Biometric Security Comes with Unique Advantages, Concerns

Some businesses are looking to biometric markers to replace ID cards, but the shift raises security questions.

by Brian Nearing, Times Union / October 31, 2017

(TNS) -- This spring, a popular Queensbury amusement park offered its customers a choice — use a membership pass with their photo on it, or switch to a new pass based on a scan of their fingerprint.

Most people visiting the Six Flags Great Escape park opted for the fingerprint scan, and some possibly made their first entry into the world of biometrics — a system where a person's unique individual characteristics, like fingerprints, eyes or facial features are the key to their identification.

"A very small percentage of our guests choose to process their pass with the traditional photo," said Rebecca Wood, director of marketing and sales for the park. "Our guest feedback this season has been tremendous. Members and season pass holders have sincerely appreciated the ease of access and processing."

While such a system will make it impossible for a paying customer to share a park pass with someone else, Wood said the fingerprint system was "implemented with our guests in mind. The easy, expedited method allows guests to process their pass more quickly and eliminates the need to have their photo taken and printed on the membership or season pass."

Biometric markers, unlike passwords or personal identification numbers, should be very difficult for criminals to copy or mimic, which businesses hope should cut down on fraud.

Such fingerprint systems are already available as security on some later model smart phones. A new vending machine system at the Albany Times Union cafeteria even employs a fingerprint identification system to manage accounts.

Biometrics is entering the business world after the U.S. government invested in the technology as part of armed conflicts in the Middle East, where U.S. military officials needed a way to more accurately identify people in regions where documents were not always reliable.

But the large-scale storage of such inherently personal information also raises the possibility that hackers could gain access to the data, as has happened with millions of financial records in the recent Equifax credit reporting data breach.

A password or PIN code, once compromised, can be deleted and replaced. What happens when pilfered data is based on personal characteristics that cannot be changed?

Six Flags tells its customers that a digital finger scan is converted to "an indecipherable series of numbers" which are linked to the customer account, according to the corporate terms of service. "Biometric data collected from guests is securely stored and is not shared with third parties for marketing or other commercial purposes" and is "automatically destroyed within one year following the cancellation/expiration of a pass holder's account."

Two years ago, Attorney General Eric Schneiderman warned that the state's data security law was outdated to deal with such challenges.

He proposed an update, called the Data Security Act of 2015, that would require stronger technical and physical security measures for protecting information, as well as limit legal liability for companies that meet certain security standards.

His proposal would also update the definition of "private information" to include biometric data, as well as email addresses and passwords. Attempts to reach Schneiderman's office for comment Tuesday were not successful.

According to a report issued by Schneiderman in July 2014, the number of reported data security breaches in New York more than tripled between 2006 and 2013.

During that period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, which cost the public and private sectors more than $1.37 billion in 2013. The report also found that break-ins to data networks by computer hackers accounted for about 40 percent of all breaches.

In an op-ed published in September in the New York Daily News, urging that lawmakers take up the two-year-old proposal, Schneiderman wrote that in 2016, there 1,300 significant data breaches in the state — up 60 percent from the year before.

©2017 the Times Union (Albany, N.Y.) Distributed by Tribune Content Agency, LLC.