How social networks put your biometric data at risk
April 7, 2023
Social networks have become integral to our lives, enabling us to share photos, videos, and audio to connect with others, build our social presence, and even generate income. However, by sharing this content, we may unintentionally expose our faces, irises, fingerprints, voices, and other biometric patterns to hackers, who can exploit them for malicious purposes.
In this blog post, together with Andrius Januta, Cybersecurity Technical Manager at Nord Security, we'll explore how content shared online can be used to steal our biometrics and discuss ways to protect ourselves from this threat. Let's dive in.
Biometric data: What is it?
Biometric data, or biometrics for short, are body measurements and calculations related to an individual's biological, physical, and behavioral characteristics. This can range from DNA, blood type, signature, and walking gait to the more commonly known fingerprints, face, iris, and voice patterns.
Each person's biometrics are unique, so they offer a superior alternative to passwords for ease of use and enhanced privacy and security. As a result, biometric identification has become increasingly widespread, not only in high-security facilities but also in people's everyday lives.
Today, over 80% of smartphones offer biometric capabilities for their users, enabling device unlocking, user authentication for purchases, and confirmation of sensitive actions within various applications.
Social networks: An endless source of biometrics
Biometric features pervade our digital lives and are routinely exposed on social media platforms like Facebook, Twitter, Instagram, YouTube, TikTok, and others. So by posting seemingly innocent-looking eye-makeup tutorials, unboxing or live-painting videos, profile photos, stories featuring our daily life, and voicemails, we're also sharing our unique identifiers with the world.
Rapidly advancing technology and media platforms that support high-resolution images and video can inadvertently expose our face, iris, fingerprint, and voice patterns, which threat actors can clone and use.
How can biometric recognition systems be fooled?
Face, iris, fingerprints, and voice patterns are the four most common biometrics that can easily be harvested from social networks.
Andrius Januta, Cybersecurity Technical Manager at Nord Security, says that while, in general, biometric data offers greater security than passwords, several cases also demonstrate its inherent vulnerabilities.
Facial recognition systems can be fooled by gathering high-quality images or videos of an individual, which can then be utilized to craft makeup that mimics another person's facial features, produce hyper-realistic masks, generate 3D renderings, fabricate full-size head replicas, and even employ deepfake technology.
Fingerprint recognition systems, designed to permit authorized users to unlock or access applications, can be compromised by silicone fingerprint replicas or even crafted duplicates made from wood glue.
Iris recognition systems are generally more challenging to falsify compared to facial and fingerprint equivalents. Nevertheless, A. Januta highlights that a few years ago, a high-resolution photograph of the iris, in combination with a contact lens, was sufficient to mimic an eye for unlocking personal devices.
Voice recognition systems are widely used in smart home devices, banking, and finance. However, voice cloning AI software can replicate a voice captured from video or audio messages. It is important to highlight that today even a short three-second recording is enough to create a high-quality replica of someone's voice.
Malicious use cases
While it's possible to extract biometric data from social networks, the majority of it doesn't leak directly from these platforms. Rather, the greater risk of biometric data leaks comes from poorly secured databases. In both cases, exposed biometric data can be exploited in various malicious ways.
Accessing devices and accounts
With access to your personal devices and a convincing replica of your facial features, fingerprint, or iris, a cybercriminal can bypass authentication requirements to unlock your device. As a result, they can gain full access to your private information, including contact lists, personal photos and videos, work files, financial data, login credentials, and other sensitive documents.
They can access online shopping portals and financial accounts and make unauthorized withdrawals, transactions, or purchases. They could install malicious software on your device to extract data or monitor your activities. A compromised device may even be used to distribute spam or malware to others.
Accessing services or committing fraud
Exposed biometric data can also enable fraudsters to impersonate you when accessing various services and facilities. This may include unauthorized entry to restricted areas and access to financial, educational, governmental, or medical services. A. Januta adds that in some countries, biometric data already enables people to withdraw money from ATMs, enter sports events, and even pay for goods in supermarkets.
Equipped with your biometric data, threat actors can impersonate you while committing crimes. Examples of this include wearing hyper-realistic masks to take loans, accessing bank accounts using AI-synthesized voice clones, or scamming contacts with deepfakes, which according to A. Januta is one of the most common cases today.
He mentions that in one of the cases, threat actors impersonated a Binance executive, copying his image during video meetings and compromising multiple crypto projects. In another case, fraudsters created a deepfake video of one American in which he encouraged his friend to invest in Bitcoin mining.
Compromising your reputation
Deepfake videos or AI-generated images can falsely portray you participating in inappropriate activities or experiencing emergencies. Additionally, this data could be employed to fabricate your fingerprints at crime scenes or impersonate your voice in vishing schemes aimed at your family members.
How to protect biometric data?
"Biometric system spoofing is like a cat-and-mouse game. Once cybersecurity specialists or threat actors find a vulnerability in biometric recognition systems that can be exploited, biometric system providers and tech companies quickly fix it. While it's less likely to happen to average people, high-profile individuals like celebrities, businesspeople, or politicians remain vulnerable, so we cannot overlook the potential risks associated with the exposure of biometric data on social media," warns A. Januta.
To address these concerns, A. Januta offers a range of practical suggestions for safeguarding our biometric information and preventing its extraction from social networks.
Be cautious about sharing biometrics on social media: Stay vigilant when posting videos or images that may expose your unique biometric features, such as fingerprints, face, or iris patterns.
Modify media quality and cover sensitive areas: Reduce the resolution of videos and images featuring you, and consider editing or blurring sensitive biometric information before sharing.
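The two edits recommended above, lowering resolution and covering a sensitive area, are easy to apply yourself before uploading. The following is an added example and not code from the original post or from Nord Security: it models a grayscale frame as a list of pixel rows so it runs without an imaging library, downsamples the whole frame by block averaging, and offers two ways to cover a region, a box blur and a solid fill. The sample frame, the region coordinates, and the function names are constructed for the illustration; with a real photo the same functions would be run on each colour channel.

```python
# Added example (not from the original post or Nord Security): shrink a frame
# and cover a region carrying a biometric feature before sharing it.
# Images are lists of rows of 8-bit grayscale values, so no imaging library is
# needed; for a colour photo the same functions run once per channel.
from copy import deepcopy


def downsample(img, factor):
    """Shrink the image by an integer factor using block averaging.

    Every factor x factor block of input pixels becomes one output pixel, so
    detail finer than `factor` pixels (fingerprint ridges, iris texture) is
    averaged away rather than merely displayed smaller. Trailing rows and
    columns that do not fill a whole block are dropped.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    h, w = len(img), len(img[0])
    out = []
    for y in range(0, h - h % factor, factor):
        row = []
        for x in range(0, w - w % factor, factor):
            block = [img[yy][xx]
                     for yy in range(y, y + factor)
                     for xx in range(x, x + factor)]
            row.append(round(sum(block) / len(block)))
        out.append(row)
    return out


def blur_region(img, x0, y0, x1, y1, radius=1, passes=1):
    """Return a copy with the rectangle [x0, x1) x [y0, y1) box-blurred.

    Each pixel inside the rectangle becomes the mean of its (2*radius+1)^2
    neighbourhood, read from the previous pass so the result does not depend
    on scan order. Repeated passes approximate a Gaussian blur. Pixels outside
    the rectangle are left untouched.
    """
    h, w = len(img), len(img[0])
    cur = deepcopy(img)
    for _ in range(passes):
        nxt = deepcopy(cur)
        for y in range(max(0, y0), min(h, y1)):
            for x in range(max(0, x0), min(w, x1)):
                window = [cur[yy][xx]
                          for yy in range(max(0, y - radius), min(h, y + radius + 1))
                          for xx in range(max(0, x - radius), min(w, x + radius + 1))]
                nxt[y][x] = round(sum(window) / len(window))
        cur = nxt
    return cur


def redact_region(img, x0, y0, x1, y1, value=0):
    """Return a copy with the rectangle [x0, x1) x [y0, y1) filled with `value`.

    A light blur keeps much of the underlying structure, so for a feature that
    must not be recoverable at all, replacing the pixels outright is the safer
    edit.
    """
    out = deepcopy(img)
    for y in range(max(0, y0), min(len(img), y1)):
        for x in range(max(0, x0), min(len(img[0]), x1)):
            out[y][x] = value
    return out


def prepare_for_sharing(img, sensitive_box, factor=2):
    """Cover the sensitive area first, then downsample the whole frame."""
    x0, y0, x1, y1 = sensitive_box
    return downsample(redact_region(img, x0, y0, x1, y1), factor)


# Constructed sample input: an 8x8 frame with one bright "ridge" pixel standing
# in for the fine detail a high-resolution upload would carry.
SAMPLE = [[0] * 8 for _ in range(8)]
SAMPLE[4][4] = 255

if __name__ == "__main__":
    print(downsample(SAMPLE, 2))               # the 255 becomes a single 64 in a 4x4 frame
    print(blur_region(SAMPLE, 2, 2, 7, 7)[4][4])  # 28: the ridge spread over 9 pixels
    print(prepare_for_sharing(SAMPLE, (3, 3, 6, 6)))  # all zeros: ridge covered, then shrunk
```

Cover the sensitive area before downsampling rather than after, so the feature never survives in the intermediate image, and prefer the solid fill for anything you would not want reconstructed: a small-radius blur still leaks the coarse shape of what it hides.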
Opt for less exposed biometric factors: Choose biometric authentication methods that are less commonly exposed publicly or have a lower risk of being compromised, such as iris or retina.
Review shared media thoroughly: Scrutinize any media featuring your biometrics before sharing it on social networks, ensuring that no unintended exposure occurs.
Conduct regular media searches: Periodically search for your own image online and assess the context in which your images appear, taking necessary actions to remove any unwanted or potentially harmful exposure.
Prioritize multi-factor authentication (MFA): Use biometrics that are less exposed for single-factor authentication, or better yet, incorporate biometrics as part of a multi-factor authentication process rather than relying solely on a single biometric factor.
Use an additional hardware authentication device: Enhance security with a FIDO-enabled hardware device, providing an extra layer of protection against unauthorized access via standardized protocols.
Instead of biometrics, use complex and unique passwords: For less important accounts, use strong passwords; just don't forget to update them regularly and store them securely in a reputable password manager.
Exercise caution with new services and technologies: Be vigilant when providing your biometric data to emerging services or technologies, and ensure that these entities have robust security measures in place to protect your sensitive information.