Are Biometrics Secure for Banking Transactions? | GBAF | GBAF

Are Biometrics Secure for Banking Transactions? | GBAF | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Banking > HOW ARE PRIVATE BANKS TO COMBAT IDENTITY FRAUD?

HOW ARE PRIVATE BANKS TO COMBAT IDENTITY FRAUD?

Published by Gbaf News

Posted on April 22, 2017

8 min read

Last updated: January 21, 2026

Travis Schreiber discussing the impact of financial reputation on businesses - Global Banking & Finance Review — Travis Schreiber, Director of Operations at Erase, emphasizes the importance of managing online reputation in finance. This image highlights the crucial link between financial missteps and consumer trust.

Schalk Nolte, CEO Entersekt, discusses the latest innovations in security, and asks if biometrics alone is secure enough when it comes to banking

Schalk Nolte

Schalk Nolte

Identity fraud is at an all-time high. According to figures from the fraud prevention organisation Cifas, there were almost 173 000 cases of identity fraud in the UK in 2016 – the highest number ever recorded. Last year, identity fraud cost the UK economy £5.4 billion, as revealed by research conducted by Experian in partnership with the University of Portsmouth’s Centre for Counter Fraud Studies. It should therefore come as no surprise that enterprises are increasingly looking to the digital space to improve their security, and private banks are no exception. Their challenge is that customer opinions are split between millennials, who are comfortable with the integration of social media, payments platforms and digital banking, and an older, more conservative client segment who do not necessarily trust this revolution. It therefore becomes a balancing act between a demand for one-click checkouts and all manner of mobile banking features, and a duty to ensure the security of these convenient digital channels, especially for high-risk transactions.

To add to this challenge, the Revised Payment Services Directive (PSD2) is now heralding an era of open banking, forcing financial institutions that operate in SEPA countries to allow third parties access to their customers’ accounts (with the customers’ consent). In the UK, the Competition and Markets Authority has underscored the importance of opening access to new entrants, saying that older and larger banks are not having to compete hard enough for consumers’ business. The aim of PSD2 to foster competition and customer-centric innovation may be commendable, but this opening-up of customer data will bring with it a host of new fraud vulnerabilities. Open banking therefore necessitates the strongest possible user authentication – but will the current developments in security technology be enough?

There is no silver bullet

Biometrics represents a leap forward in usability, but the irreplaceable identifiers they make use of, such as fingerprints, voice patterns and retina scans, represent a highly attractive target for hackers.

To avoid the theft of these identifiers, mobile manufacturers require that they never leave the mobile device on which they were scanned. This means that the identifier is never transmitted to an application’s server to be matched. During a biometric login, the application then simply attests that the identifier has been matched on the device. The bad news is that a fraudster could very easily attest the same thing – without matching anything at all.

As with biometrics, there have been significant advances in machine learning technology. These promise improved risk analysis based on past and present user behaviour and on the state of the user’s device when they access digital services. This approach is attractive to banks because the data that is used in doing risk assessment is collected without the user’s direct involvement, which means less user friction.

The problem is that reliance on risk-based authentication may not translate into better security. A false-positive authentication could result in an account breach, and a false-negative in a declined transaction – a key cause of the current prevalence of abandoned e-commerce carts. Card issuers are finding their top-of-wallet status threatened as consumers resort to competing institutions in frustration over risk-based declines.

A winning strategy

Risk assessment can certainly help determine which transactions qualify as high-risk, while biometrics can be used as a second factor of authentication. For example, in addition to a password and/or PIN, the user can be requested to present a fingerprint (or, in the case of voice biometrics, speak a phrase) in order to authenticate themselves before being allowed to log in, proceed with a transaction, add a beneficiary, or make a payment. But neither biometrics nor risk assessment can provide foolproof authentication on their own.

Instead, the answer lies in deploying digital certificate technology on the mobile phone to enable out-of-band, multi-factor authentication and encrypted communication. Selecting an authentication solution that combines the best security with low user friction will go a long way in meeting the requirements of both customers and regulatory bodies, and help prepare private banks and other financial institutions for both imminent and future changes.

Schalk Nolte, CEO Entersekt, discusses the latest innovations in security, and asks if biometrics alone is secure enough when it comes to banking

Schalk Nolte

Schalk Nolte

Identity fraud is at an all-time high. According to figures from the fraud prevention organisation Cifas, there were almost 173 000 cases of identity fraud in the UK in 2016 – the highest number ever recorded. Last year, identity fraud cost the UK economy £5.4 billion, as revealed by research conducted by Experian in partnership with the University of Portsmouth’s Centre for Counter Fraud Studies. It should therefore come as no surprise that enterprises are increasingly looking to the digital space to improve their security, and private banks are no exception. Their challenge is that customer opinions are split between millennials, who are comfortable with the integration of social media, payments platforms and digital banking, and an older, more conservative client segment who do not necessarily trust this revolution. It therefore becomes a balancing act between a demand for one-click checkouts and all manner of mobile banking features, and a duty to ensure the security of these convenient digital channels, especially for high-risk transactions.

To add to this challenge, the Revised Payment Services Directive (PSD2) is now heralding an era of open banking, forcing financial institutions that operate in SEPA countries to allow third parties access to their customers’ accounts (with the customers’ consent). In the UK, the Competition and Markets Authority has underscored the importance of opening access to new entrants, saying that older and larger banks are not having to compete hard enough for consumers’ business. The aim of PSD2 to foster competition and customer-centric innovation may be commendable, but this opening-up of customer data will bring with it a host of new fraud vulnerabilities. Open banking therefore necessitates the strongest possible user authentication – but will the current developments in security technology be enough?

There is no silver bullet

Biometrics represents a leap forward in usability, but the irreplaceable identifiers they make use of, such as fingerprints, voice patterns and retina scans, represent a highly attractive target for hackers.

To avoid the theft of these identifiers, mobile manufacturers require that they never leave the mobile device on which they were scanned. This means that the identifier is never transmitted to an application’s server to be matched. During a biometric login, the application then simply attests that the identifier has been matched on the device. The bad news is that a fraudster could very easily attest the same thing – without matching anything at all.

As with biometrics, there have been significant advances in machine learning technology. These promise improved risk analysis based on past and present user behaviour and on the state of the user’s device when they access digital services. This approach is attractive to banks because the data that is used in doing risk assessment is collected without the user’s direct involvement, which means less user friction.

The problem is that reliance on risk-based authentication may not translate into better security. A false-positive authentication could result in an account breach, and a false-negative in a declined transaction – a key cause of the current prevalence of abandoned e-commerce carts. Card issuers are finding their top-of-wallet status threatened as consumers resort to competing institutions in frustration over risk-based declines.

A winning strategy

Risk assessment can certainly help determine which transactions qualify as high-risk, while biometrics can be used as a second factor of authentication. For example, in addition to a password and/or PIN, the user can be requested to present a fingerprint (or, in the case of voice biometrics, speak a phrase) in order to authenticate themselves before being allowed to log in, proceed with a transaction, add a beneficiary, or make a payment. But neither biometrics nor risk assessment can provide foolproof authentication on their own.

Instead, the answer lies in deploying digital certificate technology on the mobile phone to enable out-of-band, multi-factor authentication and encrypted communication. Selecting an authentication solution that combines the best security with low user friction will go a long way in meeting the requirements of both customers and regulatory bodies, and help prepare private banks and other financial institutions for both imminent and future changes.