder names, account numbers, and expiration dates of the payment cards used by employees who weren’t paying with cash or the Market Card. Avanti turned off the cashless-payment functions on the compromised machines soon after discovering the breach on July 4.
Avanti said it worked with the vendor to remove the malware within hours of discovering the attack. The company is working with a forensics investigator to investigate the attack, the perpetrators of which aren’t yet known. Avanti Markets in May began working with its partner operators to provision all of its kiosks with point-to-point encryption technology, a project that as of last week was about half done.

Lott of the Atlanta Fed, who moderated a panel about biometrics at a recent payment-industry conference, notes that biometric technologies convert fingerprints, voice patterns, irises, and other physical attributes into data, which means where and how that data are stored is highly important. For example, Apple Inc.’s iPhone stores fingerprint data on the phone’s secure element, which means a compromise of one phone is limited to that device, whereas systems that store biometric data in central databases could be the source of widespread damage if hacked.
“If they compromise a central database … they could compromise thousands, millions of records,” Lott says.
Security experts say biometrics are most effective as part of a so-called layered security approach that includes other data protections. Rather than relying on physical attributes, some companies are rolling out so-called passive biometric systems that record consumers’ physical motions and usage patterns of payment-originating mobile phones and computers.

Al Pascual, senior vice president and research director at Pleasanton, Calif.-based Javelin Strategy & Research, says it is not surprising that fraudsters are interested as usage of biometrics increases. The Avanti incident is the kind of event “that the industry needs to learn from before biometrics are even more broadly deployed,” Pascual says by email. “If true, it is fortunate that the biometric data is encrypted, but there are undoubtedly a wealth of systems where biometric data is co-located in the clear with other data of value” such as payment information and customer personal identifying information.

“If this type of data was consistently compromised, then it would diminish consumers’ perception of the security value of biometrics,” says Pascual.