Financial institutions are increasing their investment in biometric authenticators to replace the use of PIN-based authentication mechanisms at Automated Teller Machines (ATMs), but cybercriminals are already developing ways to defeat the new authentication measures. A Kaspersky Lab investigation discovered at least twelve underground sellers offering skimming devices designed to steal fingerprints from ATMs enabled with fingerprint scanners.
By 2019, consumer biometrics could be a $30 billion industry with over 500 million scanners on devices from mobile phones and laptops to automobiles and ATMs. Cybercriminals are hoping to infiltrate many of those scanning devices. According to Dark Reading, the first wave of biometric skimmer devices used on ATMs, which surfaced last September, was too slow to handle large data loads, but future devices will have faster data transfer technology. Fingerprint skimmers are not the only devices that could be used to bypass biometric authenticators. At least three criminal outfits have begun testing ATM skimmers designed to steal data from iris recognition and palm vein readers. Hackers are also discussing the use of mobile applications to take an individual’s photo and manipulate it to hack a facial recognition system.
Kaspersky Lab security expert Olga Kochetova said the investigation highlights the need for strong controls over biometric data. “The problem with biometrics is that unlike passwords or PIN codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image,” Kochetova said. “Thus, if your data is compromised once, it won’t be safe to use that authentication method again.”