Behind The Biometrics – All Fun & Gamification

in #security · 5 years ago (edited)

The prevalence of gamification in the products and services we use everyday is creating a dangerous environment where people are willingly releasing information that is vital to their personal security. All in the name of convenience.

Considering that virtually all products and services interfacing with payments now have KYC/AML functionality, one could easily see how the data surrounding one's biometrics holds immense value.

Think of KYC/AML (Know Your Customer / Anti Money Laundering) as a screening/filtering process. It verifies individuals' identities when they sign up on that new FinTech App and weeds out individuals who may be affiliated with terrorism, pedophilia, and other less than desirable activities that land you on Uncle Sam's Shit List.

Unlike passwords, biometrics cannot simply be reset when forgotten or compromised.



While all KYC/AML providers now market biometrics and liveness checks (which are automated processes, of course) as the cutting edge in privacy and security, the reality of the situation is that these technologies have already been compromised.

The biometric data for well over 150 Million Americans has been freely collected by a private company, all in the name of people being able to send funny photos and videos to one another appearing as a much older version of themselves.

All that was required for people to give up their most essential security apparatus (facial biometrics) was the gamification of visual arts, memes, and the ability to make our family and friends laugh. Talk about a psychological and social hack.

Keep in mind, the data associated with each face that was captured in this game is now being hosted and run through third party infrastructure in AWS, various server farms, and/or several internal databases with unknown protection around them.

It is safe to assume all of this data is essentially fully exposed and free for anyone with the incentive and technical know-how to acquire.



Which is to say, bad actors now have the authentic biometrics for 150 Million Americans, and counting. KYC/AML is not effective against social engineering schemes using authentic biometrics. Rather, it is only effective against schemes using fraudulent information, or those containing anomalies that recursive pattern analysis can pick up.

The reason I even mention that these users are American is because relative to the rest of the world, Americans are extremely wealthy. Cyber criminals view American targets as the biggest fish in the financial sea. To say that FaceApp is sitting on perhaps the most valuable treasure chest of a heavily American biometric dataset would be an understatement.

This does not even address the fact that regulation is waaay behind the curve. The rhetoric within the regulatory/compliance community still views facial biometric analysis as the next big step in KYC/AML.

A big step forward, I should clarify. They view this as the next logical step in a regulatory/compliance mandate. So if you're still looking to the government and its host of three letter agencies for guidance, then you're sorely mistaken.

The only way to rationally operate in cyber is to assume you’re always operating within a zero-trust environment. Trust, but verify. More plainly stated, trust nobody.


It is ironic that while people are so willing to give up their data for free, on the reciprocal end, they are not likely at all to take advantage of reparations for having their data completely stolen.

Of the 147 million users compromised during the Equifax breach, only 7 million are expected to take what is rightfully theirs in free credit monitoring. Less than 5%, folks.

Quite amazing stuff, really. After having single-handedly placed 147 million users into a dangerous sea full of sharks looking to harvest identities, siphon funds, infiltrate private data troves, and extract as much money as possible from "wealthy Americans", Equifax is paying virtually no consequence. There is plenty of precedent for this, and unfortunately until public perception comes around on this issue it will perpetuate itself.

What I find more fascinating is that the users themselves are so uneducated and uninterested in the matter that they cannot even bring themselves to accept free credit monitoring from a company that put them directly into this very vulnerable position.

This goes to show how illiterate people are when it comes to caring for and managing their cyber hygiene, data, and personal information security.

And with respect to narrative infiltration rates and timing indicators, this suggests that the narrative around cyber security, data integrity, distributed ledger technology (blockchain), and other emerging technologies has substantial room to run.

If only 5% of the general public have the wherewithal to accept meager reparations, we can safely assume that this structural trend has 95% of its runway ahead of it. Digital information and its security is still in its early innings.



Once this number reaches a higher proportion, we will have an excellent opportunity to sell some stake of our digital assets and convert them to physical assets, in addition to reviewing our bullishness on cybersecurity-related equities.

We are still early.

However, in terms of potential catalysts, there is a fire-storm on the horizon of mainstream narrative shifts in the form of Chinese companies having the DNA sequences of virtually all US citizens who have submitted to DNA tests.

Once this knowledge becomes common knowledge, things will shift rapidly. Just ask yourself, how many third party vendors in the form of suppliers, data managers, organizers, IT facilitators, medical processing labs, payment processors, and the like have access to the DNA that you freely chose to send to them?

Apply this line of questioning to each and every product and service you have interacted with...

Follow the money and you will be shocked at what "private" companies make the supply chain list.




"The aim of the wise is not to secure pleasure, but to avoid pain."
— Aristotle


DISCLAIMER : This content is for informational, educational and research purposes only. This post is not to be taken as personalized investment advice.

If you found this interesting, please up-vote and chime in via the comments. If not, feel free to clog the inbox of a frenemy.