Considering the Cons – Biometrics and Financial Services

Do biometrics also carry potential negatives for big banks and their customers? One con to consider is this: where will all the criminals go?

As biometrics makes it more difficult for criminals to pretend to be someone they’re not and steal from private citizens, it could force sophisticated crime syndicates to target bank systems directly instead. A rise in hacking and cyber-attacks on financial institutions has already begun. Cyber crime is more organized than ever before, and more than 50% of attacks now focus exclusively on financial and e-commerce services*.

Targeting Banks with Poison Arrows

There are a number of different ways that criminals are trying to target financial institutions. One is through social engineering exploits, such as an e-mail, supposedly from the end-user’s bank, asking them to confirm their account information. Cyber criminals then use the information to gain access to the user’s financial records and banking accounts. Malware is another weapon. In these instances, criminals distribute malicious software and trick users into installing it on their devices. When an end-user then enters their credentials, the program can capture all of the information, allowing criminals to gain access to the account. Industry cyber security experts claim that they see about 120 million new types of malware every month*! And that’s not all. Phishing attacks are also on the rise. These tactics target the bank employees, tricking them into downloading malware that lies dormant in the bank’s internal systems. When the criminal wants to capture desired information, he activates the malware and then easily transfers data to thirsty third parties. It’s enough to keep you up at night!

 

Could Biometrics Backfire?

Another possible problem arising from increased biometric use by banks is the way in which data is captured and transmitted. Ultimately, biometric systems still need to communicate data back to the system that authenticates the user – it’s only that the data is different. Just as with traditional usernames and passwords, biometrics can be susceptible to “man in the browser” or “man in the middle” attacks. Today there are some tactical methods to protect biometrics from such attacks. Apple, the US Government and India’s UIDAI program, for instance, all use cryptography together with other techniques to ensure only partial, encrypted or unique tokenized data, rather than the biometric data itself, is shared. As the use of biometrics increases, however, so too will the need to consider standards around the proliferation of biometric data. In order to accept biometric data, participating systems should be forced to abide by a structured storage and transmission framework and protocol.
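The idea of sharing a tokenized assertion instead of the biometric itself can be sketched as follows. This is an added example, not code from the original article or from any vendor named above: the `Device` and `Server` classes are hypothetical, and an HMAC under a per-device key stands in for the public-key signature a deployed system would use. The fingerprint is matched on the device, and only a tag bound to a one-time server nonce crosses the network, so an intercepted token contains no biometric data and cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 60  # assumed freshness window for a challenge


def _tag(key, device_id, nonce):
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


class Device:
    """Hypothetical handset: template and key never leave this object."""

    def __init__(self, device_id, template, key):
        self.device_id, self._template, self._key = device_id, template, key

    def assert_user(self, sample, nonce):
        # Matching happens locally. Real matchers are fuzzy; the exact
        # comparison here is a stand-in for that step.
        if not hmac.compare_digest(sample, self._template):
            return None
        return {"device_id": self.device_id, "nonce": nonce,
                "tag": _tag(self._key, self.device_id, nonce)}


class Server:
    """Hypothetical bank back end: stores device keys, never biometrics."""

    def __init__(self):
        self._keys = {}     # device_id -> key registered at enrolment
        self._pending = {}  # outstanding nonce -> time issued

    def enrol(self, device_id, key):
        self._keys[device_id] = key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = time.monotonic()
        return nonce

    def verify(self, token):
        issued = self._pending.pop(token["nonce"], None)  # single use
        key = self._keys.get(token["device_id"])
        if issued is None or key is None:
            return False  # unknown device, or nonce not issued / already used
        if time.monotonic() - issued > NONCE_TTL_SECONDS:
            return False  # stale challenge
        expected = _tag(key, token["device_id"], token["nonce"])
        return hmac.compare_digest(expected, token["tag"])
```
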

 

Time Marches On – One Fingerprint at a Time

Biometric innovation will wait for no man and, despite the risks, stories regarding financial institutions moving ahead with biometric services abound. Fingerprint authentication for access to mobile banking applications, for instance, works fairly well. Users already have the necessary hardware built into their iPhones, making the authentication process quick and seamless. Also, users don’t need to go through a separate biometric registration process specific to different mobile apps. Think of the iPhone fingerprint recognition system. You only have to provide your fingerprint details to the iPhone once. After that, any app that has the ability to use fingerprint authentication can make use of the iPhone’s authentication. The customer only has to register once, and then their other service providers can authenticate data against the biometric profile created when they first registered on the iPhone. It doesn’t mean that anyone can access accounts if the phone is lost, because a would-be criminal would still need to unlock the phone with the right PIN or fingerprint, and then provide the correct fingerprint each time they want to use the user’s banking apps.

Facial and voice recognition aren’t as elegant. While users have the hardware needed in their phones, they need to go through a separate registration process for these more complicated authentications. Many would-be users are frustrated and report that the effectiveness of the authentication can be impacted by background noise, lighting and even sore throats or colds. They’re also not as quick or seamless to use. Customers complain that facial registration can be awkward and difficult because the user must hold the phone at arm’s length while trying to find the best lighting and attempting to keep their face inside the authentication circle. Having said that, once facial recognition is authenticated it is incredibly secure due to “liveness detection” (can’t be fooled by holding up a picture) through “expression detection” (e.g. raise your eyebrows, smile etc.). Some say the current inconveniences may be a reasonable cost to pay for the advanced security until the usability kinks are ironed out.

 

Round and Round She Goes…

The industry has seen a number of big names in financial services take serious steps towards implementing biometric security over the past year. The Royal Bank of Scotland (RBS) and NatWest now enable fingerprint recognition to access their banking apps using Apple’s Touch ID on iPhones*. Other banks in the US, like Barclays and U.S. Bank*, are already using voice recognition to authenticate customers when they call into call centers, use telephone banking services or access their mobile banking app. MasterCard has also recently announced voice and facial recognition for mobile payments. Where she stops, nobody knows, but one thing is for certain – the use of biometrics in fighting mounting security issues must be explored. It will be imperative that pioneers in the field of biometrics think carefully about the potential ramifications of this new technology. Careful regulation, process and procedure will be key to keeping biometrics in the voices, the eyes, the faces… and the hands, of the good guys.