Next Phase in Forcing Biometric Tracking on Consumers

Ironically, banks in Mexico are clamoring for it.

By Don Quijones, Spain, UK, & Mexico, editor at WOLF STREET.

In 2018, banks in Mexico will face new regulations that will oblige them to collect biometric data (fingerprints and iris scans) on all of their customers. Whenever a customer asks for a new home or car loan, cashes in a paycheck, applies for a credit card or opens a new savings account, the bank in question will have to request the customer’s digital fingerprints and then match those fingerprints against information in the database of the National Electoral Institute.

Foreign-owned subsidiaries of global banks like BBVA and Citi are thrilled with the initiative, arguing that it will help them combat identity theft. Most high street lenders in Mexico have already agreed to help build a single biometric database, says Marcos Martínez, president of Mexico’s Banking Association (ABM).

The ultimate goal is to develop a unique identification system that will work alongside the government’s national ID scheme, which is in the final stages of development. According to the former Secretary of Finance and Public Credit (and now presidential candidate for the governing PRI party), José Antonio Meade, by the summer of 2018 all Mexicans will have a single biometric identification number.

These developments are moving fast and quietly. And as is the case with biometric programs being tried and tested all over the world right now, from the uncharted backwaters of long-forgotten war zones to the bustling metropolises of the West or East, no one is being consulted along the way.

Most national passports these days include biometric data. Driver’s licenses in the US (which serve as de facto ID cards) already have them or soon will. Meanwhile, millions — perhaps soon billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, we’re already giving away our most private data to work, communicate, cross borders or get on planes.

China has taken biometrics to a whole new level, using facial recognition technology to validate identities in virtually all forms of transaction, including the use of toilet paper in public bathrooms.

What sets the biometrics program in Mexico apart from what is happening in most other countries is that it is the country’s financial regulators and private banks — and not the government — that are requiring this, though the government is not far behind. The development of a single biometrics database to be used by banks and other financial institutions raises serious questions about financial security as well as data privacy.

“Biometrics are tricky,” Woodrow Hartzog, an Associate Professor of Law at Samford University, told WIRED. “They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.”

Unfortunately, as recent data leaks have shown, most databases remain incredibly porous. In this year’s hack of the U.S. consumer credit bureau Equifax, the personal data that was stolen included names, birth dates, Social Security numbers, driver’s license numbers, bank account numbers, credit card numbers, mortgage data, and payment history data, including to utilities, wireless service providers, and the like.

This, in itself, is highly compromising data that can be of huge value in the wrong hands. But imagine what could have happened if the database had included U.S. consumers’ most personal data of all — the biological traits that make them unique?

If the United States’ biggest consumer credit bureau can be hacked and key data on 143 million US consumers stolen with such apparent ease, what are the chances that a similar or even worse fate could befall Mexico’s newly created biometrics data bank? It’s not like Mexico is short of enterprising criminals with lots of liquid funds to hire gifted, mercenary hackers — or pull off an inside job.

Hackers are already engineering ways to spoof biometric authentication. Researchers were able to break into Apple’s Touch ID system with just a small piece of Play-Doh.

The scariest thing about this mad rush by corporations, banks, credit card companies, governments and (yes!) some consumers to embrace biometrics is not the speed at which it’s happening, which is scary enough, but the complete lack of public debate taking place about the thorny issues it throws up. Those include the threat it poses to privacy and anonymity, the fact that use of data about your body parts is largely unregulated (and many companies want to keep it that way), or the deceptively public nature of biometrics.

“A password is inherently private,” says Alvaro Bedoya, Professor of Law at Georgetown University. “The whole point of a password is that you don’t tell anyone about it. A credit card is inherently private in the sense that you only have one credit card.”

Biometrics, on the other hand, are inherently public, he argues. “I do know what your ear looks like, if I meet you, and I can take a high resolution photo of it from afar,” says Bedoya. “I know what your fingerprint looks like if we have a drink and you leave your fingerprints on the pint glass.” And that makes them easy to hack. Or track.

But this juggernaut has now been put in motion, and it’s unlikely to be stopped because the biggest benefits will be enjoyed by the governments, banks, and corporations that are busily rolling out these schemes for their own purposes.




  66 comments for “Next Phase in Forcing Biometric Tracking on Consumers”

  1. cdr says:

    Mixed feelings about this. Of course there will be problems. But, if properly and thoughtfully applied, it would be a good way to prevent identity theft and other thefts. A two-factor application, biometric plus a password or a credit card is a good step. Passwords alone make me nervous. I use additional steps whenever possible.

    • Ty says:

      If you don’t mind being tagged like a piece of property.

      • cdr says:

        like your driver’s license or social security card or your passport or your credit card?

        • cdr says:

          or your cell phone number

        • Ty says:

          You (we) are being boiled slowly.

        • cdr says:

          Ty,

          yes. the cell phone number is a slippery slope. Next comes the camera at home or the computer attached to your thermostat or TV or refrigerator. Pretty soon, they’re in your car navigation or storing your DNS history at your ISP. Then your phone provider keeps a record of the numbers you called, forever.

          And someone somewhere has nothing better to do than look your sh*t up and wonder about you while being paid to do it.

          Unless, of course, you’re in the EU and experiencing the war on cash or being considered a hate criminal by complaining about an immigrant committing a crime in Sweden.

          Thus the need for a thoughtful discussion. Although I’m more concerned about advertisers and related goofballs looking into my affairs than the US govt.

          The EU, yes, you have a point.

    • Gary says:

      And if it makes identity theft and other thefts more likely?

  2. tony says:

    THIS IS BAD BAD BAD IN FACT WORSE THAN BAD.

    • cdr says:

      no, not really. Although I understand your kneejerk terror. Most people just react. Few have actually thought through this or that security method.

      Agree the potential for abuse exists. This is why a thoughtful discussion without the kneejerk fright is needed.

      As said, biometric with another thing is not bad.

      Security requires something you have, something you know, and/or something you are. Combinations of these are called two factor authentication. Two factor security is pretty good.

      • TJ Martin says:

        Nice try but the simple fact remains … Big Brother is on the rise … as Huxley claimed it would .. not Orwell’s version .

        e.g. Huxley ( Brave New World ) stated clearly we’d beg for it . Preferring the pretense of convenience and entertainment over any and all forms of privacy

        And let’s be blunt here .. with the way the world is going … including here in the ( not so ) good ole US of A … abuse isn’t just possible … it is imminent

        And that CDR … ain’t no ‘ knee jerk ‘ reaction .. but simply a statement of fact .

      • millard fillmore says:

        Privacy is not a ‘kneejerk terror’. Acceptance of biometric identifiers is more of a kneejerk, sheeplike acceptance of a lack of personal privacy.

    • RepubAnon says:

      Whenever I think of biometric data, I think of the movie “Demolition Man” – where prison doors are locked by a biometric scan of the warden’s eyeball. An escaping prisoner unlocks the doors by gouging out the warden’s eye and holding it up to the sensors.

      Being as how people have hacked biometric facial scans with fake heads printed by 3D printers, I’m not thrilled by the idea of non-tech-savvy managers being dazzled by the tech, and implementing insecure systems. Remember the electronic voting systems with no audit trail, because they were so very high-tech that no audit was needed? The ones where the hard-wired administrator login name was “admin” and the password was “abcde”?

  3. Mike Earussi says:

    Most people are willing to sacrifice some freedom and privacy for security AS LONG AS IT ACTUALLY WORKS. The problem is that it seldom does work. They lose freedom/privacy but don’t gain any more security. I expect the same to happen here.

    As you’ve pointed out there’s no such thing as a hack proof system, but that won’t keep the government/banks (is there any difference?) from gathering data while promising to create one (but never quite succeeding). So instead of security getting better, it will just get worse.

    • Imre Kovacsi says:

      And this is a shame because it could easily get better. Suppose the owner of the information was liable for losses due to the loss of the information. I no longer think that data collection can be stopped. But if my info is stolen then I don’t want liability. Have the data collectors do my credit watch. No I don’t want to change all my direct pay accounts – you do it. No I will not contest false cards and other debts – you do it. You want my involvement? Personal services are billed at $100 per hour. I bet something like this would cut down on the amount of data stored just because we can. I can’t stop someone but that shouldn’t mean that I automatically assume liability for something that I have no control over.

  4. bandini70 says:

    This is just the stupidest idea of people that do not understand security. You do not create security based on changeable or easily copied keys. Can your iris change or finger prints change, actually due to accidents or diseases, yes they can.
    This is nothing more than a reason to start collecting biometric data as to try to more easily identify people. There will be no more anonymity, not in public either physically or financially. The CPC is already implementing this and sure petty crime is down, only because government doesn’t want competition.
    The rhetoric that only criminals use gold, guns, cash, etc… is the first warning of a sociopath.

    • cdr says:

      a fingerprint AND a password or other two factor method is pretty good.

      Few to none could provide both. A lot like public / private key.

      • TJ Martin says:

        Wanna lay a little wager on that CDR ? Fact is there is no such thing as fool proof security …. anywhere .. or with anything .. regardless of the layers and complexities involved .

        But a complete and total invasion of your privacy ? Well now … that … is massively doable … easier than you or anyone else would be willing to admit to .. especially when compliance on our part is involved .

    • SFTOBEY says:

      BINGO! Spot-on. And if you just so happen to become an “enemy of the state” for wanting secure borders, an end to the demographic destruction of your country, or keeping government / banking snoops out of your life? Well then, they can just make you an “unperson”, with no access to the money you earn; and literally no way out.

      No, I don’t like this one bit. (Kind of like all of the idiots giving out their DNA — and paying for the “privilege” — to companies that will give you a “pie chart” of your supposed origins. Yes, it is stupid.) It isn’t about “security”, and it never was.

  5. John says:

    It’s quite scary to think that some kid working for the N$A, sitting at a computer terminal like in the Snowden movie, can pull up data about me and start nosing around to see what I’ve been doing, where I’ve been, etc.

    We’ve had a number of provincial gov’t employees here in (bankrupt) Ontario recently exposed for unauthorized access to peoples’ health records (the late Rob Ford comes to mind). They’ll now have more data to pilfer. I wonder if the gov’ts will start selling this biometric data to the marketing companies, kinda like MS, Google, Apple, etc., do?

  6. JungleJim says:

    Correct me if I am wrong, but I believe that a hacker at The Black Hat conference has already shown how to beat the biometric checks.

    The problem is that the bureaucrats are looking for a “magic bullet” and there isn’t one. Any system has to be maintainable by the SysAdmin folks and there are special trap doors left for their use. The hackers know this and focus on those trap doors. When they locate one and spring it, they’ve gotcha ! And it’s not that hard either when you remember that commercially available security packages are just that, available for sale.

    • gardener1 says:

      Links? Details?

      Asking for a friend./

      • d says:

        When Bio-metrics first came in on passports one of our local people removed his digital photo and replaced it with one of Osama Bin Laden.

        Then proceeded to travel to many countries that were supposed to be checking the digital DATA.

        He finally got picked up on it, at his point of return entry.

        It was documented and reported.

        His case was dismissed, as his defence was, that he was simply proving.

        It could be done.

        Just like the “Love Bug” worm.

  7. Dave B. says:

    And the Sheep run to slaughter !

  8. andy says:

    Next thing you know you’re involved in illegal eye swapping to avoid justice for crimes you did not yet commit.

  9. GSH says:

    It is a given that your biometrics data will be hacked. Then what?

    You won’t be able to change your biometrics data. It will be your responsibility to convince whoever got scammed with your biometrics that it was not really you. Good luck.

    • cdr says:

      The only way someone could hack your biometric fingerprint is by removing your finger.

      If you show up with an ID and a finger, it’s you. Not the identity thief. If your finger is gone, then you have some explaining to do.

      • cdr says:

        actually, there’s a flaw in the above argument. Can you find it?

        • Art says:

          Well, your biometric information is going to be stored digitally and linked to your other personal identifiers: name, ssn, etc.
          How difficult would it be for a hacker to delete your biometrics and substitute their own? Voila! You are no longer you.

      • I M says:

        I’ll just leave this here:

        https://www.xkcd.com/538/

      • I M says:

        cdr says: “The only way someone could hack your biometric fingerprint is by removing your finger.”

        False.

        If the application exchanging the data is not designed securely or the underlying system components/libraries are vulnerable then the entire system is vulnerable to Man-In-The-Middle and attacks involving identifying data stolen/copied during legitimate transactions.

        You are underestimating the technical skills of the people that do this stuff and overestimating the technical skills of the software consultants hired to build these applications for the lowest bid.

  10. tony says:

    I’m sorry but this is not kneejerk terror. This is outrageous. Is it not enough to restrict how much money you can carry where and when, how much you can deposit or withdraw from a bank, who accepts cash, who does not? All the big banks are going to jump all over this. It will take a little time but it will happen here. Big brother will work it in nice and easy using 911 and drugs as the reason, keep the wars going and we have the constant need for protection against ourselves. I’m sure when it starts the famous name of Goldman Sachs will pop up.

  11. Petunia says:

    There is nothing secure about doing this, especially in Mexico, where their citizens living illegally in the US have already stolen somebody’s identity. It is easy for an illegal to go back home and open an account with some US identity and using their own biometrics. Now the US citizen/resident gets screwed again country by country. So much for biometric data.

    • cdr says:

      OK. Assume an illegal uses his fingerprint with your SSN.

      As long as you can prove who YOU are, the illegal is busted and specifically identified. Without the fingerprint, it’s a spook in the wilderness who got you, unless it was really you pulling a fast one.

      Yes, we need to stop this now!!!

      • JungleJim says:

        “As long as you can prove who YOU are, the illegal is busted and specifically identified”

        Nice try ! Proving that you are the real person is a lengthy process. There have been criminals who stole people’s identities and ran up criminal records with the stolen identity. Their innocent victims have been repeatedly jailed before the matter could be corrected. Same with hospitals when someone steals your medical records and has procedures done.

        • Petunia says:

          And it being Mexico, I would just bribe the bank employee to let me open many accounts at once using one set of biometrics and separate identities. They don’t cross reference on biometrics, it takes too long.

        • cdr says:

          Here’s my finger attached to my hand. Here’s my passport and driver’s license. This fingerprint is me.

          That fingerprint is not mine.

          The debt belongs to that fingerprint.

          Case closed unless you can PROVE otherwise.

      • I M says:

        cdr says: “Here’s my finger attached to my hand. Here’s my passport and driver’s license. This fingerprint is me.”

        Government employee replies: “But sir, that’s not what my computer says.”

        Good luck trying to fix that and good luck trying to recover the time and money to do so.

        Your whole premise relies upon a faulty assumption that mistakes do not happen. They do. The more perfect and secure someone considers a system to be, the more resistant they are to the idea that a mistake is possible. When the government is involved it’s worse because they consider themselves the final arbiter.

        Your second mistake is believing the burden of proof relies on the bank, government, etc. It does not. The burden will be on you to prove you are who you say you are, and you will get no compensation for your efforts. If you believe otherwise you are just fooling yourself.

        Ask all the small business owners that had assets seized by the IRS for alleged money laundering how much of their lost interest, business harm and legal fees they recouped. Hint: zero.

        • d says:

          “Government employee replies: “But sir, that’s not what my computer says.”

          Good luck trying to fix that and good luck trying to recover the time and money to do so. ”

          You really have to have “Been there” before you can understand that’s how it will be.

          Identity theft is old, and is for life. I have 40 years experience of that. As the victims of the Equifax hack (and various others) will slowly come to understand. A “Deed-poll” name change can alleviate most, but not all identity theft issues.

          To so many Sheeple the State is never Wrong.

  12. Saylor says:

    No need to cut off fingers, remove eyeballs…, etc. etc.

    You just convince the ‘system’ that the biometric info and all passwords belong to ‘this’ data and not ‘that’ data.

    Sort of like the electronic key pad to open the door to your house. Screw the keypad and noting which keys are used the most, just go behind the key pad. Is this the same as the biometric systems? Yes. Just on a bit more complicated level.

  13. Winston says:

    Passwords can be changed once compromised. Biometrics CANNOT and, therefore, should only be used as a secondary authentication at most.

    • Petunia says:

      Don’t cut your finger or scratch your eye, very common injuries, because your identity is gone.

    • cdr says:

      that is called two factor authentication. Something you are and something you know or something you have.

      Common stuff.

      Nobody with 1/2 a brain would secure anything based on a fingerprint only. A fingerprint and a password known only to you is far more secure than only a fingerprint or only a password.

  14. It’s fairly well known that eye witness testimony in a trial is the least reliable. So if this can properly match faces up with identities that improves the justice system. I figure government is going to collapse (due to debt) and they will be lucky to classify half the people on the planet, and most of them will need protection from the other (unregistered) half.

  15. economicminor says:

    Maybe it is just in the movies but there are silicone replicas of fingerprints.. I have seen them in the movies.. get a finger print off a glass or ? and make a thin replica and put it on your finger every time you want to use that ID? A retina ID is more difficult but I imagine it will be figured out..

  16. IdahoPotato says:

    In India all bank accounts, policies, IT returns, government services, drivers’ licences etc. are now mandatorily linked to one’s biometric Universal ID card (also called Aadhaar card).

    A college kid can hack into the system.

    http://indianexpress.com/article/india/iit-grad-hacked-aadhaar-data-through-digital-india-app-cops-4781447/

  17. George McDuffee says:

    The privacy ship sailed long ago.

    The only question is will the typical person be hurt or helped by the hyper accumulation of data.

    If it is used correctly for example to minimize welfare or voter fraud, check for wants and warrants, verify check and credit card transactions, etc. it will be a good thing.

    More good applications would be the use of artificial intelligence and “big data,” to deep data mine economic [SWIFT and credit card data], social and medical records to provide early warning of modern crises such as the opiate epidemic.

    It will be a bad thing if hyper data collection is used to monitor/track citizen participation in legal activities such as political rallies etc. , although the recording of riots for later legal action seems reasonable.

    As in everything else, the final result will depend on the people operating the [ever expanding] program, not the program itself.

  18. Anon1970 says:

    Just think what the Gestapo could have done with an ID system based on biometrics during the Third Reich.

  19. gunther says:

    I did a short search about hacking biometrics. To fake fingerprints there is a wiki how and a bunch of other hits. For an iris scan contact lenses with a fake pattern come to mind. That does not sound like added security to me.

  20. d says:

    SF movie around blade runner vintage.

    iris ID is being used for many things.

    Criminal rips out eye of victim, who can gain access to a facility, presents it to the scanner, enters the PW and enters the facility.

    A lot of security companies stopped using handcuffs to attach briefcases to wrist, as too many hands were getting cut off.

    Mass bio-metric ID, will cause a serious rise in violent crime.

    I need your face to get into a Facility, fine. I cut your head off.

    Also it’s very hack-able.

  21. R Davis says:

    So as to track every cent.
    To know where every cent that exists is.
    Be it hard currency or, cyber currency created on a computer screen.
    The Gimmie, Gimmie, Gimmie, mindset.
    In their schizo paranoid fit for control of their Sacred Almighty Buck.

    Money can be fiddled into & out of any & all companies’ balance sheets, with bogus payments for even more bogus goods & services.

    This is not the answer to reining in the stupendous, billion dollar, global fraud that has been enabled as a result of online capabilities.

    Why do they always believe it is the common man, the little guy, the average joe in the street ?
    Or is it a cover for their own criminal endeavors ?

    It is all just one big waste of valuable monies – but more important – a waste of electricity & telecommunication resources.

    • R Davis says:

      The story is thus:
      You get a job, at a convenient time you are alone in the office, you plug in your memory stick & download the company files, pass them on to the processor who utilizes the data to create fiction accounts, purchases, salaries etc. an extension of the business / growth = cash via the banking system.
      6 months tops you get yourself sacked & move on to the next sucker.
      The banks either know & are helpless or most likely they are totally oblivious to the facts.

    • d says:

      666

      THEY are the “Beast”.

  22. R Davis says:

    The above technology will cost billions & is designed to only track the nickels & dimes in the system.
    The feeble minded moron rides again.

  23. William Charles says:

    Sorry, but my mind is my own, not to be infiltrated by nefarious forces hell bent on taking it away! Keep in mind, they will use every excuse in the world but their real motive is to hunt down revenue.

    • R Davis says:

      Hi William Charles.

      Whose motive though ?
      The government ?
      The banking sector ?
      The Tax Department ? … please know that I tremble as I write their name.
      The scrooge in the scheme of things ?
      It’s going to cost billions to set up & billions more to maintain & service … & so much for conserving energy in the name of Climate Change.
      And for what ?

      (please excuse what I am about to say here – it is purely for effect – no offence is meant – I also have little monies to speak of)

      To make sure that a few million Mexicans, on a little better than subsistence living, don’t cheat on their taxes … dear God is that how trivial it is.

      But also, it is not foolproof … no … not for one moment … fake irises can be concocted & fake finger prints also.
      Here is the birth of a new branch of counterfeiting.

      We marvel as the halfwit & his brilliant invention has done it again.

      • R Davis says:

        AI machine Learning intellectual capacity will make counterfeiting happen in picture perfect mode.
        Has everyone forgotten that we can do anything ?

  24. Gershon says:

    The sheeple are meekly being corralled into the globalists’ incorporated neoliberal plantation where they can be fleeced at will.

  25. raxadian says:

    It’s been proven again and again that stuff like face ID and digital fingerprints to log into their smartphones and other digital devices is very very unsafe. More than just typing passwords in fact.

    So if anything identity theft will become even easier.

  26. Emanon says:

    Long ago – during the last millennium, in fact – I held a job that required a security clearance from the US federal government.

    Years later, Chinese hackers stole the entire OPM database.

    https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

    The stolen data included 5.6 million sets of fingerprints, probably including mine.

    If banks require only biometric data, then a hacker could buy a copy of my fingerprints (I’m sure the hackers sold them on the black market) and clean out my bank account.

    If the people in charge of the security clearance system for the US government can’t keep this data secure, then what chance is there that a bank that outsources its IT to the lowest bidder in India can keep this data secure?

    Innocent people will be at risk for the rest of their lives if any hacker, anywhere can breach one database that contains their biometric data one single time.

    It’s a system that requires perfect data defense forever, because one breach, in one database, just one time is enough to obviate the security of *your own body* for *the rest of your life*.

    This is a terrible, terrible idea.

  27. DDrake says:

    Don’t need an identity with cash. …For WHAT? Identity for all, is the ENSLAVE.

  28. Cricket says:

    Don’t DO IT. You’ll be ENFORCING their agenda on you. Which always works against you!

  29. Kenny Logoffs says:

    Yay it stops ID fraud.

    Plus it also ties all your funds you could hold anywhere to your ID.

    Thus no one is capable of escaping the ‘great bailout’, coming to the failing ‘Western’ Central Banking Empire soon!

    After which posts like these will be banned under terrorism or insurrection laws.

    Welcome to USSR 2.0, digitally shafted edition!

    • SFTOBEY says:

      Yep. That is exactly why the banksters are pushing all of these so-called “cash cards”. Hey, get your paycheck FASTER! Or: No more “waiting by the mailbox for your “government benefits checks”. The “convenience” is great!!! Meanwhile, ALL of them require “identity verification” to obtain. (All cards that let you add funds to them are already this way.)

      If you can’t pay your old credit card bill, we’ll just take it from your money-card. If you don’t happen to support the globalist, oligarch “New World Ordure” cabal and their One World Government, they will just “flip” a data switch on your money card so that you can’t get any money (if there still is any in circulation), or you can’t and won’t be able to make any transactions on your now “switched off” money card.

      Best yet, if the bankster shysters want to steal YOUR money for a “bail-in” — because they are running short of faux “funds”, they will just take it from your money card, and you won’t even know. Until, that is, you try to buy food or anything else. No, this isn’t about security, and it never was. It is all about CONTROL. Control peoples’ money and you control the people.
