Is biometric data really secure?

By Sarah Whipp, CMO & Head of Go to Market Strategy at Callsign

As technology has evolved, online and remote services have steadily become the norm. As a result, the use of biometrics as a convenient and secure way for customers to authenticate themselves in order to access these services has also seen an uptick. One sector that has felt the impact more than others is financial services. From authenticating the opening up of a current account by using the sound of your voice, to accessing an online banking portal using a fingerprint on a smartphone, the use cases are vast.

But before any type of biometric authentication is possible, the consumer or employee has to first register their personal information, such as their fingerprint, voice, iris, etc. However, fraudsters have identified an opportunity: to register their information ahead of the true account holder – effectively beating them to it. Currently, it appears that there aren’t sufficient measures in place to prevent these criminals from impersonating an individual and registering their own biometrics fraudulently.


One example is telephone banking interactive voice response (IVR). Hypothetically, a fraudster could register their own voice in the victim’s name before the victim gets round to it. The target might then only become aware that they have been compromised when their banking provider calls to inform them that their payment details have been used by an imposter.

The crux of the problem is that for an individual to register a particular biometric, whether for facial or voice recognition or anything else, the organisation providing the service must be certain that it really is that person registering it. In practice, the only way to establish this is to rely on the person’s existing security credentials. On channels such as telephony, that principally means knowledge-based credentials, and this creates an opportunity for criminals who have obtained those credentials, perhaps through phishing: they can register their own biometrics and pretend to be the victim. In the worst case, fraudsters could for all intents and purposes hijack a person’s physical characteristics. Could this be the next generation of “identity theft”?

Compounding the issue, providers generally favour biometrics over other credentials, because they believe this type of authentication is the most secure and that impersonating physical attributes is a near-impossible task. As a result, if a fraudster can get in first and register their biometrics before the victim does, they may attain a higher level of security clearance than the genuine account holder. This makes resolving a compromised account incredibly cumbersome. It is only logical that the service provider would question a victim who reports an attempted fraud, or whom they are informing of an account takeover, when the fraudster is declaring that they are really the victim and using a stronger set of credentials to do so. Differentiating between the fraudster and the real owner is now more challenging than ever for organisations, because there is currently no means for them to cross-reference an individual’s biometric information to guarantee that they are truly the real owner.

A simple remedy could be for users to register their biometrics at the outset of engaging with a business, or to specifically tell the organisation to avoid using that form of authentication. At the moment, where biometrics is the default authentication method, users are automatically “opted out” until they choose to “opt in”. Is reversing this process the simple solution? Sadly, it isn’t – even when a provider offers a way to block particular types of authentication, they must still provide a means for the end-user to amend that choice at a later date. Unfortunately, this offers the fraudster another opportunity, if they are able to use other (non-biometric) forms of authentication to impersonate the user.

Even so, if the option is available, end-users should register their biometric information straight away. We are now in a situation where it is a race for people to establish their biometrics with their current service providers before the fraudsters do. Whatever their eagerness to adopt the latest biometric capabilities, users are better off knowing that their own (genuine) biometrics are registered before a criminal who has stolen their other, knowledge-based credentials can fill that gap.

There remains a large cohort of the public who still aren’t comfortable with the idea of using their biometrics to carry out financial transactions. For this group, this creates a security trade-off. To alleviate any concerns, consumers should audit which biometric authentication methods their banks and other providers use and consider registering them, even if they don’t intend to use them immediately.

Understandably, the onus shouldn’t all be on the customer. If service providers do offer a method of biometric authentication, they must ensure they do not cut corners on the level of authentication required to register a biometric in the first place. It is imperative that they avoid a form of “privilege escalation” in which a weak security method is permitted to provision a new one – particularly if the latter is deemed safer for other processes or channels within the business.
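The enrolment gate described above, as an added example that is not Callsign’s or any bank’s code: factor categories, strengths and the multi-factor rule are constructed for illustration, and the account is assumed to already hold a registered device for one-time codes. A session made up only of phishable knowledge-based credentials can never provision a biometric, and once a genuine biometric is registered it can only be replaced by proving that same biometric.

```python
"""Enrolment gate: a weak credential must never provision a stronger one."""
from dataclasses import dataclass, field

# Constructed strengths for this example; knowledge-based credentials are the phishable ones.
CATEGORY = {"password": "knowledge", "kba": "knowledge",
            "device_otp": "possession", "voice": "biometric", "face": "biometric"}
STRENGTH = {"knowledge": 1, "possession": 2, "biometric": 3}

@dataclass
class Account:
    enrolled: set = field(default_factory=set)   # factor names already registered
    biometrics_opted_out: bool = False

class EnrolmentRefused(Exception):
    pass

def session_strength(verified):
    """Strength of the strongest factor verified, +1 if two categories were used (MFA)."""
    cats = {CATEGORY[f] for f in verified}
    if not cats:
        return 0
    return max(STRENGTH[c] for c in cats) + (1 if len(cats) > 1 else 0)

def enrol(account, verified, new_factor):
    """Register new_factor for the account, or raise EnrolmentRefused with the reason."""
    cat = CATEGORY[new_factor]
    if cat == "biometric" and account.biometrics_opted_out:
        raise EnrolmentRefused("account has opted out of biometric authentication")
    # Rule 1: no privilege escalation; the session must be at least as strong as the new factor.
    if session_strength(verified) < STRENGTH[cat]:
        raise EnrolmentRefused(f"session too weak to enrol {new_factor}")
    # Rule 2: a registered biometric is only replaced by proving that same biometric, so
    # registering genuine biometrics early closes the gap for anyone holding phished credentials.
    if new_factor in account.enrolled and cat == "biometric" and new_factor not in verified:
        raise EnrolmentRefused(f"{new_factor} already registered; re-enrolment requires it")
    account.enrolled.add(new_factor)
    return True

def set_biometric_opt_out(account, verified, opted_out):
    """Changing the opt-out is gated like a biometric enrolment, since it reopens the path."""
    if session_strength(verified) < STRENGTH["biometric"]:
        raise EnrolmentRefused("session too weak to change biometric opt-out")
    account.biometrics_opted_out = opted_out
    return account.biometrics_opted_out

def attempt(account, verified, new_factor):
    """True if enrolment succeeded, False if the gate refused it."""
    try:
        return enrol(account, verified, new_factor)
    except EnrolmentRefused:
        return False
```

With a fresh account, `attempt(acct, {"password", "kba"}, "voice")` is refused while `attempt(acct, {"password", "device_otp"}, "voice")` succeeds, and a later attempt to overwrite that voiceprint without presenting the voice itself is refused again.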

Additionally, biometric data must be stored correctly, in a non-extractable format, and enhanced with liveness checks, to ease end-user anxieties about the potential compromise of their data and privacy. It is crucial that any biometric authentication implemented doesn’t damage the customer experience by adding friction to everyday activities. And to encourage customers to sign up to these services proactively rather than feeling forced into it, the benefits of biometric registration must be properly communicated to them.

Finally, organisations cannot depend on a single type of authentication such as face, fingerprint or voice alone. It is vital to supplement these with contextual and behavioural intelligence, as well as further authentication factors appropriate to the level of risk, so that a reliable authentication outcome can be assured. Only by heeding these recommendations can organisations and end-users be safe in the knowledge that fraudsters cannot intercept the biometric registration process and undertake criminal activity without their victims realising. The risk of financial loss is too high for anyone to be complacent.
