The New Rise Of Biometric Banking

The New Rise Of Biometric Banking

When Apple started selling its iPhone 5S with a Touch ID fingerprint reading sensor, all of us entered the biometric age a bit. Apple acquired the technology when it purchased AuthenTec in 2012. Samsung followed quickly with its own version of the tech in the Galaxy S5 and soon-to-be-released S6.

German hacker Starbug - whose real name is Jan Krissler - is not impressed. He hacked Apple's Touch ID roughly a day after its launch, replicating the last fingerprint that had touched the glass iPhone surface with kit that included a scanner, a printer, and a bit of glue.

And he followed this up in December by reproducing the fingerprint of German Defence Minister Ursula von der Leyen, using photographs from a press conference at a distance of about 10 feet.

Starbug believes that proper protection requires "two-factor authentication, based on two completely independent components from one of three methods: knowledge - password; possession - smart card; and biometrics."

"The problem with that kind used here," he says, "is that you probably will find all the 'secret' information of one method on the device used for the second method. So, if you are able to make a dummy finger from fingerprints found on the phone, the two factors are only worth one," he concludes.

The vulnerabilities in fingerprint recognition are not exactly secret. And so the race for alternative biometrics is on.

It is spurred by a new abundance of cheaply produced sensors - mostly from east Asia - and software connecting them with cloud services. Low interest rates also provide a rich environment for tech investment.

When near-infrared light is transmitted through your finger, part of it gets absorbed by the haemoglobin in your veins.

Your vein pattern is established in the womb, and stable throughout your life, says Hitachi's Ravi Ahluwalia. Hitachi's VeinID scanners can authenticate you by your resulting vein pattern.

Mr Ahluwalia says his company has explored finger vein authentication on trading floors in France and Northern Europe.

But some working within financial technology think several of these biometric scanners are just a bit intrusive for banks and credit card companies to want to introduce them to ordinary consumers.

For these companies "the expensive and inconvenient part is actually challenging the user," says Dr Neil Costigan, an Irish cryptographer and chief executive of Stockholm-based BehavioSec.

"When they're asking where's the calculator in the drawer, or can you confirm your first pet - the user gets annoyed. With every step of security causing users to do something, a lot of payments fall off," notes Dr Costigan.

"It's a lot about easing the journey - only challenging the bad guy," he says. He also says voice recognition is promising for banks, precisely because consumers do not find it as "Big-Brotherish".

If you wish to push this to the extreme, there are start-ups experimenting with biometric implants - implanting an RFID [radio-frequency identification] chip under your skin, or a decomposable tattoo which may hold up for one to two months.

But most of the time, it's not so much biometrics that are the weakest link as their implementation, says Candid Wueest, principal threat researcher at the internet security firm Symantec.

"We've seen penetration testers, instead of hacking a fingerprint to get in a server room, just remove two screws to remove the fingerprint reader from the wall," he says.

"And then you can just get some device hooked up to the wire, and send a signal saying you've found a valid finger."

Governments and private institutions will often relax security rather than vex their consumers.

"The more people you need to get through, the more you tend to lower security," says British biometrics expert Dr Carol Buttle.

An alternative is behavioural biometrics - looking at the gestures and speed with which users key in their password, in a way they won't necessarily see.

When Danske Bank tried introducing a timer into its e-banking platform, it found that the speed at which a user filled out an online form could differentiate a real user from an imposter 97.4% of the time.

Many have predicted biometrics will cause the death of the password. Dr Costigan at least thinks devices like HSBC's physical Secure Key are on their way out, and credit cards, too.

"You don't expect people to have this very powerful mobile phone device, and then go off and search for a calculator," he says.

He believes Scandinavian banks, benefiting from closer co-operation in the banking sector, have led the way in applications featuring behaviour-based identification.

The major credit card companies agree that biometrics are very much on their radar.

"Probably 20 years ago, no one would've thought the phone would have the impact on banking that it's having," says Jonathan Vaux, executive director at Visa Europe.

"If I know the minute you land at JFK, because your phone is paired with your account and geolocation tells me you've landed - that should drive for a better customer experience," he says.

And Dr Stephanie Schuckers, a professor at Clarkson University and chief executive of NexID Biometrics, says hacking of the sort achieved by Starbug is well within the grasp of organised crime, but not easily scalable.

Perhaps we shouldn't rely on the humble fingerprint just yet.

Join discussion