A researcher claims to have discovered a security vulnerability in two banks’ mobile phone apps that lets someone get into an account with just a picture of the account holder.
Meaghan Johnson, director of research at fintech consultancy 11:FS, says she found that people could access her account using an iPhone “Live Photo” of her. “Live Photos” capture and show limited movement and this tricks the app into thinking the account holder is actually there.
Johnson told Business Insider: “What you have to do is log in using biometrics. Once you log in to the secure site on the app just blink a few times and it records you blinking. We got a picture of me blinking which then was a Live Photo. We pressed down on the Live Photo facing my phone with the facial recognition screen open. After 5 seconds it picked it up and it logged us straight into the app.”
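As an added illustration, and not code from either bank or from 11:FS, the constructed Python model below contrasts the kind of liveness check the article describes, which accepts any clip that contains blinking and so is satisfied by a replayed Live Photo, with a per-session random gesture challenge that a clip recorded earlier cannot match. The gesture names, the `Capture` type and the 30-second freshness window are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of what a camera pipeline reports to the app: the gestures it
# recognised in the clip, in order, and when the clip was recorded.
GESTURES = ("blink", "turn_left", "turn_right", "nod", "smile")


@dataclass
class Capture:
    gestures: Tuple[str, ...]   # gestures detected in the clip, in order
    recorded_at: float          # wall-clock time the clip was recorded


def static_blink_check(capture: Capture) -> bool:
    """Weak check of the kind the article describes: any clip with blinking passes.
    A saved clip of the user blinking (a Live Photo) satisfies it on every login."""
    return "blink" in capture.gestures


@dataclass
class Challenge:
    sequence: Tuple[str, ...]   # gestures the user is asked to perform, in order
    issued_at: float            # when this login session issued the challenge


def issue_challenge(length: int = 3) -> Challenge:
    """Fresh random gesture sequence, shown to the user only after login starts,
    so no recording made before this moment can contain it by design."""
    seq = tuple(secrets.choice(GESTURES) for _ in range(length))
    return Challenge(seq, time.time())


def challenge_response_check(challenge: Challenge, capture: Capture,
                             max_age_s: float = 30.0,
                             now: Optional[float] = None) -> bool:
    """Hardened check: the clip must have been recorded after the challenge was
    issued, within the freshness window, and show exactly the challenged gestures
    in order. A replayed clip fails on timing and, with overwhelming probability,
    on content (1 in len(GESTURES)**length of guessing the sequence)."""
    now = time.time() if now is None else now
    if not (challenge.issued_at <= capture.recorded_at <= now):
        return False
    if capture.recorded_at - challenge.issued_at > max_age_s:
        return False
    return capture.gestures == challenge.sequence
```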
This vulnerability only applies to banks that are using facial recognition as a method of logging in, which at the moment is a limited number.
But the number is growing. The discovery comes days after Standard Chartered bank announced plans to do away with passwords and roll out biometric security to all its 5 million customers.
It is one of a number of large banks and financial institutions pursuing “biometric security” measures — identification techniques such as fingerprint scanning, facial recognition, and voice recognition. MasterCard, for example, is exploring the use of payment authentication through selfies, and the World Economic Forum recently singled out biometrics as one of the key technologies that will transform finance in the next few decades.
Johnson did not name the two banks where she was able to use iPhone Live Photos to get into the app, saying only that it was “a bank in the States and a new challenger bank in the UK.”
As far as BI is aware, new app-only Atom Bank is the only challenger that currently offers facial recognition technology to let users log in to its app.
Atom admitted to BI that breaking into the app using a Live Photo would be possible, but emphasised that facial recognition is just one of a number of security measures its app uses and that reaching the stage where the Live Photo could be used would be highly unlikely. Atom also ties its app to the customer’s phone, for example, so you can only log into your account from your own device. This means the person with the photo would also have to steal your device.
A spokesperson for Atom told BI:
“Not only does someone need your specific device, but we enforce the need for your device to have a device PIN. As such, you need to steal someone’s device. You then need to break their device PIN. We also check for jailbroken devices (i.e. if you jailbreak the device in order to break the PIN, then we will not allow jailbroken devices to access either).
“As with any security measure, people will try to find ways to bypass facial recognition. People may seek to use masks or moving images of a face to gain access via your device, and if it looks very much like the real customer’s face the app will grant access.
“Does this mean your bank security has been compromised? No. We have built layers of security into our banking app to ensure that even someone with your phone and your face can have only limited access. For example, in order to set up a payment to a new payee (as the fraudster would need to do to steal your money) a further level of authentication would be required, such as voice recognition or passcode.”
Johnson admits that the security vulnerability is a limited one, saying: “You have to have a lot of moving pieces together, it’s likely that it would come from family or a friend or a colleague. Someone would have to take your phone if it was unlocked, they would have to have a picture of you blinking, and then they would basically have to do this without you being there.”
But she added: “If I were a bank that offered this I would just inform your customers that there are ways in which it is not secure. When you go to an ATM it says be careful of your PIN, maybe you need a warning like that.”
A spokesperson for Atom said: “Using your face offers a convenient and safe way to access your app, but customers can also take sensible precautions to protect themselves, such as using the standard security features that protect their devices — such as your phone PIN or fingerprint access to ensure that access to your device is inherently difficult.”
Johnson says: “This is kind of the first generation of biometric solutions — face recognition, voice recognition, fingerprint. I think the second generation techniques like pulse recognition, iris recognition, vein and heartbeat recognition will be much more secure.”