Cybercriminals kidnapped fingerprints 5.6 million US civil servants

If attackers steal a person’s password, it can be changed, but if fingerprints are stolen, this opens up a wide scope for committing crimes against a particular citizen throughout his life. About this, in particular, in his recent interview spoke researcher Carsten Zero (we published excerpts from him in a blog on Habré). Now this thesis has received another confirmation.

In the early summer of 2015, it became known that unknown attackers carried out an attack on the US Office of Personnel Management (OPM) and stole personal data of more than 21 million US civil servants. Now the Office has admitted that among the stolen information, there were also fingerprints of 5.6 million employees.
')
Representatives of the US intelligence services investigating the incident, previously stated that they suspected of attacking hackers from China. The United States Office of Human Resources is the HR department of the country's federal government. This means that the fingerprints of very high-ranking civil servants could be in the hands of intruders.

In a special statement , OPM representatives stated that the possibilities for hackers to misuse stolen data are currently limited. However, over time, this risk may increase in view of, for example, the wider introduction of biometric authentication mechanisms in public services security systems.



At the same time, the victims of the diversion began to receive notifications that their data had been stolen, only at the end of September, although the Human Resources Department had hired a company in the summer to protect the financial data of civil servants.

How can I use other people's prints? Back in the fall of 2013, security researchers from the Chaos Computer Club demonstrated how easy it is to bypass the TouchID biometric identification system on popular Apple devices. Having received someone else’s fingerprint, German hackers produced an “artificial finger” using uncomplicated technology and unlocked the iPhone 5s, protected with a TouchID ( video ).

A year later, in the winter of 2014, on the forum 31C3, the same team presented a report on the remote receipt of biometrics - for example, from a photograph. Thus, now hackers do not even need to “take fingers off” from the victim’s glasses, a high-resolution picture is enough. Below is a video (in German) about this technique, with the help of which researchers obtained the prints of the first persons of the state: