Major breach found in biometrics system used by banks, UK police and defence firms | Fingerprints, facial recognition and other personal information from Biostar 2 discovered on publicly accessible database

> In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data. URL manipulation is right up there with SQL injection on the list of most obvious and easily-prevented vulnerabilities. Even regular devs know about this stuff. Apparently everyone at Suprema skipped Cybersecurity 101.


The thing I don’t trust about biometrics is that you only have to leak them once. With a password I can change it if I suspect it’s been stolen. Good luck changing your fingerprint.


This is my favourite:

> “We were able to find plain-text passwords of administrator accounts,” he said.

Good grief… what always puzzles me about such stories is how do such stupid people get these jobs in the first place?


Biometrics should never be used as a password or similar. It should always be the user name. A secure system may identify with biometrics, but you authenticate with either a secondary token or a password.
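A worked illustration of the split this comment argues for, and of the password-storage failure quoted above (this is example code added to the thread, not code from Suprema, Biostar 2 or the researchers): the fingerprint template is used only to look up which account is claimed, and the account is then authenticated with a separately stored, salted PBKDF2 password hash. A leaked template on its own authenticates nobody, and the stored records never contain a plaintext password. The `Directory` class, its method names and the sample templates are assumptions made up for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def biometric_key(template: bytes) -> str:
    """The biometric is reduced to a lookup key: it names an account, it never proves it."""
    return hashlib.sha256(template).hexdigest()


class Directory:
    """Constructed in-memory user directory: biometric -> username -> password record."""

    def __init__(self) -> None:
        self.by_biometric = {}  # biometric_key -> username
        self.accounts = {}      # username -> {"salt": bytes, "digest": bytes}

    def enrol(self, username: str, template: bytes, password: str) -> None:
        salt, digest = hash_password(password)
        # Only the salt and the PBKDF2 digest are stored; the password itself is discarded.
        self.accounts[username] = {"salt": salt, "digest": digest}
        self.by_biometric[biometric_key(template)] = username

    def identify(self, template: bytes) -> Optional[str]:
        """Identification step: which account does this fingerprint claim to be?"""
        return self.by_biometric.get(biometric_key(template))

    def authenticate(self, template: bytes, password: str) -> Optional[str]:
        """Authentication step: the claimed account must also present its secret."""
        username = self.identify(template)
        if username is None:
            return None
        record = self.accounts[username]
        _, candidate = hash_password(password, record["salt"])
        # Constant-time comparison so the check does not leak how many bytes matched.
        if hmac.compare_digest(candidate, record["digest"]):
            return username
        return None

    def stores_plaintext(self, password: str) -> bool:
        """Audit helper: does any stored record contain the literal password?"""
        needle = password.encode("utf-8")
        return any(needle in rec["salt"] or needle in rec["digest"] for rec in self.accounts.values())


def demo() -> dict:
    """Enrol one user with a constructed template and exercise the two steps."""
    d = Directory()
    template = b"constructed-fingerprint-template-0001"  # stand-in for a real template
    d.enrol("alice", template, "correct horse battery staple")
    return {
        "identified": d.identify(template),
        "template_alone": d.authenticate(template, "wrong password"),
        "template_and_password": d.authenticate(template, "correct horse battery staple"),
        "unknown_template": d.authenticate(b"constructed-other-template", "correct horse battery staple"),
        "plaintext_on_disk": d.stores_plaintext("correct horse battery staple"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the only call that yields a username is the one presenting both the template and the password; the stored records contain a salt and a digest and nothing an attacker could read off as a password, which is exactly what the quoted administrator accounts lacked.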


WHO COULD HAVE PREDICTED THIS Oh, everybody? Yep, everybody.