By Martin Brampton, 3 May 2005 13:40
COMMENT Banks may talk of using biometrics but doing so would hardly be a foolproof means of providing secure transactions, says Martin Brampton.
There seems to be as much window dressing as there is clear thinking in the security arena. Headlines say the banks are thinking of using biometrics to authenticate transactions. Yet how much thought has actually gone into this idea?
Maybe something of the kind is inevitable with banking, which has always involved a good deal of smoke and mirrors. For many years, we were impressed with the solidity of the banks, mainly on account of their grand buildings and the imperious looks of the managers. Of course, such features did not stop banks failing, especially in countries with a less substantial support regime than the UK.
So perhaps the latest moves are in the same vein: designed to give us a sense of security more than to actually achieve anything. The banks' efforts are built around the currently popular mantras of the IT security industry. Yet the reality is always more complex and a lot messier.
The favourite story nowadays is three-factor authentication: something you know, something you possess and something you are. The first has never been very effective because of people's inveterate tendency to blab.
Remember the researchers who stood on Liverpool Street station asking people for their computer passwords? Most people told them. And last week it came to light that bank customers were happily revealing their PINs to call centre staff, only to find their accounts promptly cleaned out.
Something you possess seems a more promising angle. For the banks, that used to mean magnetic stripe cards. Nowadays it means smart cards with embedded chips. Increasingly, it is likely to mean security tokens that generate single-use codes, a different one for every transaction or every few seconds, so that a code a fraudster manages to capture is worthless by the time it could be reused. These would be used more if they were less expensive.
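As an added illustration, not part of the original article, here is the mechanism behind such single-use code tokens in the form later standardised as HOTP (RFC 4226): the token and the bank share a secret and a counter, every code is an HMAC of the counter, and the bank refuses any counter it has already accepted, so a captured code cannot be reused. The secret below is the RFC's own test key, chosen so the codes can be checked against its published vectors; the token and server classes are a simplified model of my own, not any bank's implementation.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned into both the token and the bank's server.
# This is the RFC 4226 test key (ASCII "12345678901234567890"), used here so the
# codes can be checked against the published test vectors; real tokens carry a
# random per-device secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class Token:
    """The device in the customer's pocket: a new code on every button press."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1          # never produce the same code twice
        return code


class BankServer:
    """The bank's side: a code is valid only for a counter value strictly
    beyond the last one accepted, and only within a small look-ahead window
    (the customer may have pressed the button without submitting)."""

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.last_counter = -1     # nothing accepted yet
        self.window = window

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for candidate in range(start, start + self.window):
            # constant-time compare so the check itself leaks nothing
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate   # consume this and all earlier counters
                return True
        return False


def demo() -> tuple:
    """Returns (first code accepted, replay accepted, resync after a skipped press accepted)."""
    token, bank = Token(SECRET), BankServer(SECRET)
    first = token.press()
    accepted = bank.verify(first)
    replayed = bank.verify(first)   # the same code sniffed and replayed by a fraudster
    token.press()                   # customer pressed but never submitted this one
    later = token.press()
    resynced = bank.verify(later)   # still inside the window, so accepted
    return accepted, replayed, resynced


if __name__ == "__main__":
    print(hotp(SECRET, 0))   # 755224, the first RFC 4226 test vector
    print(demo())            # (True, False, True)
```

The look-ahead window is the practical compromise every such scheme makes: too small and a customer who plays with the button locks themselves out; too large and an attacker who captures one code gains a little more room to guess. Time-based variants replace the counter with a clock step but keep the same single-use rule.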
The trouble with all these technological fixes is that it is difficult to keep ahead of the enemy. Magnetic stripe cards - and to a lesser extent smart cards - are vulnerable because readers are widely available and people inevitably try to crack any system for their own ends: the stripe holds static data that any cheap reader can copy onto a blank card, whereas a chip at least keeps its key inside the card and answers challenges rather than disclosing it. The problem is that it is difficult to package up sophisticated security in a form that can be used millions of times a day by people all around the world.
So now there seems to be a lot of talk about biometrics for the 'something you are' level of authentication. Before we get to worries over the effectiveness of the technology, it seems to me there is a significant problem of user perceptions for organisations such as banks.
There is something quite offensive about being subjected to physical checks such as fingerprints and iris scans. We know who we are and sometimes the people we are dealing with know who we are too. So the implication tends to be that in circumstances where we have to be identified by some machine, we are being treated as an object and not a person.
Moreover, despite all the talk of the primacy of the customer, we tend to feel we are supplicants when we ask to receive some of our own money, the safe keeping of which we have entrusted to the bank. Is the bank providing us with a service or are we merely the tools of the bank?
However that may be, the thinking behind biometrics is confused. They make some sense in situations such as an airport, where it is necessary to be certain that a person matches their documents, such as their passport, and that the documents are genuine; there the scanner is owned and supervised by the party doing the checking. But the vast majority of banking transactions now take place at a distance, with the capture device in the hands of the very person being checked.
That opens up a plethora of possibilities. In 2002 Tsutomu Matsumoto of Yokohama National University made false gelatine 'gummy fingers' for about £5 worth of materials, good enough to fool most of the fingerprint readers he tried - albeit some years ago when the technology was less sophisticated. Then there is the simple fact that what is transmitted to the bank has to be a digital representation of the fingerprint, or whatever biometric identifier is being used.
Anything that can be digitally transmitted can be copied, and a bit-for-bit copy is a perfect forgery; the only issue is getting hold of it. Encryption and one-time challenges can stop a copy taken off the wire from being replayed, but they do nothing if the copy is taken on the customer's own machine before it is encrypted, and we know that spyware is becoming more of a threat than the old-fashioned virus. Worse, a password that leaks can be changed; a fingerprint cannot. It is hard to avoid the conclusion that biometrics in banking is just another variant of the grand façade.
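To make the replay argument concrete, the following added example (mine, not the article's) models the two ways a remote biometric check is commonly built. The "template" is a constructed stand-in (random-looking bytes, not a real fingerprint template), and the per-reader device key is an assumption of the example. The first bank simply compares the bytes it receives with the enrolled copy, so a copy taken off the wire works forever. The second issues a fresh single-use challenge and requires a device MAC over it, which stops a passive eavesdropper from replaying; but malware that controls the reader, and so the device key, can answer the fresh challenge with the copied template and is still let in, which is the situation the article describes.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for this example: a real template is a structured
# minutiae record, and the device key (an assumption here) would be
# provisioned into the reader at manufacture.
ENROLLED_TEMPLATE = hashlib.sha256(b"constructed example template").digest()
DEVICE_KEY = hashlib.sha256(b"constructed per-reader key (assumption)").digest()


class NaiveBank:
    """Scheme 1: accept whoever sends bytes equal to the enrolled template."""

    def __init__(self, enrolled: bytes) -> None:
        self.enrolled = enrolled

    def authenticate(self, template: bytes) -> bool:
        # Real matchers score similarity; equality is the simplest stand-in.
        return hmac.compare_digest(template, self.enrolled)


class ChallengeBank:
    """Scheme 2: issue a random single-use nonce and require the reader to
    return the template together with HMAC(device_key, nonce || template)."""

    def __init__(self, enrolled: bytes, device_key: bytes) -> None:
        self.enrolled = enrolled
        self.device_key = device_key
        self.outstanding = set()      # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, template: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False              # never issued, or already consumed: a replay
        self.outstanding.discard(nonce)
        expected = hmac.new(self.device_key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False              # not produced by a reader holding the key
        return hmac.compare_digest(template, self.enrolled)


def reader_response(device_key: bytes, nonce: bytes, template: bytes) -> tuple:
    """What the reader sends back. Nothing here proves a live finger was
    scanned: anything holding device_key can call this with any bytes."""
    tag = hmac.new(device_key, nonce + template, hashlib.sha256).digest()
    return nonce, template, tag


def run() -> dict:
    results = {}
    captured = ENROLLED_TEMPLATE     # the bytes spyware copied from the customer's PC

    naive = NaiveBank(ENROLLED_TEMPLATE)
    results["naive_genuine"] = naive.authenticate(ENROLLED_TEMPLATE)
    results["naive_replay"] = naive.authenticate(captured)    # works, forever

    bank = ChallengeBank(ENROLLED_TEMPLATE, DEVICE_KEY)
    genuine = reader_response(DEVICE_KEY, bank.challenge(), ENROLLED_TEMPLATE)
    results["cr_genuine"] = bank.authenticate(*genuine)
    results["cr_replay"] = bank.authenticate(*genuine)        # nonce consumed: refused

    # Eavesdropper holding the template but not the device key asks for a fresh challenge.
    guessed = reader_response(b"not the real key", bank.challenge(), captured)
    results["cr_eavesdropper"] = bank.authenticate(*guessed)  # bad MAC: refused

    # Malware controlling the reader has the key too, so it answers the fresh
    # challenge correctly with the copied template; no finger is ever scanned.
    forged = reader_response(DEVICE_KEY, bank.challenge(), captured)
    results["cr_compromised_reader"] = bank.authenticate(*forged)
    return results


if __name__ == "__main__":
    for name, ok in run().items():
        print(f"{name:22s} {'accepted' if ok else 'refused'}")
```

The nonce and MAC authenticate the reader's message, not the finger; that is the whole gap. And because the template itself is the long-lived credential, there is nothing to rotate after the `naive_replay` or `cr_compromised_reader` case, which is not true of a password or a revocable card.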

Comments
There are 11 comments.
1. Stuart Moffat
Most remote biometric checks are vulnerable to fraud, simply because the biometric reader is in the hands of the potential fraudster and therefore vulnerable to attack. However, remote biometric checks using voice biometrics are less vulnerable, providing that the use of recordings is prevented. This is easily done by prompting the customer to say something specific, but different every time, and then checking that the right words were repeated - and that the biometric matches. ALL the technology used to check the biometric is then in the hands of the person checking the biometric, rather than the fraudster.
2. Terrence Gold
Good article but a little off the mark. I have been on both the IT application side in the Fortune space, and have worked for biometric and directory companies.
There are MANY flaws with biometrics. I have seen the ugly things that they do not tell the customer. What is more scary are the things that they do not know because they are not application developers, and that, at the end of the day, is what needs to be protected.
Banks fear 2 things. 1) The rogue capture of an image, which would enable one to have a piece of someone's identity for the rest of their life. Fingerprints don't change and can't be reset like passwords or be reissued like smart cards. 2) User experience. If MasterCard processes 100,000 transactions per second and biometrics has a failure rate (let's say 1 in 10,000, which is generally what is claimed, but I say this is stretched) then you would have many people not able to transact, affecting merchants' and financial processors' business. This also creates a poor user experience and floods customer service. So they won't really do it.
Biometrics are great in concept, even applicable in some situations, but widely miss the mark in the networked world. Additionally, when implementing as a security measure, as opposed to convenience (no one loses their finger), I would never use a biometric as the only credential. Such instances would always lead to a higher rate of access for malicious users.
3. anonymous
In the case of credit/debit card transactions face-to-face, what happened to the practice of putting a photograph of the card user on the card itself? It seemed like a simple but inoffensive way for the cashier to check that the person using the card was entitled to do so. Failing that, could we copy the Spaniards in requiring photographic ID to be presented along with the card?
4. Darrell E. Smith
Mr. Gold has obviously had very little experience in the area of biometric security applications for the financial industry. There are many deployments right now in the banking/financial industry that have been functioning without any major problems for many years. These biometrically secured banking and financial functions range from internal security solutions including access control (computer and physical), network security (1 to 1 and 1 to N matching), the tracking of transactions, and the creation of biometric audit trails. I will name just a few of the banking/financial institutions that have successfully implemented various biometric based systems that continue to function without any major problems to this day... The Brazilian Mercantile Exchange, Hermes Pension Management LTD.-UK, Credit Suisse-Switzerland, The Internal Revenue Service, ING Direct, Barclays Bank, Mellon Bank, Banco Santander, Bancafe, Banco Falabella, Banco Central De Costa Rica, Banco Convai-Colombia, Banco Produbanco-Ecuador, Banco Reformador-Guatemala, Bank of Cairo-Egypt, Bank of Central Asia, Capitec Bank-South Africa... and the list goes on. Either Mr. Gold was exposed to some very inferior biometric technology or inept integration techniques, or he may have an axe to grind with the biometric industry or one of its leading companies. His comments that banks are worried about the theft of biometric data (templates) let me know that he does not have a full understanding of how the technology actually works. If he did, he would realize that captured biometric template data is useless, since it must be matched against the live user for verification/authentication/authorization.
A hacker or thief would really need to kidnap the live user to be able to break into properly implemented biometric systems (they don't store full biometric images, only templates that can't be reverse constructed to an image), and many are now using Match On Card smart card technology that does not store template information in a database in the first place. If you have to kidnap the user in order to break or hack into a secure system, then you have arrived at the very pinnacle of security solutions. Thus, this is why biometric systems are ramping up in demand very rapidly in the banking and financial industries. Mr. Gold is mistaken in his assumptions, at best.
5. www.omniidentity.com
I understand Mr. Brampton's position that he may be offended when asked to submit to biometric authentication, and even that others may be offended as well. However, as banks become larger with more branches and virtual with online banking, institutions know less and less with whom they are dealing. Almost gone are the days of walking into your bank and having the bank staff greet you with, “Hello Mr. Doe.” Consequently, advanced authentication methods, like biometrics, are needed to replace the antiquated, costly and insecure password. That the article’s title is “…Biometrics offer false hope” is misleading when the only support for the claim is an example that was “some years ago.” I have worked in biometrics for over four years and now specifically work with financial institutions around the world – this technology is ready for prime time… evidenced by the fact that soon you will see it at a bank branch or POS near you.
6. anonymous
One fact that is overlooked here is that in a criminal situation a person who is threatened so that he gives away his PIN code is safeguarded by the fact that he won't be able to give it when dead. This is not the case in the proposed identification schemes. Also, being robbed of a credit card is far less mutilating than being robbed of a finger or an eye for the purpose of robbing your bank account.
(Ed note: Biometrics will include liveness tests, meaning a dead or severed identifier such as an amputated finger or gouged eyeball will not work. As long as robbers don't try it anyway to find out, we should all be safe.)
7. www.biometricsforums.com
I don't get the remark regarding getting a copy of the biometric (or template) by sniffing the transmission. That can easily be prevented by using encryption and digital signatures that change with every communication.
Also, this is a problem that PINs and passphrases have, too.
8. James T. Byers
When it comes to using Biometrics for security, computer pros experience brain freeze because of their indoctrination into thinking that "SECRECY" is paramount to security. Biometrics are not based on secrecy. So what if someone intercepts a transmission with my biometrics. I may as well complain about having to fax my Photo ID (the photo being the biometric) for a loan application -- EEGAD! Someone might intercept the fax and get a copy of my face!
To understand the tremendous advantages that come with using Biometrics instead of UserID/Password/Digital Certificate approaches, you have to drop your bias for SECRECY. The strength of Biometrics is NOT SECRECY - it is its ability to be verifiable at any time.
The successful use of Biometrics for identification (or authentication for inefficient systems) requires a secure CAPTURE of the Biometric and a secure STORAGE of the Biometric. "Secure storage" means that the Biometric cannot be modified once stored. It is accessible to any number of persons, or the public, but is not modifiable. "Secure capture" means that the Biometric is obtained in a manner that ensures that the real person is providing the Biometric.
Argue about storage and capture if you want, but please get a grip and forget about any need for secrecy or fear of fraud because someone might steal your Biometrics. Or, don't get a grip, and put a bag over your face.
9. Muhammed Saleem Rehmani
The real issue is the foolproof security of the network rather than the users of cards. Can biometrics defeat the hackers? Is the biometric data travelling on the network fully safe?
10. anonymous
A lot of companies are starting to go with the EMV solution. It is not as invasive as biometrics in the instance that there are false accepts or false rejects. It is very secure and can have a photo. MasterCard just announced their CAP initiative for user-not-present transactions, which can be used for user-present...
11. anonymous
The writer's knowledge is out of date. Nobody would use optical sensors anymore; they are too insecure and are pretty easy to fool.
Today's sensors are AC capacitive swipe sensors. They compile a fingerprint image based on the electrical characteristics of the skin, and not a photographic image of the finger. There are very few materials which have the same characteristics; paprika is one. Try to make a fingerprint out of that.