Fingerprints and eye scans are a very exciting way to access your phone, but they’re not yet strong enough to replace passwords and PINs on your bank accounts.
They may never be, according to Nick FitzGerald, senior research fellow at threat detection specialists ESET. He says banks are moving too quickly toward biometric identification, driven by customer demand for convenience.
A recent article in the Sydney Morning Herald highlighted the big shift at some of the world’s largest banks to offer not just fingerprint but iris identification for customers logging into their accounts through their mobile phones.
Others are offering facial contours and voice recognition technology.
All are luring users with the same pitch – your biometric information is unique.
And it is, but there’s also one aspect in all of that which certainly isn’t unique, says FitzGerald.
“Whatever biometric input banks choose to use, these will have to be converted into some kind of digital representation within the recording device, such as a fingerprint scanner on phone or laptop,” he says.
“If the devices themselves are not well-secured, e-criminals can ‘record’ that digital representation and divert or replay it for their own devious purposes.”
In other words, it’s not twisted criminals lopping off your finger or using sticky tape on a beer glass to rob you of your access code that you need to worry about. That’s not the entry point for a sophisticated cybercriminal.
It’s much easier for them to simply steal those details after they’ve been recorded in your device.
“We can already see this phenomenon with keyloggers and related malware that steals login credentials, such as your username, account number, or password,” FitzGerald says.
But here’s the key difference, he says:
Passwords can be cancelled and replaced when needed. Physical features can’t, or can be replaced only a small number of times.
FitzGerald admits the initial uptake of biometric security would see a drop in online and mobile fraud, but it would only be a matter of time before cybercriminals find methods of accessing digital representations.
And when they do, they’ll realise there’s only a limited number of times that such unique information can be used, mainly due to the complexity of the malware needed to capture it.
That in turn means “fewer incidents but larger sums per incident”.
Even some of the big banks seem to realise this, though. JPMorgan Chase gives customers access to their accounts with fingerprints, but a traditional password is still needed to actually transfer money.
FitzGerald thinks there needs to be more discussion before the rush to offer the most innovative, efficient access methods wipes out “inconvenient” passwords and PINs.
“Realistically, banks can’t afford the potential backlash of removing online and mobile banking,” FitzGerald says.
“While fingerprint and face scanning methods won’t be the most secure, they tick the box when it comes to offering new, interesting, and easy-to-use tools.”