Barclays banks on biometrics…but should it?
According to Verizon’s 2015 Data Breach Investigations Report (DBIR), the retail and financial services industries are the two markets most frequently attacked by cyber criminals. This makes total sense when you consider that most cyber attacks are conducted for direct financial gain – either by stealing money directly, or stealing personally identifiable information (PII) that can be sold – and that financial service companies and retailers are where the most money changes hands.
There have been multiple, recent, high-profile security breaches that have impacted companies in the financial services industry. The largest was most likely the breach that impacted global banking giant, JPMorgan Chase. That attack was disclosed in October of 2014 and involved the compromise of information that impacted approximately 76 million households and 7 million small businesses.
Even more recent was the breach of Scottrade, a Saint Louis-based retail brokerage firm. The company announced earlier this month that a cyber attack could have compromised the contact information and social security numbers of as many as 4.6 million customers.
In light of these recent cyberattacks and security breaches impacting the financial services industry, banks are working diligently to secure their networks, customer accounts and information. In fact, one bank recently made the news for putting the security of customer accounts into their customers’ hands…or fingers.
In late September, Barclays Bank – a bank based out of the UK – announced that it was launching an iPortal Banking Hub for its corporate accounts that would allow account holders to sign in using Hitachi’s Finger Vein Authentication Technology (VeinID). This technology scans a user’s finger and its blood flow, and the result is used to identify the individual and initiate the session.
This is an exciting development and an impressive step from an organization that is clearly taking the security of its customers and their accounts seriously, especially in light of the recent high-profile security breaches. Unfortunately – like other biometric tools – this new system could still be vulnerable to attack.
Although the VeinID technology is supposed to be more secure than traditional fingerprint scanners, many of the same concerns remain. First, there’s the issue of malware and sophisticated cyberattacks.
Today’s attackers have tools that enable them to sit in the middle between a user and the server doing the authentication. Any information sent between these two parties can be monitored and recorded. There are also tools that today’s hackers can use to keep online banking sessions open after the authentication has completed, giving them full access to the accounts and the information within.
Using biometrics doesn’t necessarily reduce the effectiveness of these attacks. All it really does is keep the user from having to remember a password, and make brute-force attacks and credential theft harder. And this brings up another problem with biometrics – permanence.
You can change a password. Granted, it might be annoying and force you to remember another arbitrary sequence of uppercase letters, lowercase letters, numbers and special characters – but passwords can be changed. You can’t change your fingerprint. And you can’t change the blood flow in your finger (at least we’re pretty sure…). Even if you change from one finger to the next, your options are limited to ten different “passwords,” assuming you don’t eventually move on to using your toes.
Ultimately, biometric factors are really just a replacement for a password. They’re harder to figure out and can’t be easily stolen, but they’re essentially serving as a user’s password. This means they have many of the same vulnerabilities and issues as traditional passwords. The authentication process is still done in-band. The session can still be hijacked and malware can still be used to steal the authentication information. And the “password” can’t be changed if it’s compromised.
So, what should financial institutions be looking for instead? First, it’s essential that the authentication process move out-of-band, so that man-in-the-middle and similar attacks on the browser session cannot capture the authentication credentials. Next, banks should look for solutions that gauge more than a user’s identity. They should be embracing solutions that authenticate the user not just on who they are, but also on where they are and what their intentions are. This is the only way that they can ensure that customer accounts are protected.
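To make the two recommendations above concrete, here is an added example (not Barclays’, Hitachi’s or the author’s code; all names and values are constructed): a confirmation code bound to the exact payee and amount and delivered on a second channel, so a hijacked in-band session cannot authorize a transaction the user never intended, plus a travel-plausibility check on where each request comes from.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field

# Constructed example (hypothetical names/values): pairs an in-band login with an
# out-of-band, transaction-bound code and a location plausibility check.
SERVER_KEY = secrets.token_bytes(32)  # server-side HMAC key, constructed

@dataclass
class Session:
    user: str
    geo: tuple          # (lat, lon) observed at login
    seen_at: float      # epoch seconds of the last accepted request
    pending: dict = field(default_factory=dict)  # nonce -> (tx, code)

def issue_oob_code(session, tx):
    """Bind a one-time code to this exact payee and amount. It is sent over a second
    channel (app push/SMS, not modelled), so a hijacker of the web session never sees it."""
    nonce = secrets.token_hex(8)
    msg = f"{session.user}|{tx['to']}|{tx['amount']}|{nonce}".encode()
    code = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:8]
    session.pending[nonce] = (tx, code)
    return nonce, code

def confirm_tx(session, nonce, code, tx):
    """Accept only if the code matches this nonce AND the transaction is the one it was
    issued for; a wrong code burns the nonce, so replay on an altered payee fails."""
    entry = session.pending.pop(nonce, None)
    if entry is None:
        return False
    issued_tx, issued_code = entry
    return hmac.compare_digest(code, issued_code) and tx == issued_tx

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def plausible_location(session, geo, now, max_kmh=900.0):
    """Reject a request that would need faster-than-airliner travel since the last
    accepted request; otherwise accept it and move the session's last-seen point."""
    hours = max((now - session.seen_at) / 3600, 1e-9)
    if km_between(session.geo, geo) / hours > max_kmh:
        return False
    session.geo, session.seen_at = geo, now
    return True
```

The location check is one example of the "where they are" signal the text asks for; in production it would sit alongside device and behavioural signals rather than stand alone.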
Financial services companies have huge bullseyes on them. They hold the world’s money, and that will always make them the top target for cyber thieves and hackers. I applaud Barclays Bank for taking the security of their corporate accounts seriously and for looking at a new and exciting security solution for authentication. But if they truly want to secure their accounts, they’ll look to learn a lot more about the individual logging in – such as their intent and location – than just the blood flow in their finger.