Are We Safe to Bank on Biometrics?

Paul Dignan, Global Technical Account Manager, F5 Networks 

For financial institutions, the primary goal of digitisation is making banking simpler and more intuitive for customers. Biometric identification has huge potential, offering convenience, simplifying password management and providing a frictionless authentication process. However, combining the desire for ease of use with the need to improve security is a difficult balancing act. With biometrics in banking rapidly gaining momentum, it is equally becoming an area of great interest for cybercriminals, meaning the security of the apps and systems that support these mechanisms is more critical than ever.

Biometrics offer an exciting new frontier in security, with the global biometric system market expected to reach an estimated $32.4 billion by 2022. From TouchID to iris scanning, and facial to voice recognition technology, consumer demand for biometric authentication is increasing, with research from Mastercard and Oxford University showing banks and their customers favour the use of biometrics in consumer financial services.

Many financial institutions have already put the technology to use. Wells Fargo began offering revolutionary eye-recognition technology as a security measure for corporate customers in 2016, and financial services company USAA has been offering users the option to log in using face and voice recognition technology since the beginning of 2015. Voice recognition technology has also been employed by Citi, Barclays and HSBC to verify customer identity when phoning a customer service line and Santander has started trialling a voice-based chat in their standalone app, SmartBank.

Is biometrics a fool proof way to keep hackers at bay?

Despite their potential, biometric-based authentication is not failsafe and poses its own security challenges. The unique nature of biometric verification, and the fact that the digitised record is stored and encrypted locally in a secure portion of your device, does make the data better protected than traditional verification methods. However, the risks surrounding this type of data are greater. Unique, permanent biological identifiers can’t be changed or replaced in the event of a breach, so they are very dangerous if they end up in the wrong hands.

The risk of a criminal stealing your eyeball (à la Tom Cruise in Minority Report) is mere science fiction fantasy; the real risk is the chance that a hacker could gain access to the digitised record of biometric data. The National Fraud Authority estimates that £3.3 billion is currently lost through identity crimes each year. Imagine how this could increase if hackers could access biometric data.

What’s the key to protecting biometric credentials? 

Although biometrics offer an extremely strong alternative to traditional authentication methods, such as passwords and PINs, there is no such thing as 100 percent security, but having multiple gatekeepers in place can fortify the security of apps and systems. The more different proofs of identity required through separate routes, the more difficult it becomes for a cybercriminal to steal a consumer’s identity or to impersonate them.

As technologies progress, machine learning offers the potential to help banks authenticate users based on multiple assessments, including behaviour, appearance, voice and even the speed at which they type. With such capabilities, a user’s device can constantly calculate a trust score that the user is who they claim to be. According to Deloitte, together these factors are 10 times safer than fingerprints and 100 times safer than four-digit PINs.

Furthermore, solutions are being developed to solve the issue of biometric records being re-used when stolen. For example, a new approach is to split the biometric information between the user’s device and the data centre storage, meaning that if one is compromised, the hacker will not have all the information needed to gain verification.

How will biometric security continue to evolve?

New techniques are emerging that remedy some of the typical challenges associated with biometric solutions, including a lack of capability on the user device and verification failure (facial recognition is prone to problems with lighting conditions). Regardless of the challenges, biometric technology provides organisations with another layer of defence against cyber criminals while simultaneously streamlining the customer experience. This has been successfully adopted by many financial institutions, with great promise to further transform digital banking.

As our lives move progressively online, the level of personal data stored by organisations, the stakes are becoming higher for businesses to ensure consumers’ data is fully protected. At the same time, lucrative areas, such as digital banking, are at the top of cybercriminals target lists. Even with the higher level of security that biometrics promise, having multiple gatekeepers in place is the only way to guarantee the highest level of security.

Paul Dignan, Global Technical Account Manager, F5 Networks 

For financial institutions, the primary goal of digitisation is making banking simpler and more intuitive for customers. Biometric identification has huge potential, offering convenience, simplifying password management and providing a frictionless authentication process. However, combining the desire for ease of use with the need to improve security is a difficult balancing act. With biometrics in banking rapidly gaining momentum, it is equally becoming an area of great interest for cybercriminals, meaning the security of the apps and systems that support these mechanisms is more critical than ever.

Biometrics offer an exciting new frontier in security, with the global biometric system market expected to reach an estimated $32.4 billion by 2022. From TouchID to iris scanning, and facial to voice recognition technology, consumer demand for biometric authentication is increasing, with research from Mastercard and Oxford University showing banks and their customers favour the use of biometrics in consumer financial services.

Many financial institutions have already put the technology to use. Wells Fargo began offering revolutionary eye-recognition technology as a security measure for corporate customers in 2016, and financial services company USAA has been offering users the option to log in using face and voice recognition technology since the beginning of 2015. Voice recognition technology has also been employed by Citi, Barclays and HSBC to verify customer identity when phoning a customer service line and Santander has started trialling a voice-based chat in their standalone app, SmartBank.

Is biometrics a fool proof way to keep hackers at bay?

Despite their potential, biometric-based authentication is not failsafe and poses its own security challenges. The unique nature of biometric verification, and the fact that the digitised record is stored and encrypted locally in a secure portion of your device, does make the data better protected than traditional verification methods. However, the risks surrounding this type of data are greater. Unique, permanent biological identifiers can’t be changed or replaced in the event of a breach, so they are very dangerous if they end up in the wrong hands.

The risk of a criminal stealing your eyeball (à la Tom Cruise in Minority Report) is mere science fiction fantasy; the real risk is the chance that a hacker could gain access to the digitised record of biometric data. The National Fraud Authority estimates that £3.3 billion is currently lost through identity crimes each year. Imagine how this could increase if hackers could access biometric data.

What’s the key to protecting biometric credentials? 

Although biometrics offer an extremely strong alternative to traditional authentication methods, such as passwords and PINs, there is no such thing as 100 percent security, but having multiple gatekeepers in place can fortify the security of apps and systems. The more different proofs of identity required through separate routes, the more difficult it becomes for a cybercriminal to steal a consumer’s identity or to impersonate them.

As technologies progress, machine learning offers the potential to help banks authenticate users based on multiple assessments, including behaviour, appearance, voice and even the speed at which they type. With such capabilities, a user’s device can constantly calculate a trust score that the user is who they claim to be. According to Deloitte, together these factors are 10 times safer than fingerprints and 100 times safer than four-digit PINs.

Furthermore, solutions are being developed to solve the issue of biometric records being re-used when stolen. For example, a new approach is to split the biometric information between the user’s device and the data centre storage, meaning that if one is compromised, the hacker will not have all the information needed to gain verification.

How will biometric security continue to evolve?

New techniques are emerging that remedy some of the typical challenges associated with biometric solutions, including a lack of capability on the user device and verification failure (facial recognition is prone to problems with lighting conditions). Regardless of the challenges, biometric technology provides organisations with another layer of defence against cyber criminals while simultaneously streamlining the customer experience. This has been successfully adopted by many financial institutions, with great promise to further transform digital banking.

As our lives move progressively online, the level of personal data stored by organisations, the stakes are becoming higher for businesses to ensure consumers’ data is fully protected. At the same time, lucrative areas, such as digital banking, are at the top of cybercriminals target lists. Even with the higher level of security that biometrics promise, having multiple gatekeepers in place is the only way to guarantee the highest level of security.