7 minute read
Biometric Devices Sold on eBay Contained US Military Data
German researchers who purchased biometric capture devices on eBay have reported that they discovered sensitive US military data stored on their memory cards.
The data reportedly included fingerprints, iris scans, photographs, names and descriptions of people, mostly from Afghanistan and Iraq – many of whom worked with the US army.
Advertisement
The researchers, who are the Chaos Computer Club (CCC), which had previously made a name for itself exposing security flaws with other systems and devices, explained that the US military used biometric devices to capture people’s data in Afghanistan. The biometric devices were used to identify individuals, and ‘on used US military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis,’ the researchers noted.
‘Allegedly, access to the biometrics database should not be possible without further technology, but our research shows that all data on the mobile biometric devices is completely unprotected. We were able to read, copy and analyse them without any difficulty,’ said CCC.
The researchers acquired a total of four Secure Electronic Enrolment Kits and two units of Handheld Interagency Identity Detection Equipment at the online auction house.
The devices were examined forensically, and the researchers found that ‘all storage media were unencrypted. A welldocumented standard password was the only thing needed to gain access. Also, the database was a standard database with standard data formats’. It was fully exported with little effort.
The devices CCC acquired ‘contained names and biometric data of two US military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos’.
Taliban
Could this possibly be linked to the disturbing reports that are emerging that the Taliban have possibly accessed biometric data collected by the US to track Afghans, including people who worked for US and coalition forces.
Afghans who once supported the US have been attempting to hide or destroy physical and digital evidence of their identities. Many Afghans fear that the identity documents and databases storing personally identifiable data could be transformed into death warrants in the hands of the Taliban. Furthermore, a March 2022 report from Human Rights Watch1 indicated the Taliban have been collecting biometric data to potentially match against captured US and Afghan government databases.
This possible data breach underscores that data protection in zones of conflict, especially biometric data and databases that connect online activity to physical documents and locations, can be a matter of life and death.
By 2004, thousands of US military personnel had been trained to collect biometric data to support the wars in Afghanistan and Iraq. By 2007, US forces were collecting biometric data primarily through mobile devices such as the Biometric Automated Toolset (BAT) and Handheld Interagency Identity Detection Equipment (HIIDE) 2 .
BAT includes a laptop, fingerprint reader, iris scanner, and camera. HIIDE is a single small device that incorporates a fingerprint reader, iris scanner, and camera. Users of these devices can collect iris and fingerprint scans and facial photos, and match them to entries in military databases and biometric watchlists.
In addition to biometric data, the system includes biographic and contextual data such as criminal and terrorist watchlist records, enabling users to determine if an individual is flagged in the system as a suspect. Intelligence analysts can also use the system to monitor people’s movements
1 www.hrw.org/news/2022/03/30/new-evidence-biometric-data-systems-imperil-afghans
2 www.nist.gov/system/files/documents/2021/03/23/ansi-nist_archived_vermury-bat-hiide.pdf and activities by tracking biometric data recorded by troops in the field.
Over the years, to support military objectives, the US Department of Defense aimed to create a biometric database on 80% of the Afghan population, approximately 32 million people at today’s population level. It is unclear how close the military came to this goal.
Digging up the road twice
With all of the personally identifiable data of the Afghan people that has been collected, it seems odd that many Afghans still lack national ID cards. Local officials in the Farah province of west Afghanistan have claimed that at least 70% of the residents of Farahrud district have no national ID card.
At least 14,000 people hold identity cards in Farahrud while the remaining 70,000 are yet to get the national document, according to the National Statistics and Information Authority in Farah. Residents of the district said that some of them are 40 years’ old but still don’t have any recognisable identity documentation. Recently, the media reported that many Afghans are angry about the delay in the issuance of electronic ID cards, saying that printing and issuing of ID cards from Kabul had already stopped. The applicants added that they are unable to register their names online due to technical issues with the Department for Statistics and Information’s website.
Realising that data for counter-insurgence activities in conflict zones is not the same as for civil registration, it still seems a bit like digging up the road to lay sewers and then digging it up again to lay water pipes.
Belgium and Philippines Discuss Digital ID Cooperation
Manila Bulletin reports that an official from the Department of Information and Communications Technology (DICT) recently held discussions with the Belgian ambassador in relation to the country’s plans for digital cooperation.
According to DICT, this is part of President Ferdinand ‘Bongbong’ Marcos Jr’s aim to accelerate the country’s adoption of digital innovations. DICT Undersecretary for Public Affairs and Foreign Relations, Anna Mae Yu Lamentillo, met with Michel Parys, Ambassador of the Kingdom of Belgium to the Philippines, to discuss areas for digital cooperation, including cybersecurity and digital ID.
‘We want to learn from digitally advanced nations in terms of building and improving digital infrastructure, improving the public’s access to the government’s delivery of public services through digitisation, and strengthening measures against cyber threats,’ Lamentillo said.
Belgium already has an operating electronic citizen identity system, an electronic proof of identity that citizens can use for electronic transactions, such as signing electronic documents and securely logging in to online public services.
One of Marcos’s priorities is to fast-track the issuance of national IDs to make transactions with different government agencies seamless and more efficient.
Lamentillo said that the DICT is also exploring partnerships with other nations to help pursue the Marcos Administration’s ‘Build Better More’ strategy, which aims to bridge the digital divide and improve the provision of public services through eGovernance.
Men More Likely to be Victims of ID Fraud
Men are about twice as likely as women to have had their identity stolen, a survey1 by UK’s Nationwide Building Society has found.
Nearly a quarter (23%) of men said their identity had been stolen, while 11% of women reported the same. A third (33%) of those who said their identity had been stolen reported that it had been used to order goods such as a mobile phone or a vehicle.
More than a quarter (27%) said it was used to access or steal from their accounts. One in five said it was used to borrow money in their name, such as by taking out a credit card or a personal loan.
19% said their details were used by criminals as part of a scam to impersonate their bank or building society, or a public organisation, such as the police, to trick them out of their money.
Nearly two thirds of men surveyed were concerned about becoming a victim of identity fraud, compared with 70% of women.
Women were more likely to say they protect all their social media accounts, with 63% doing so compared with 50% of men. Women were also less likely to have friends or followers on social media that they have never met — with 37%, compared with 53% of men. Nationwide warned that oversharing information on social media can make people vulnerable to fraud. Its survey of more than 3,000 people across the UK found that full names, ages, dates of birth, email addresses, mobile numbers and job titles were among the most common items shared. This information can be pieced together by criminals.
Some people shared their pets’ names, which could give criminals clues about their passwords or security questions. Some also shared their address or postcode.
PopID and Toshiba Partner on Facial Recognition
PopID’s biometric solution PopPay will be integrated into Toshiba Global Commerce Solutions’ Elera Commerce Platform, enabling the use of artificial intelligence (AI)-based facial recognition software that authenticates consumers’ identities. Biometric payments have been gaining ground in retail outlets like grocery stores because consumers, who are used to the speed and convenience of online shopping, are growing frustrated with the time-intensive process of traditional checkout.
With the new integrated solutions from PopID and Toshiba, customers can opt in, scan items and then select a button to have their face scanned. Because PopPay biometric cameras authenticate them, customers don’t need to use a card or phone.
‘With nearly a quarter of America’s consumer spending going through Toshiba’s point-of-sale solutions, Toshiba is the largest retail-focused solutions company in the US and globally,’ PopID CEO John Miller said in a press release. ‘This partnership will enable Toshiba’s customers to use our technology to increase revenue, drive loyalty engagement, improve operations and lower costs while enhancing the overall customer experience.’
With the comfort level of younger demographics that have grown up taking selfies, PopID’s verification system is both familiar and trustworthy.
‘These college students have grown up taking pictures of themselves and putting them all over the internet with TikTok and Snapchat,’ Miller said in an interview. ‘The idea that you can take a picture of yourself to get your loyalty and pay is a natural extension of what they’ve been doing their whole life.’
Report Finds More US Service Members are Reporting Identity Theft
A new federal report shows an increase in military members experiencing identity theft. Officials say service members reported nearly 50,000 cases of identity theft to the Federal Trade Commission in 2021 alone.
‘This is having a real impact on service members and their families,’ said Tom Feltner, Senior Engagement and Policy Fellow at the Consumer Financial Protection Bureau (CFPB).
The agency said military customers had their information misused to fraudulently access government benefits, credit cards and bank accounts. Experts say this can impact the hundreds of thousands of service members who move every year and look for housing off base.
‘What they don’t have is the luxury of waiting to make sure that their credit report is clean,’ said Jim Rice, Assistant Director of the Office of Service member Affairs at CFPB.
Many service members are also required to pass a national security clearance check. This includes a review of their credit history. If that review shows excessive debt, experts say it can impact some military careers.
‘It’s not that everyone is at risk of losing their security clearance,’ said Rice. ‘But in that process, it is a combination of both gaining a security clearance and holding onto a security clearance.’
1 www.thenationalnews.com/business/2023/01/09/men-more-likely-to-be-victims-of-stolen-identity-than-women-survey-suggests/
