The financial sector is doing a better job preventing cyber security breaches and fraud than other industries. According to a report from the Identity Theft Resource Center and CyberScout, the banking, credit, and financial sector experienced fewer data breaches in 2016 than any other sector.
That doesn’t mean banks are clear of threats. Financial institutions are well aware that hackers continue to target their access control processes. This specific issue has led many banks to apply biometric security measures to their employee- and customer-facing authentication practices. What sort of vulnerabilities can this technology address?
Security Threats and Challenges in Banking
Consider the threats at the customer side. We’ve spoken about the problems with passwords before: hackers get their hands on credentials through phishing, posing as a trusted individual or organization and sending victims a message that demands sensitive personal information such as passwords.
Put yourself in the customer’s shoes. You get an e-mail from your bank that informs you that you need to change your username and password for security purposes. The message asks for your username and password as well as the new credentials you would like to use moving forward. You reply with the information because you trust your bank.
The problem is, while the e-mail looks professional and authentic, it is actually from a fraudster, who now has the means to enter your bank account.
The biggest issue with passwords is that they’re often easy to guess and even easier to steal. Biometric information, on the other hand, is much more difficult to get a hold of and exploit for the following reasons:
- Biometric data doesn’t have to be centrally stored. Unlike passwords, biometric authentication technologies do not need to keep fingerprints, facial images and other biometric data in centralized databases. In implementations that leverage FIDO, biometric data is stored and compared on the devices people use. For instance, if a banking customer wanted to use his smartphone to log in to his bank account using a facial image, the image itself would reside on the smartphone, not on a central server.
- Biometrics are a second factor. Unlike passwords, biometric authentication is generally used as a second factor towards strong authentication, with the first factor being possession and control of an authenticated mobile device or computer. This means that before a fraudster can make use of a victim’s biometrics, they must first steal, or otherwise compromise and take control of, the victim’s device.
- Liveness detection techniques help prevent spoofing. Liveness detection confirms that the person presenting a facial image, fingerprint or some other biometric feature is actually present. For example, liveness detection will prevent access if someone tries to use a photo or video of the targeted victim. So even if a fraudster manages to steal someone’s biometric data, they won’t be able to use it to get access to that person’s bank accounts.
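The three bullets above describe one mechanism: the biometric unlocks a key that never leaves the customer’s device, and the bank verifies a signature rather than a fingerprint or face. The Go program below is an added example, not code from the original post or from any FIDO implementation. It assumes Ed25519 device keys, a toy Euclidean-distance matcher over constructed feature vectors with an assumed threshold of 0.15, and a liveness verdict that is passed in as a flag because the liveness detector itself is out of scope. The hypothetical types `Device` and `Server`, and the functions `NewDevice`, `Register`, `Unlock`, `Verify` and `Authenticate`, are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// Template is a constructed stand-in for a biometric feature vector; in a
// FIDO-style deployment it exists only on the user's device.
type Template []float64

// matchThreshold is an assumed tuning value: the largest distance between a
// live sample and the enrolled template that still counts as a match.
const matchThreshold = 0.15

// Device models the customer's phone: enrolled template plus signing key.
// Neither is ever sent to the bank.
type Device struct {
	template Template
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey
}

// Server models the bank backend. It stores one public key per user, so a
// breach of this map yields no biometric data and nothing that can sign.
type Server struct{ keys map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}} }

// NewDevice enrols a template and generates the device-bound key pair.
func NewDevice(enrolled Template) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{template: enrolled, priv: priv, pub: pub}, nil
}

// Register records the device's public key (simplified: no attestation check).
func (s *Server) Register(user string, d *Device) { s.keys[user] = d.pub }

func distance(a, b Template) float64 {
	if len(a) != len(b) {
		return math.Inf(1)
	}
	sum := 0.0
	for i := range a {
		sum += (a[i] - b[i]) * (a[i] - b[i])
	}
	return math.Sqrt(sum)
}

// Unlock is the on-device step. live is the verdict of a liveness detector
// (assumed, not implemented here). A non-live sample is refused before the
// template is compared, so a photo of the enrolled user fails however well it
// matches. On success the device signs the bank's challenge.
func (d *Device) Unlock(sample Template, live bool, challenge []byte) ([]byte, error) {
	if !live {
		return nil, errors.New("liveness check failed")
	}
	if distance(sample, d.template) > matchThreshold {
		return nil, errors.New("biometric mismatch")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify checks the signed challenge against the user's registered key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Authenticate runs the exchange end to end: fresh random challenge (so a
// captured signature cannot be replayed), local unlock, signature check.
func Authenticate(s *Server, user string, d *Device, sample Template, live bool) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := d.Unlock(sample, live, challenge)
	if err != nil {
		return false, err
	}
	return s.Verify(user, challenge, sig), nil
}

func main() {
	enrolled := Template{0.10, 0.20, 0.30} // constructed enrolment vector
	phone, _ := NewDevice(enrolled)
	bank := NewServer()
	bank.Register("alice", phone)
	ok, err := Authenticate(bank, "alice", phone, Template{0.12, 0.20, 0.30}, true)
	fmt.Println("live matching sample, registered phone:", ok, err)
	ok, err = Authenticate(bank, "alice", phone, Template{0.12, 0.20, 0.30}, false)
	fmt.Println("photo of the user, liveness fails:", ok, err)
	other, _ := NewDevice(enrolled) // stolen template copy, unregistered device
	ok, err = Authenticate(bank, "alice", other, enrolled, true)
	fmt.Println("correct biometric, wrong device:", ok, err)
}
```

The third case in `main` is the point of the second bullet: a perfect copy of the enrolled biometric on an unregistered device produces a signature the bank cannot verify, because the registered private key was generated on, and stays on, the original phone.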
But how eager are banks to add biometrics capabilities to their operations?
Banks are Adopting Mobile Biometrics
120 million consumers had used mobile biometrics to secure banking transactions in 2015, according to a report from Goode Intelligence. We’re only three years away from seeing more than 1 billion consumers use biometric data to access accounts, secure payments and engage in other banking transactions through their smartphones.
Mobile banking is quickly changing how people choose to engage financial institutions, particularly for under-banked populations. Given that biometric authentication delivers more convenience than entering a long and complex password, it’s not surprising that many consumers are open to the idea of using their fingerprints, faces and irises to access accounts.
Alan Goode, the report’s author and founder of Goode Intelligence, observed that “we are seeing a flurry of activity by banks and payment services providers investigating ways in which they can implement mobile-based biometrics that meets their security requirements.”
He also noted that while a bank may integrate a biometric authentication solution into a mobile banking app, they may only allow customers to use their biometrics for low-value transactions, such as to pay bills. But when it comes to less frequent needs such as creating new beneficiaries or submitting loan requests, banks may require additional security mechanisms.
Goode also highlights the need to properly vet the capabilities of biometric solutions. It can be challenging to accurately assess the performance and security of biometric authentication and liveness detection implementations. One reason is that it requires ground-truth data: to perform thorough testing, large numbers of realistic biometric samples are needed, with samples known to be from the same person and samples known to be spoofs.
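With labelled ground truth in hand, the vetting itself reduces to counting outcomes at a given decision threshold. The Go program below is an added example, not from the original post or from the Goode Intelligence report; it scores a toy Euclidean-distance matcher over a constructed labelled set and reports the false reject rate (FRR), the false accept rate for zero-effort impostors (FAR) and the spoof acceptance rate (SAR). The `Sample` and `Rates` types, the `Evaluate` function and all enrolled vectors and samples are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one labelled test presentation. Subject is the identity the
// presenter claims; Spoof marks a known presentation attack (photo, replay,
// fake finger) against that subject. All data in this file is constructed.
type Sample struct {
	Subject string
	Feature []float64
	Spoof   bool
}

// Rates holds the three numbers a vendor evaluation needs at one threshold.
type Rates struct {
	FRR float64 // genuine users rejected / genuine attempts
	FAR float64 // other real users accepted / impostor attempts
	SAR float64 // spoof presentations accepted / spoof attempts
}

func distance(a, b []float64) float64 {
	if len(a) != len(b) {
		return math.Inf(1)
	}
	sum := 0.0
	for i := range a {
		sum += (a[i] - b[i]) * (a[i] - b[i])
	}
	return math.Sqrt(sum)
}

func ratio(num, den int) float64 {
	if den == 0 {
		return math.NaN() // no attempts of this kind: the rate is undefined
	}
	return float64(num) / float64(den)
}

// Evaluate scores a distance-threshold matcher against enrolled templates.
// Each genuine sample is matched against its own subject (FRR) and against
// every other enrolled subject as a zero-effort impostor (FAR); each spoof is
// matched only against the subject it imitates (SAR).
func Evaluate(enrolled map[string][]float64, samples []Sample, threshold float64) Rates {
	var genuine, rejected, impostor, accepted, spoofs, spoofOK int
	for _, s := range samples {
		if s.Spoof {
			spoofs++
			if distance(s.Feature, enrolled[s.Subject]) <= threshold {
				spoofOK++
			}
			continue
		}
		for id, tmpl := range enrolled {
			match := distance(s.Feature, tmpl) <= threshold
			if id == s.Subject {
				genuine++
				if !match {
					rejected++
				}
			} else {
				impostor++
				if match {
					accepted++
				}
			}
		}
	}
	return Rates{FRR: ratio(rejected, genuine), FAR: ratio(accepted, impostor), SAR: ratio(spoofOK, spoofs)}
}

func main() {
	// Constructed enrolment templates; carol sits close to alice in feature space.
	enrolled := map[string][]float64{"alice": {0.10, 0.20}, "bob": {0.80, 0.90}, "carol": {0.25, 0.20}}
	samples := []Sample{
		{"alice", []float64{0.12, 0.20}, false},
		{"alice", []float64{0.30, 0.20}, false}, // noisy capture of alice
		{"bob", []float64{0.80, 0.88}, false},
		{"bob", []float64{0.82, 0.90}, false},
		{"alice", []float64{0.10, 0.21}, true}, // printed photo of alice
	}
	for _, th := range []float64{0.05, 0.10, 0.30} {
		fmt.Printf("threshold %.2f: %+v\n", th, Evaluate(enrolled, samples, th))
	}
}
```

Sweeping the threshold shows the usual FRR/FAR trade-off, but the SAR stays at 1.0 at every setting: a matcher alone accepts a good photo of the enrolled user, and only the labelled spoof samples make that visible. That is why the vetting set needs known spoofs as well as known genuine pairs, and why liveness detection has to be evaluated as its own component.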