While passwords are still the most common authentication method for online banking and mobile financial services applications, they are far from perfect. The challenges passwords pose are plain to see. Passwords are insecure, easy to steal, aggravating to use, inefficient, and costly to maintain. But the fact that passwords are still an integral part of our lives after decades of technological advancement can make it hard to remember that there are better ways to protect access to financial resources.
Enter passwordless authentication. The concept has been around for a while. Passwordless authentication is an authentication process that verifies the user’s identity without a password being entered. There are different ways to accomplish this – some involving multifactor authentication, others relying on a single factor. Passwordless authentication bases the authentication requirement on factors that the user uniquely possesses (a one-time password generator, a registered mobile device, or a hardware token), is (a biometric signature such as a fingerprint, faceprint, or retinal scan), or knows (the location of the user’s job or the name of their favorite pet).
The Bank’s Problem
Many banks and financial institutions choose to put facial biometric authentication systems in place to provide their customers with high security and ease of use and to limit or eliminate passwords. It’s not surprising why banks and other financial institutions choose biometric authentication. Customers can authenticate their identity quickly using just a selfie. The process is fully automated (cutting out password reset problems for IT support staff) and highly accurate.
However, shifting from password-based to biometric authentication comes with a potential hurdle. This white paper highlights how one bank began noticing increased instances of bad actors attempting to subvert their facial authentication process with a different kind of attempt – injection attacks.
What is an Injection Attack?
Injection attacks target the software performing the authentication capture itself. Injection vulnerabilities allow attackers to insert malicious input into, or relay malicious code through, an application into another system. During an injection attack, an attacker feeds a regular, otherwise safe application malicious code meant to compromise your system. Your computer system or app treats the command as if you initiated it, but a bad actor executed it.
Defending Against Injection Attacks: Aware’s Solution
Aware’s work to help a large Brazilian bank defend against injection attacks was multifaceted. First, Aware secured the bank’s application so that the integrity of the biometric capture was preserved. Second, it performed an analysis of the biometric data for face presentation attacks, examining how cybercriminals were attempting to gain access through fake facial attributes.
The third layer relied on non-biometrics best practices. Aware addressed the security aspects for the three different pieces of the bank’s onboarding pipeline. Aware’s work resulted in a significant decrease in the injection attack vector.
How Injection Attacks Can Be Prevented: Best Practices and Takeaways
There are several lessons from Aware’s work with this bank that others should consider when faced with evolving biometric authentication attack vectors. Here are the key takeaways:
Presentation Attack Detection (PAD) is only one element in a complex biometric authentication system. A successful solution needs to minimize friction but maximize accurate results. This includes detecting presentation attacks before they even enter the biometric subsystem and end-to-end solutions that verify the integrity of the authentication transaction. Collaborating with other financial services institutions to advance the common goal of accurate, secure facial authentication can be critical.
When implementing or improving a biometric authentication solution, liveness detection is vital in any scenario where security is paramount. Put simply, liveness detection determines whether the user is a living, breathing person being presented live to the imaging device or if it’s a presentation or spoof attack designed to breach the system. It serves as a solid line of defense against any presentation attack, whether a simple photo spoof, a deepfake, or a morph video, thanks to its ability to distinguish between a live person and a facsimile of a live person. While some liveness detection requires a user to follow a series of prompts, such as head turns, highly effective liveness detection can also be performed entirely in the background without inconveniencing the user. For organizations committed to protecting themselves against presentation attacks, passive liveness detection is the ideal blend of security and convenience.
Find the right partnership with an authentication company. Ultimately, injection attacks are best thwarted by strong network and software security. Organizations can detect injection vulnerabilities in their systems and avoid attacks altogether through various testing methods, software, and products designed for this purpose. Security professionals trained and practiced in the latest injection attack types can and should be of significant interest to organizations looking to protect against these evolving threats. A close partnership between the financial institution and the authentication company means cooperation at both the technical and enterprise security levels, as well as transactional data sharing. This helps financial institutions stay ahead of evolving attack vectors and realize the full benefits of biometric authentication.
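One way to realize the first takeaway’s point about verifying the integrity of the authentication transaction, as an added example that is not Aware’s or the bank’s code: the server issues a single-use nonce, the capture SDK binds the hash of the captured frame to that nonce and signs the envelope, and the server rejects unsigned uploads (a frame injected around the SDK), replays, stale transactions, and frames swapped after capture. The shared HMAC key, the field names and the 60-second window are assumptions for illustration; a production capture SDK would rely on hardware-backed device keys or attestation rather than a shared secret.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret standing in for a key provisioned to the capture SDK.
# Assumption for illustration only: real deployments bind the key to the device.
SDK_KEY = b"constructed-demo-sdk-key"
MAX_AGE_SECONDS = 60


def issue_challenge(outstanding, now):
    """Server side: mint a single-use nonce for one authentication transaction."""
    nonce = secrets.token_hex(16)
    outstanding[nonce] = now
    return nonce


def sdk_capture(nonce, image, now):
    """Capture SDK side: bind the captured frame to the challenge and sign it."""
    body = {"nonce": nonce, "image_sha256": hashlib.sha256(image).hexdigest(), "ts": now}
    payload = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(SDK_KEY, payload, hashlib.sha256).hexdigest()
    return body


def verify_capture(envelope, image, outstanding, now):
    """Server side: accept the image only if the envelope proves it came through the
    SDK for this transaction, is fresh, and the bytes were not swapped after capture."""
    mac = envelope.get("mac")
    if not mac:
        return False, "unsigned upload"
    body = {k: v for k, v in envelope.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SDK_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    # Consume the nonce so a replayed envelope fails on its second use.
    issued = outstanding.pop(body.get("nonce"), None)
    if issued is None:
        return False, "unknown or reused nonce"
    ts = body.get("ts", 0)
    if not (issued <= ts <= now) or now - issued > MAX_AGE_SECONDS:
        return False, "stale transaction"
    if hashlib.sha256(image).hexdigest() != body["image_sha256"]:
        return False, "image does not match capture"
    return True, "ok"
```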
For more information on how your financial services company can stop injection attacks and to read the Aware case study on how we helped one large bank, download our white paper.