Countering Cyber Criminals with Biometrics: The growth in online banking and electronic payments has made it easier for criminals to target banks and their customers and is prompting the financial services sector to invest in new security measures.
A problem banks face is that online fraud has grown as banking and financial services have become more anonymous and automated. Online banking takes away that personal relationship, forcing banks to rely on passwords and other electronic security measures. Unfortunately, passwords are easy to forget and also easy to crack.
Biometrics are, at least on paper, hard to hack, but also convenient to use. Coupled with smartphones with fingerprint readers or computers with webcams, they might not even need banks to give their customers additional hardware. Already, some banks allow their customers to authorise transactions with a fingerprint and fingerprints are also under consideration as a way to secure smartphone payments. Unfortunately for advocates of biometric security, as well as for banks’ anti-fraud departments, biometrics is neither completely secure, completely reliable nor as easy to set up as they might hope. Of the dozens of biometric security trials carried out by banks, only a handful have led to successful, large-scale deployments. The first challenge banks face is enrolling customers in biometric programmes.
The last few years have seen plenty of new biometric tools join fingerprints and iris recognition. These include advanced voice biometrics, and palm and finger vein readers, systems that read heartbeats, breath sounds, and even the way we write or type, a science known as “behavioral biometrics”. But to make these systems work, banks have to capture the customer’s biometric ID, as well as check they are who they claim to be. This process is time consuming, expensive and often disliked by customers. And biometrics, despite the way they are portrayed in science fiction or detective novels, are rarely completely accurate.
Factors as diverse as background noise to the sweatiness of a palm, can affect a biometrics’ accuracy. Banks have to decide whether to accept a lower score – and a higher risk of fraud – or a tougher biometric and the risk of inconveniencing genuine customers, and forcing them back to passwords or memorable words. It is even possible to fake some biometrics, such as smartphone fingerprint scanners, using little more than sticky tape and glue, warns Candid Wueest, a researcher at security firm Symantec. “That means you can unlock the device, unlock online banking and start a transaction,” he says. This means, at least in the short term, banks look set to use biometrics alongside other checks, such as background checks on transactions, smart cards or phones, and even the humble password. “It has to be seamless, but also allow the customer to keep control,” Accenture Technology Labs’ Emmanuel Viale concludes.
PayPal is one of the best-known names in online payments and is used for thousands of transactions every day. But PayPal is also trying to build an offline payments business, for example by supplying card readers to small businesses and retailers. In addition, PayPal customers can use the company’s app to pay for goods and services, including meals at the Pizza Express chain. Last year, though, the company went a step further and added fingerprint approval to its app. The service was set up initially to work with selected Samsung smartphones and tablets because they have built-in fingerprint readers. The system is designed to replace user names and log-ins, otherwise, anyone wanting to pay by PayPal would have to remember their sometimes complicated computer-based PayPal credentials in a retail store.
The scheme was originally planned for roll out in 25 countries, and was supported by an authentication scheme called FIDO, which was also backed by Google, Microsoft and MasterCard. However, although other firms have since turned to smartphone fingerprint readers to authorise transactions, including Apple’s Apple Pay in the US, security researchers claim the fingerprint system on the Samsung S5 – the launch device for PayPal’s scheme – was allegedly easily hacked. Researchers were able to photograph a fingerprint on a user’s phone and create a false print to unlock the handset. However, given the sophisticated tools hackers would need to do this and that they would need to capture the user’s fingerprint in the first place, the risks to users could still be minimal.
Halifax, part of the Lloyds Banking Group, became one of the first companies to use customers’ heartbeats as a biometric identifier earlier this year. The bank has tested out a device called a Nymi band, to capture heartbeats and use them instead of PINs or passwords. The Nymi band is similar to wristbands worn by athletes to monitor their heart rate for sports training, but it has been developed specifically to create a heartbeat-based authentication system, which the company calls HeartID. This uses the customer’s electrocardiogram, or ECG, which is unique to each of us. The band itself communicates wirelessly with a computer, smartphone or other device.
Source: Cyber Security Intelligence