Editor’s Note: A version of this piece first appeared on Javelin Strategy & Research’s blog.
Security researchers seem to love taking down biometrics, whether with gummy bears, handy photographs or — in the most recent case — a twin. Indeed, in the latest biometric bypass demonstration, BBC reporter Dan Simmons was able to have his non-identical twin brother successfully spoof his voice passphrase via HSBC’s phone banking portal and access his bank account.
While this is somewhat alarming, there are still (at least) two pieces of good news. First, it still took the twin — who had advantages associated with being related to the “victim” — eight attempts before the system accepted his voice. Second, while the twin was able to access HSBC’s phone banking, functionality for users logging in with voice biometrics is limited to hearing balances, recent transactions and transferring money between the user’s accounts at the bank.
Nonetheless, this penetration is one of a growing number of examples of holes in using biometrics to authenticate someone. In another, hackers from the infamous Chaos Computer Club recently reported that they had successfully tricked the Samsung Galaxy 8 iris scanner using a photo of the user’s face (printed, ironically enough, on a Samsung laser printer) and an ordinary contact lens.
Is this bad news for biometrics? Not particularly. Undoubtedly, biometrics is a powerful tool in a financial institution’s arsenal; however, it is no silver bullet for fraud prevention. If and when someone presents it as such, financial institutions should immediately be wary, and no one should be shocked when workarounds are discovered. Of course, this also means that banks should not suggest to their accountholders that biometrics is an impenetrable fraud-fighting barrier. But even with acknowledged weaknesses, biometrics is still much more reliable than many alternatives, especially when dealing with fraud committed by close family members.
Knowledge-based authentication, the primary alternative to biometrics, is particularly vulnerable to perpetrators who know their targets. But even if the fraud attempt is committed by non-family members, the growth of hacking tools such as mobile malware is opening more cracks in knowledge-based authentication and showing the clear value proposition for biometric authentication.
It’s also worth keeping in mind that different methods of biometric authentication have different levels of risk. With on-device authentication, the user authenticates against a template securely stored on the device. The device then sends a certificate to the bank’s server to verify the authentication, often using a strong cryptographic protocol like one from the FIDO Alliance.
Biometric information is never transmitted beyond the device and templates are not stored in a central location; thus, the risk of compromise is minimized. Moreover, in this scenario, the fraudster must both be able to impersonate the victim and gain access to his phone. To put this threat in perspective, a mere 1.6% of fraud victims in the past 12 months have had their mobile phone lost or stolen during the same time period, according to our data at Javelin.
Server-side biometric authentication — where the user’s information is transmitted to a central server that matches it against the template — is somewhat riskier than on-device authentication. While this method does increase usability in the sense that it does not require the user to install anything on his device, it also allows fraudsters to use their own device to target a user (assuming they have a suitable duplicate of the victim’s voice, fingerprint or face).
No matter what form of biometrics is used, institutions should still implement all the same best practices that apply to all forms of authentication. These include:
Layer up whenever possible
Every authentication solution has its weaknesses; however, overlapping layers of security can ensure that fraudsters don’t have an easy task ahead of them. For instance, in call centers, phone printing and similar tools can help provide assurance that the inbound call is from a device associated with the legitimate accountholder. This may not protect against familiar fraud since the fraudster may be able to access the victim’s phone. However, it does make successfully completing fraud a much more complex process.
Use systemic safeguards
Going back to the example of the HSBC penetration, the fact that the twin was able to succeed after seven failed attempts obviously should raise red flags. (HSBC reports that the company has since limited failed authentication attempts to three.) Limiting failed attempts or instituting escalating delays between failed attempts ensures that malicious actors don’t have free rein to attack authentication systems until they find the correct response.
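To make the safeguard concrete, here is an added example (not HSBC’s code or any vendor’s) of a per-account attempt guard that combines both controls mentioned above: an escalating delay after each failed match and a hard lockout once a configurable limit is reached. The policy numbers (three failures, a one-second base delay that doubles) and the simulated sequence of attempts are constructed for illustration; the matcher itself is assumed to exist elsewhere and is represented only by a boolean result.

```python
from dataclasses import dataclass

# Constructed policy values for illustration, not any institution's actual settings.
MAX_FAILURES = 3          # hard lockout on the third consecutive failed match
BASE_DELAY_SECONDS = 1.0  # wait imposed after the first failure; doubles each time


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed matches since last success
    next_allowed_at: float = 0.0  # earliest timestamp another attempt is accepted
    locked: bool = False       # requires an out-of-band reset by the institution


class AuthAttemptGuard:
    """Hypothetical helper that gates biometric match attempts per account.

    The guard never sees biometric data; it only tracks match outcomes, so it can
    sit in front of either an on-device or a server-side matcher.
    """

    def __init__(self, max_failures=MAX_FAILURES, base_delay=BASE_DELAY_SECONDS):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self._accounts: dict[str, AccountState] = {}

    def _state(self, account_id: str) -> AccountState:
        return self._accounts.setdefault(account_id, AccountState())

    def check(self, account_id: str, now: float) -> str:
        """Return 'ok', 'backoff' or 'locked' for an attempt made at time `now`."""
        st = self._state(account_id)
        if st.locked:
            return "locked"
        if now < st.next_allowed_at:
            return "backoff"
        return "ok"

    def record_result(self, account_id: str, now: float, matched: bool) -> None:
        """Update state after a matcher verdict; successes reset the counter."""
        st = self._state(account_id)
        if matched:
            self._accounts[account_id] = AccountState()
            return
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            return
        # Escalating delay: base * 2^(failures - 1) -> 1s, 2s, 4s, ...
        st.next_allowed_at = now + self.base_delay * (2 ** (st.failures - 1))


def simulate_attempts(outcomes, spacing_seconds, guard=None, account="acct-demo"):
    """Run a constructed sequence of matcher verdicts spaced evenly in time.

    Returns the guard's decision for each attempt. Attempts the guard refuses are
    never passed to the matcher, so they do not count as failures.
    """
    guard = guard or AuthAttemptGuard()
    decisions = []
    for i, matched in enumerate(outcomes):
        now = i * spacing_seconds
        decision = guard.check(account, now)
        decisions.append(decision)
        if decision == "ok":
            guard.record_result(account, now, matched)
    return decisions


# Constructed scenario mirroring the article: seven failed matches, then a success.
TWIN_SEQUENCE = [False] * 7 + [True]

if __name__ == "__main__":
    # Widely spaced attempts: the lockout is what stops the eighth try.
    print(simulate_attempts(TWIN_SEQUENCE, spacing_seconds=10.0))
    # Rapid-fire attempts: the escalating delay absorbs most of them first.
    print(simulate_attempts(TWIN_SEQUENCE, spacing_seconds=0.5))
```

Blocked attempts are deliberately not counted as failures, so a legitimate customer who retries during a backoff window does not talk themselves into a lockout; the lockout only advances on verdicts the matcher actually returned.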
Use risk-based authentication
Because of the comparatively low-risk features within HSBC’s initial phone banking platform, the bank could afford to have a somewhat lower threshold of authentication. For higher-risk activities, such as initiating transfers, changing account information or moving money, a higher level of authentication is appropriate. Biometric modalities are uniquely flexible forms of authentication in that the sensitivity can be increased or decreased depending on how much tolerance there is for falsely rejecting good customers versus incorrectly authenticating fraudulent ones. Understanding the sensitivity of their particular biometric integration can help financial institutions determine where biometrics fits in their authentication suite.
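The two ideas in this section and the earlier “Layer up” point can be shown together. The following is an added example, not code from HSBC, Javelin or any matcher vendor: it takes match scores from a hypothetical voice matcher, measures the false-accept and false-reject rates that a given threshold would produce, and maps each phone-banking action to its own threshold, stepping up to an additional factor rather than simply denying when a score falls in the grey zone. The score samples, action names and threshold values are all constructed for illustration.

```python
# Constructed match scores in [0, 1] from a hypothetical voice matcher.
# "Genuine" are legitimate accountholders; "impostor" includes relatives
# attempting to pass as the accountholder. Real distributions come from
# the vendor's evaluation data, not from ten samples.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.71, 0.93, 0.83]
IMPOSTOR_SCORES = [0.42, 0.55, 0.63, 0.38, 0.71, 0.49, 0.58, 0.66, 0.77, 0.45]


def false_accept_rate(impostor_scores, threshold):
    """Fraction of impostor attempts the matcher would accept at this threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """Fraction of genuine customers the matcher would turn away at this threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def error_tradeoff(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Tabulate (threshold, FAR, FRR) so the institution can see the trade-off."""
    return [
        (t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
        for t in thresholds
    ]


# Constructed risk tiers: the lower-risk actions tolerate a lower threshold,
# money movement out of the customer's own accounts demands a higher one.
RISK_THRESHOLDS = {
    "balance_inquiry": 0.60,
    "internal_transfer": 0.75,
    "external_transfer": 0.90,
}
FLOOR = min(RISK_THRESHOLDS.values())


def decide(action, score, thresholds=RISK_THRESHOLDS, floor=FLOOR):
    """Return 'allow', 'step_up' or 'deny' for a voice match score on an action.

    'step_up' is the layering hook: the biometric alone is not strong enough for
    this action, so the caller must present a second factor (for example, a
    one-time code to a registered device) before the action proceeds.
    """
    required = thresholds[action]
    if score >= required:
        return "allow"
    if score >= floor:
        return "step_up"
    return "deny"


if __name__ == "__main__":
    for t, far, frr in error_tradeoff(sorted(RISK_THRESHOLDS.values())):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    for action in RISK_THRESHOLDS:
        print(action, decide(action, 0.80))
```

On the constructed data the 0.60 threshold rejects no genuine customers but admits four impostors in ten, while 0.90 admits none but rejects six genuine customers in ten; neither is acceptable everywhere, which is why the threshold is chosen per action rather than once for the whole platform.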
The hype around biometrics’ role in security has helped drive adoption in financial markets and acceptance among consumers, but portraying biometrics as a cure-all invites contradictory stories like the twin brother’s HSBC bypass. That story would have been much less compelling if the title was, “Twin knows his brother’s mother’s maiden name,” for instance (or favorite color, first pet’s name, elementary school, etc.). In essence, stories like this one or the Samsung eye scanner deception get attention because biometrics work extremely well nearly all of the time and it is remarkable when someone finds a workaround.