British bank TSB recently announced come September, its mobile banking app will allow some customers to log in via iris scanning technology. According to published reports, customers with either a Samsung Galaxy S8 or S8+ can access their accounts literally at a glance.
TSB’s iris scanning uses 266 unique characters as opposed to 40 for fingerprints.
While many in the industry hail such developments as an improvement in security, the devil’s in the details, Richard Parris said. Mr. Parris is CEO of Intercede, an identity authentication solutions provider. Customers need to be convinced biometrics are indeed more secure, and that means the banking industry needs to produce dedicated education campaign.
“Biometric authentication is not entirely immune to potential attack and therefore should not be relied on as the sole means of verifying a user,” Mr. Parris said, citing German hackers penetrating a Samsung GalaxyS8 iris scanner with the picture of the owner’s eye and a contact lens and a journalist’s fooling of HSBC’s voice recognition system as two recent examples.
Mr. Parris said many attack victims share a key trait.
“The downfall of most companies that have fallen victim to attack recently was vulnerabilities at the user authentication level. Hackers can easily gain access to systems and networks with insecure passwords and personal information such as your date of birth or full name.
“The premise is the same for biometrics – your personal genetic data can be ‘stolen’.”
The solution, Mr. Parris said, is a security blend containing three elements – possession, knowledge, and inherence. Possession means having control of your device. Knowledge involves remembering something such as a PIN, while inherence incorporates the physical element, including iris scanning.
“The onus is on the business to provide the appropriate security to protect the customer and the consumer needs to be aware of the data they are sharing and how they can better protect themselves from the prying eyes of cyber criminals,” Mr. Parris said.
Etienne Greeff is the cofounder and CTO of security services provider SecureData. He said biometrics are much more secure than passwords, they too have their warts.
“The person using the authentication data has a big responsibility to store the data in a secure fashion,” he explained. “If we think about a ‘normal’ breach, for example when a password is hacked, it’s easy to reset your password or change the security settings. It’s also relatively easy to recover from one of these threats. If you’ve lost money from your online bank account at the hands of opportunistic cyber criminals, it’s likely you’ll be able to claim it back from your bank.”
“But what happens when your biometric security settings are hacked? You can’t change your voice, you can’t replace your eyes, you can’t reset your fingerprints. Those things are constant, permanent and contain genetic data that is unique to you. The implications of biometric security hacks can be much more severe as a result, and businesses are being forced to consider how they are protecting consumers’ genetic data through the imminent GDPR (General Data Protection Regulation) initiative.”
Because of GDPR, companies need to more focused on protecting clients’ biometric data. Mr. Greeff added.