Breach Notification , Governance & Risk Management , Incident & Breach Response
Pakistan's National Database Biometric Data Compromised
Pakistan's Federal Investigation Agency Says Biometric Data Leaked
Tariq Pervez, additional director, cybercrime wing at Pakistan's lead investigation bureau, the Federal Investigation Agency, during a briefing to the National Assembly Standing Committee, revealed that the country's National Database and Registration Authority's biometric data has been compromised, according to a report by Pakistan daily Dawn.
See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases
Dawn initially reported that the biometric data from the National Database and Registration Authority, or NADRA, had been hacked. But Pervez later clarified that the data had been compromised, but not hacked.
The FIA additional director said that NADRA's biometric system had been compromised during the SIM card verification process, according to Dawn's article. Pervez reportedly told the national assembly that a crackdown in Faisalabad had led to the seizure of 13,000 fake SIM cards.
Pervez also told the national assembly that with only 162 investigating officers, FIA's cybercrime wing is unable to address the 89,000 complaints it has received thus far.
In February 2015, following the Peshawar school massacre, Pakistan's government made biometric verification mandatory for issuing mobile SIM cards.
Some publications, including ProPakistani daily newspaper The News, are continuing to report that the biometric data was hacked, but that's not the case, according to Pervez.
Rafay Baloch, lead security researcher at Cyber Citadel and former cybersecurity adviser to the Pakistan Telecommunication Authority, confirms to Information Security Media Group that NADRA's back-end data has not been hacked.
"I think the facts have been not been conveyed properly, or misrepresented," he says.
The data security and privacy protection capabilities of Pakistani telecom firms were put under the microscope when Pakistan-based cybersecurity firm Rewterz discovered that a data dump of 115 million Pakistani mobile users had been put up for sale on a dark web forum.
In September, NADRA rolled out a new feature in its app that could be used to capture the biometric data of Pakistani citizens, upload digital photographs and scan documents for processing national IDs.
In a LinkedIn post, Tariq Malik, chairperson and CEO of NADRA, said the initiative had served as a catalyst in digitalizing Pakistan. "To balance public convenience with protecting personal data, the NADRA platform deploys privacy-by-design and security-by-default principles coupled with multilevel authentication," he said.
NADRA officials have not responded to ISMG's request for confirmation of the recent data leak incident.
Exploiting Biometric Data
Although biometric data is perceived to be a stronger, more fool-proof identity matching and authentication mechanism compared to passwords and PINs, an Accenture study says that with increased adoption of biometric technologies, the incentive to attack biometric-enabled systems grows.
Baloch says that a user being tricked to give their biometric information is no different from users being tricked to share their passwords, PINs or answers to security questions.
According to Accenture's report, biometric fraud detection capabilities are still limited. This encourages cybercriminals to use impersonation techniques and obfuscation tactics, manipulating one's own biometric data to avoid recognition.
A review of state-of-the-art biometric technologies showed that all biometric recognition systems can be spoofed. Even iris scans and DNA-based systems are vulnerable to cyberattacks, the report says.
Accenture's researchers suggest that presenting attackers with a series of varied and unpredictable barriers can make their work not only more challenging, but also impossible to systemize.