International Cyber Expo International Cyber Expo
  • About Us
Wednesday, 15 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

How Bad Biometrics Decisions Can Create a Lasting Brand Nightmare

by The Gurus
February 27, 2018
in This Week's Gurus
Share on FacebookShare on Twitter

Great brands earn the trust of their loyal customers over time. But, brands are created by businesses, businesses are created by people, and people make mistakes. Fixing a mistake can be an opportunity to build a stronger customer relationship, furthering loyalty. But, cybersecurity breaches are mistakes of a much great magnitude. Once trust is lost, the road back can be painful and costly. In some cases, brand damage can be permanent.

Verizon, in their latest annual Data Breach Investigations Report (https://goo.gl/atQnAX), estimates over 80% of breaches “leverage stolen or weak passwords”, directly compromising the attack surface (the login screen). Understandably, choosing the right biometric solution to fortify the attack surface now plays a critically important role in corporate strategies. The decision to use an inappropriate or badly performing biometric can have significant consequences.

Some early adopters buying into overreaching security claims have already felt the public sting of a bad biometrics choice. A while back, a respected US financial organization with a trusted brand chose a biometric that claimed having a user blink proved liveness – but it doesn’t. The weakness was exposed when a national science magazine easily spoofed it, and it was done without even using photo animation software like CrazyTalk.

In the past several years, Samsung has fumbled through a series of major new-product launches that cost it dearly. Hours after the launch, a YouTube video showed a user logging in with a digital photo, destroying the illusion of security (>820,000 views to date). Further, their iris scanner was hacked and the brand took another very public hit.

A very similar story has unfolded around the performance of Apple’s Face ID, which has been spoofed with masks, siblings, a 10-year-old child and even… pizza toppings. At this stage in the development of Face ID, it can only be considered an on-device convenience feature. The consensus is it will improve, and if any long term damage to the Apple brand will exist remains to be seen, but as is plainly evident in social media, it is shaking confidence and is not shedding a positive light on the flagship device.

John Williams, a San Francisco Bay Area-based global marketing and strategy veteran, is unequivocal: “Major breaches of any sort, like those at Yahoo!, Target and Equifax have a lasting, negative effect on the actual value of the company; and moreover, on a customer’s willingness to stay with the brand. Users will run the other way if they think they are personally exposed. This is true for businesses of any size or type. Spending focused time to match your organization’s specific needs to an appropriate biometric that meets your specific needs and performs as advertised can prevent very serious, lasting consequences.”

This is not to say the massive efforts to advance biometrics are insignificant. Quite the contrary. It’s a difficult problem to solve, not only because of the inherent complexity, but the problem and its solutions are truly global and will always be a moving target.

But, there are two salient issues to examine today. First, if a biometric is presented as a security feature, it should perform at a level commensurate with what it is purports to protect. If it opens a device or can open an app, the level of security is relatively low, and can be classified as more of a convenience. Face ID, for example, is likely more secure than Touch ID, but for it to protect higher-level transactions, it will require more development (which, no doubt, Apple will do). A latte and a scone, sure. But a $5K wire  transfer, it’s not there yet.

This distinction is critical, because even if the spoofing of a biometric is contrived, like the Touch ID vs. cat’s paw video, the company’s brand is at risk because the general public can’t discern between real threats and contrived situations. Also, any demonstrable biometric spoof opens the door to liability for friendly fraud. A user can claim that since the biometric was not proven 100% secure, they had nothing to do with the $10,000 transferred overseas from their account, and insist that it had to have been done by an imposter.

With demand for biometrics high, but truly secure mobile biometric options low, many companies have settled for multi-factor solutions that compromise security. And in most of these cases the password isn’t actually being replaced, it’s simply being bypassed by the biometric. This means all of the security risks of the password are present, plus the added risk of the insecure biometrics, increasing the attack surface. Brands must realize that biometrics that are designed to unlock a device are not secure enough to replace a password when accessing a bank or healthcare account.

Reducing the attack surface is one of most effective means of improving security and the current trends toward multi-factor authentication embody this thinking: more login modalities strung together promise to increase security. But if one of the modalities can be easily spoofed, then it can’t really be considered a factor at all. So beware the false sense of security that comes when stringing weak factors together.

Some considerations companies should contemplate before adding a biometric to their app:

  • What percentage of the user base owns the specific hardware required to use the biometric? If users can’t try it because they don’t own the latest high-end device, or have not purchased a dongle, they will still have to use passwords by default and the company must continue to support both password and biometric logins indefinitely.
  • Is the biometric convenient enough for any customer to use daily? The biometric needs to be fast and be as secure as necessary with as few factors as possible
  • Transmitting digital images of faces or fingerprints to a server and then storing them long term in the cloud along with, passwords and other PII could prove problematic for the Brand if there is a breach.
  • Can the biometric be easily spoofed with readily available media? If it takes a 3D face scan and Hollywood mask-masking professionals weeks to fool your biometric, the general public will not likely see that as a real-world vulnerability. But if your biometric can be spoofed with a photo, slideshow, video, fingerprint copy or CrazyTalk7, then it’s entirely possible competitors, unhappy customers, or just YouTubers looking for views, may target your brand and expose the weakness.

Some additional considerations when making biometric decisions include:

  • Assess all related costs, like dedicated internal support resources and additional customer support requirements, as adding a biometric and keeping passwords may actually cost more to support.
  • The term “authentication” is not clearly defined today. A FIDO authenticator and Google authenticator are not the same thing and serve different purposes. True biometric authentication requires strong liveness detection.
  • Test and evaluate internally, but also look for reputable third-party verifications and certifications for the assurance of security.
  • Consider initiating your own third-party testing for independent verification.

The mobile security problem is global, and affects billions of people. The stakes for trusted brands are very high. The biometric your company chooses will directly impact your user’s security and your image . Give careful and deliberate consideration to not only the convenience level of any biometric you assess, but also the real-world security level, and determine from every angle whether that impact is net positive or negative.

————————————————————————————————————————-

John Wojewidka is the Director of Business Development for FaceTec, Inc. FaceTec improves security for businesses and consumers by providing intelligent, ultra-secure mobile biometric software to mobile app developers. Leveraging decades of Computer Vision, Artificial Intelligence and Machine Learning experience, FaceTec is changing mobile security by replacing app passwords on nearly all iOS and Android devices with ZoOm®, the world’s first universal 3D face login software for mobile apps. ZoOm’s patent-pending face authentication technology ensures not only positive identification, but also three-dimensionality and liveness. For more information, please visit www.ZoOmLogin.com.

Tags: biometricsface recognition
ShareTweet
Previous Post

CoinDash: Hacker returns another $17m worth of stolen Ethereum to firm just months after ICO heist

Next Post

Changes Made to White House Security Clearance Policies

Recent News

Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

July 15, 2026
Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

July 14, 2026
Lidl Confirms Data Breach After Third-Party IT Provider Hack

Lidl Confirms Data Breach After Third-Party IT Provider Hack

July 14, 2026
Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

July 14, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol