For hackers, biometric data is the Holy Grail.
In a move fraught with risk, Mexico, a country that has become a haven for the black market of stolen personal data of all kinds, is about to build a big biometric database to be used not just for the benefit of government institutions but also for the nation’s banks.
Last year a law was passed that gave Mexican banks until the end of August 2018 to collect biometric data (fingerprints and iris scans) on all their customers. Foreign-owned subsidiaries of global banks like Citi and BBVA were thrilled with the initiative, arguing that it would help them combat identity theft. It could also help lenders fulfill their “know your client” (KYC) anti-money laundering checks, at much lower cost.
The ultimate goal is to develop a unique identification system that will work alongside the government’s national ID scheme, which is apparently in the final stages of development. But Mexico’s banks — in particular the smaller ones — struggle to develop the infrastructure needed to comply with the new rules by the end of August.
So in the past week, the banks were granted a nine-month extension to harvest their customers’ biometric data — and not just their fingerprints and iris features. The lenders will now also be collecting their customers’ facial and voice characteristics, all of which will be stored on a super-secure, highly centralized platform that no hacker, no matter how skilled, resourceful or Russian, will be able to penetrate. At least that’s the plan.
But what happens if the database on which all this data is stored is itself not secure? Mexico has hardly proven itself to be a safe place for valuable data. Last year it won ninth place on PricewaterhouseCoopers’ list of global “economic crime” hot spots. The country’s banks cannot even keep their own payment systems secure, let alone a centralized database full of priceless information on their customers.
In the last two months hackers have made off with around 400 million pesos ($20 million) from three Mexican financial institutions, including one of its biggest banks, Banorte. First they targeted vulnerabilities in the banks’ connections to the country’s domestic payment transfer system, known as SPEI. Then they removed the funds by creating hundreds of phantom orders that wired funds to fake accounts across a number of banks.
This happened just months after a group of cyber criminals came close to stealing $110 million from Bancomext, a state-owned trade bank. It would have been the world’s biggest ever virtual bank heist.
Part of the problem in Mexico is the widespread impunity cyber criminals enjoy, owing to the absence of adequate legal tools and the lack of enforcement of the existing laws. Cyber theft in Mexico is dominated by professional, well-funded criminal organizations. In nine months’ time, those organizations could have the chance to get their hands on the most personal data of all: the biometric identifiers of tens of millions of Mexican bank customers.
If that data is hacked, there is no way of undoing the damage. You cannot change your iris like you can change your password.
As recent data leaks have shown, most databases in general remain incredibly porous, even in countries with far more advanced cyber security systems than Mexico — as demonstrated by the Equifax hack in the US. Yet these biometric technologies are being rolled out with dizzying haste by banks and other financial institutions.
Last year Mastercard set a deadline of April 2019 for the blanket use of biometric identification for its services across the whole of the EU. UK global bank Standard Chartered has begun rolling out fingerprint and other biometric technologies across 15 of the 31 African and Asian markets in which it operates, as part of a $1.5 billion technology investment package. According to Standard Chartered, it is the largest deployment of any form of fingerprint biometric technology by any international bank.
Passports around the globe have had biometric features for years, as have other forms of ID, including many driver’s licenses in the US. In India, over a billion people have been enrolled in Aadhaar, India’s biometric ID system. In China, biometric systems are now so advanced and so widespread that they’re used for surveillance of people on the street. People now sign into their smartphones with biometric data.
In Mexico, as elsewhere, there’s been no public debate about the potential implications of harvesting biometric data on such a large scale, including the fact that use of data about body parts is largely unregulated, and many companies want to keep it that way.
With biometric passports, people have a choice: no passport, no international travel. Mexican bank customers will probably be granted a similar ultimatum: either comply with your bank’s requests for your biometric data, or risk losing access to banking services. A recent headline in the Mexican financial daily El Financiero sums up the attitude perfectly: “Bid farewell to PINs, the banks will have your complete biometric data”. All that was missing was a little tag at the end with the words “whether you like it or not.”
By Don Quijones.