Biometric Honey. No More.

Dateline: Threadbo, 16th August 2024.

I am sure that responsible commentators on the world of digital finance are not supposed to have a favourite data breach, but I cannot help it. I have a new favourite data breach pretty much every week. One of my current favourites comes from El Salvador, where more than five million personal records, including high-definition facial photos labelled with the individual’s El Salvador national ID document number (DUI), have been made available for free.

(The number and nature of the records prompted speculation on social media that the breach is from the Chivo Bitcoin wallet.)

Honey

Now you may be wondering, as I was, why a responsible digital wallet operator would create a centralised database of personal information, particularly when that information may be of considerable assistance to criminals of many varieties. And, in particular, you may be wondering why the digital wallet operator would store the facial photos at all, never mind in an unencrypted format. If the selfies were required for onboarding (to match an individual face against a photo on a driving licence or some other ID card) then they should have been deleted immediately after the match was made. If they are retained for future “step up” authentication, then the operator should have stored the biometric templates, not the biometrics.

These biometric templates are typically much smaller in size compared to raw biometric data, such as a facial picture, which makes storage and transmission efficient, and they are much more secure because they do not store the…