Biometrics' 'evil twin' problem is not a real problem

Two recent hacks by researchers have highlighted vulnerabilities in biometric systems used in banking and payments.

The first was a breach of HSBC’s voice biometrics phone banking system by a BBC reporter and his non-identical twin brother. The second, a hack of Samsung’s Galaxy S8 iris scanning authentication by taking a picture of the subject's face, printing it on paper, superimposing a contact lens, and holding the image in front of the camera of a locked Galaxy S8. While somewhat embarrassing for both companies involved, it is worth putting these breaches into context as omitting the bigger picture: These so-called vulnerabilities are way more convoluted than stealing a password or PIN.

The advantage of biometrics (what you are) over passwords and PINs (what you know) can be distilled to a single factor — what you know can be easily shared.

A 2013 study by Opinion Matters highlighted that 72% of office commuters ‘shoulder surf’ fellow passengers. Perhaps more disturbing, a 2016 study by the University of Luxembourg updated the classic ‘passwords for chocolate’ research to show that consumers are still vulnerable to basic social engineering attacks, with 48% of people offering up their passwords if given chocolate immediately before the question. While it is unlikely that all interviewees divulged their actual passwords, the sample of over 1,200 participants means that some probably did. Further compounding the issue, according to Sophos, 55% of people use a single password across multiple websites.

Clearly, in banking and payments, there are degrees of required security dependent on the types of networks being accessed.

The checks and balances for accessing a high street checking account need not be as stringent as those needed for seven figure wire transfers. While the above hacks demonstrate that fraudsters can theoretically infiltrate voice banking and mobile payments, the difficulty of procuring a twin or a close-up photograph of the intended victim’s eyeball are probably beyond the means of the generic petty criminal. For higher-value transactions, these vulnerabilities may be worth addressing, but these attacks are outliers and simply don’t come into play for everyday banking and payment transactions, such as those where the HSBC and Samsung solutions are most likely to be applied.

The HSBC and Samsung hacks are less like a stolen PIN and more like fraud committed by a friend or family member. These forms of fraud are already on the radar of many banks and merchants, which know that a relative is more likely to be able to answer challenge questions or guess passwords than a complete stranger would be.

This is a separate category of fraud, and it doesn't negate the value of challenge questions for the general population.

Another benefit to biometrics is that a compromised biometric trait is not the same all-or-nothing risk as a stolen PIN or password.

Biometrics are an algorithmic grey scale. If a more accurate biometric is required, then the number of identifying characteristics can be dialed up. There may be a tradeoff in speed and security which may impact the time it takes for authentication to occur, but in high risk environments, the number of biometric identifiers needed can be ramped up beyond what a fraudster may have been able to duplicate with a photograph or a compliant twin.

Biometrics clearly aren’t infallible, and they’re not designed to be. As their usage becomes mainstream, increased attention from unwelcome guests is likely to heighten. Nonetheless, the advantages over incumbent forms of authentication are abundant.