Yan Zhu, a staff technologist with the Electronic Frontier Foundation, agreed the eBay case was mainly a problem of vulnerable infrastructure. Although eBay stated in a memo that the passwords were encrypted and financial info was not compromised, Zhu said the attack may have been even scarier had the material in the databases included biometric profiles rather than just passwords.

"You can imagine if they were storing a fingerprint scan in plain text and somebody broke into the database, they could also steal your fingerprint scan," she said. "And if somebody stole your fingerprint scans … they could reuse it on other sites as well. And that would be harder to change than a password."

As for why the uptake on biometrics on the consumer level has been so slow, Zhu said backwards compatibility poses a major obstacle.

"If you’re a website like eBay, you have to support the lowest common denominator of users, and of course you have users and in countries where it may not be easy to update your technology," she said.

Thursday, May 22, 2014
CBC News