If biometric authentication enters the mainstream, security experts warn, the technology will only be as good as its weakest link.
“Ultimately, it will depend on what kind of fallback mechanism these systems will have. If that fallback mechanism is easier to attack and cheaper, that’s where criminals will go,” says Tom Van de Wiele, principal security consultant at F-Secure, the financial services security company.
On March 10, NatWest announced a pilot of 200 biometric bank cards in partnership with Gemalto, the digital security company.
Biometric authentication – which Gemalto claims will increase security and convenience – will use fingerprint recognition for transactions over £30.
Fingerprint authentication relies on the storage of the relative distances between certain nerve endings in the user’s fingers. When the bank’s customer scans a finger, the transaction is authenticated based on a predefined margin of acceptance.
However, Van de Wiele believes there are still security issues.
“Any security control that is singled out will fall in space in the long run. We know how quickly we could clone someone’s fingerprints based on a latent print on a water glass, for example, or bypass biometric authentication with damp toilet paper. Our record is under four hours,” he says.
“The security will depend on the enrollment process,” he adds. “How easy is it to enroll or re-enroll a finger? In other words, if I just stole your card, how easy is it to fool the bank into re-enrolling my finger onto the card? What if someone compelled you to put your finger on the card, which is easier to do than compel someone to give you their PIN – maybe they’ll implement a panic finger.”
Raj Samani, fellow and chief scientist at McAfee, also highlights that central data collection will be heavily targeted by fraudsters.
“Unlike passwords, you can’t change your biometrics regularly. That means that securing this data is extra important, since once compromised there isn’t a way back,” said Samani in an email.
“From a maturity point of view, we have to thoroughly think about the most resilient method of securely storing biometrics and the most secure usage of biometrics for authentication. Fraudsters have a keen ability to find the weakest link,” he said.
In a recent survey, Gemalto found that 82% of consumers would embrace biometric bank cards.