Jerri-Lynn here: This piece succinctly debunks the idea that embracing biometric identification systems is a panacea for a host of identity-theft ills. The root problem is the widespread collection of data in the first place and the failure to prevent criminals from accessing that information to commit economic crimes.
The piece focuses on Mexico’s plans to require banks to collect biometric data from all customers beginning this year. But belief in the biometric fairy is not limited to Mexico alone. India, for example, has created the largest biometric database in the world – the Aadhaar system – yet is only beginning to think through the challenges of safeguarding data and preventing its misuse. And as this piece makes clear, the public is not being consulted in the many places that biometric systems are being rolled out.
The piece closes by making a point that cannot be repeated too often: once a biometric system is hacked, you’re done – you can’t go out and replace your ear, fingertips, iris, etc. So then what happens?
By Don Quijones, of Spain, UK, and Mexico, and an editor at Wolf Street. Originally published at Wolf Street
Criminal organizations in Mexico have branched out into a lucrative new market and revenue stream: big data. They have developed innovative practices to obtain sensitive user information by lifting data from the databases of government agencies such as Condusef, Consar and Buró de Crédito. They call bank customers while spoofing the caller ID so that it displays the phone number of the bank they claim to represent. To gain the target’s trust, they give the credit card security code to the target and ask if it matches what they see on the back of their card. And it goes from there. Now, they’re about to be gifted an invaluable cache of data: the biometric identifiers of Mexican bank customers.
In recent years, Mexico has become a haven for the black market of stolen personal data of all kinds — enough to earn it ninth place in PricewaterhouseCoopers’ latest list of “economic crime” hot spots. According to Symantec, in 2015 Mexico lost 101.4 billion pesos ($6.7 billion at the prevailing exchange rate) in breaches, identity theft, and other unlawful cyber activity per year, about 12 times more than the total annual losses from fraud committed against banks.
A large part of the problem is the widespread impunity cyber criminals enjoy in the country, owing to the absence of adequate legal tools and the lack of enforcement of the existing laws. Cyber theft in Mexico is not just the preserve of isolated hackers but is dominated by highly professional criminal organizations. According to Sebastian Brenner, a security strategist for Symantec Latin America, these are “very well structured groups, with experts for every stage of the process: infiltration, capture, commercialization.”
Now, these criminal organizations are eying the most personal data of all: the biometric identifiers of millions of Mexican bank customers.
This year, banks in Mexico are required to begin collecting biometric data (fingerprints and iris scans) on all of their customers. Whenever a customer asks for a new home or car loan, cashes a paycheck, applies for a credit card, or opens a new savings account, the bank will have to request the customer’s digital fingerprints and then match those fingerprints against the information in the database of the National Electoral Institute.
The law is only in its infancy and it’s highly unlikely that all of Mexico’s banks — in particular the smaller ones — will be able to develop the infrastructure needed to comply with the new rules by the end of this year.
As is the case with biometric programs being tried and tested all over the world right now, from the uncharted backwaters of long-forgotten war zones to the bustling metropolises of the West or East, no one is being consulted along the way.
Biometric identification systems are already encroaching into more and more facets of everyday life. Most national passports these days include biometric data. Driver licenses in the US already have them or soon will. In India, biometric data is starting to underpin everything. Meanwhile, millions — perhaps billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, people are already giving away their most private data to work, communicate, cross borders, or get on planes.
The government of Mexico is already finalizing its own national ID scheme. According to the former Secretary of Finance and Public Credit, José Antonio Meade, by the summer of 2018 all Mexicans will have a single biometric identification number.
The development of a single biometrics database to be used by banks and government raises serious questions about data privacy and financial security. As recent data leaks have shown, most databases remain incredibly porous, even in countries with far more advanced cyber security systems than Mexico. In Mexico almost one-third of all cyber attacks registered in 2015 targeted government agencies. A further 26% were aimed at private sector institutions, including banks. These are the selfsame organizations that will soon be entrusted to protect tens of millions of Mexicans’ most personal data — the biological traits that make them unique.
“Biometrics are tricky,” says Woodrow Hartzog, an Associate Professor of Law at Samford University. “They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.” In other words, if the newly harvested data is hacked by one of Mexico’s burgeoning ranks of cyber criminals, which it almost certainly will be, there is no way of undoing the damage done.
When I see a story that seems out of character, I wonder what is really behind it. Why would Mexico be willing to spend billions of dollars to plan, organize, equip, train, supply and maintain something that appears to be not vitally needed? What incentives must have been paid somewhere to make this a good idea?
I have seen something like this in use before and that is with the coalition forces in Afghanistan. They’ll go out to the back of beyond and take iris scans and the like from some hard-scrabble mountain herdsman so that they know who is who. Maybe a century from now all that info will be useful for the Afghanistan Genealogical Society but whatever.
This brought me to my next thought. After this is in use for a coupla years, it could be really useful – in the US. Think about it. Once that database is up and running – that vital, vulnerable, hackable database – the US will want access because of terrorists or drug gangs or whatever. Then when some cop pulls up some Mexican-looking guy in the US, a quick iris scan will show that he is actually Pedro from Guadalajara whatever he claims and proving his identity to a deportation court will be a snap.