Countering Cyber Criminals with Biometrics

Image result for financial fraud action biometrics

The growth in online banking and electronic payments has made it easier for criminals to target banks and their customers and is prompting the financial services sector to invest in new security measures. 
 
Banking fraud is a problem as old as banks themselves. Frauds against UK online banking customers netted £60 million in 2014, a 48 per cent increase on losses in 2013, according to Financial Fraud Action UK, an industry body. The organisation warns that individuals are leaving themselves open to fraudsters, by falling victim to phishing e-mails asking for account details or by failing to install effective anti-virus software.

And, with more than half the adult population now using online banking, fraud is likely to grow. Rising losses and the distress caused to customers are prompting banks to look at more robust security measures, including biometrics.
A problem banks face is that online fraud has grown as banking and financial services have become more anonymous and automated.

As one expert in the sector points out, in the days of personal banking and local branches, we had a very effective form of biometric security: a bank manager who recognised their customers. If a bank teller became suspicious of a customer, he or she could call on the manager, who would vouch for the customer or raise the alarm.
 
Online banking takes away that personal relationship, forcing banks to rely on passwords and other electronic security measures. Unfortunately, passwords are easy to forget and also easy to crack.
“Banks have been overly reliant on PINs and passwords since mainframes first came in, in the 1950s,” says Mike Wood, a director at IT firm Unisys. “Banks then moved to PINs and ‘memorable’ information. Unfortunately that information is often instantly forgettable and people can’t recall it when they need to. It is flawed.”
To help us remember PINs and passwords, we write them down on sticky notes, store them in spreadsheets or reuse the same passwords over and over. All this makes life harder for the customer, but easier for the fraudster.
Banks’ attempts to bolster security, though gadgets such as PIN readers or security dongles, only add to the inconvenience. “These things are complicated, so often we just won’t use them,” says Mr Wood.

The problem is becoming worse as consumers start using cards and mobile phones for contactless payments on the move. In the UK, contactless payments have no authentication at all if they are less than £20; it is sufficient for someone just to have the credit or debit card.

Phone-based payments could, potentially, support higher-value transactions, but only if security can be addressed. Anything more complicated than entering a standard, four-digit PIN probably will not appeal to consumers trying to pay with a smartphone. Requiring them to enter a strong password – even if they could remember it – might make them abandon the transaction.

This is prompting banks to look for alternative security measures, ideally those that are both hard to hack and easy to use.
 
Biometrics are, at least on paper, hard to hack, but also convenient to use. Coupled with smartphones with fingerprint readers or computers with webcams, they might not even need banks to give their customers additional hardware.
“Any reliable mechanism that is easier than a password is a good thing,” says Dr David Chismon from security consultancy, MWR InfoSecurity.

Already, some banks allow their customers to authorise transactions with a fingerprint and fingerprints are also under consideration as a way to secure smartphone payments. Unfortunately for advocates of biometric security, as well as for banks’ anti-fraud departments, biometrics is neither completely secure, completely reliable nor as easy to set up as they might hope. Of the dozens of biometric security trials carried out by banks, only a handful have led to successful, large-scale deployments.

The first challenge banks face is enrolling customers in biometric programmes.
The last few years have seen plenty of new biometric tools join fingerprints and iris recognition. These include advanced voice biometrics, and palm and finger vein readers, systems that read heartbeats, breath sounds, and even the way we write or type, a science known as “behavioral biometrics”. As Steve Silberstein, chief technology officer at tech firm SunGard, points out: “The body is full of interesting ‘fingerprints’.”
But to make these systems work, banks have to capture the customer’s biometric ID, as well as check they are who they claim to be. This process is time consuming, expensive and often disliked by customers.
And biometrics, despite the way they are portrayed in science fiction or detective novels, are rarely completely accurate.
Factors as diverse as background noise to the sweatiness of a palm, can affect a biometrics’ accuracy. Banks have to decide whether to accept a lower score – and a higher risk of fraud – or a tougher biometric and the risk of inconveniencing genuine customers, and forcing them back to passwords or memorable words.
 
It is even possible to fake some biometrics, such as smartphone fingerprint scanners, using little more than sticky tape and glue, warns Candid Wueest, a researcher at security firm Symantec. “That means you can unlock the device, unlock online banking and start a transaction,” he says.
This means, at least in the short term, banks look set to use biometrics alongside other checks, such as background checks on transactions, smart cards or phones, and even the humble password. “It has to be seamless, but also allow the customer to keep control,” Accenture Technology Labs’ Emmanuel Viale concludes.
PayPal is one of the best-known names in online payments and is used for thousands of transactions every day, especially on eBay.
But PayPal is also trying to build an offline payments business, for example by supplying card readers to small businesses and retailers. In addition, PayPal customers can use the company’s app to pay for goods and services, including meals at the Pizza Express chain.

Last year, though, the company went a step further and added fingerprint approval to its app. The service was set up initially to work with selected Samsung smartphones and tablets because they have built-in fingerprint readers.
The system is designed to replace user names and log-ins, otherwise, anyone wanting to pay by PayPal would have to remember their sometimes complicated computer-based PayPal credentials in a retail store.
The scheme was originally planned for roll out in 25 countries, and was supported by an authentication scheme called FIDO, which was also backed by Google, Microsoft and MasterCard.

However, although other firms have since turned to smartphone fingerprint readers to authorise transactions, including Apple’s Apple Pay in the US, security researchers claim the fingerprint system on the Samsung S5 – the launch device for PayPal’s scheme – was allegedly easily hacked.

Researchers were able to photograph a fingerprint on a user’s phone and create a false print to unlock the handset. However, given the sophisticated tools hackers would need to do this and that they would need to capture the user’s fingerprint in the first place, the risks to users could still be minimal. Halifax, part of the Lloyds Banking Group, became one of the first companies to use customers’ heartbeats as a biometric identifier earlier this year.

The bank has tested out a device called a Nymi band, to capture heartbeats and use them instead of PINs or passwords.
The Nymi band is similar to wristbands worn by athletes to monitor their heart rate for sports training, but it has been developed specifically to create a heartbeat-based authentication system, which the company calls HeartID. This uses the customer’s electrocardiogram, or ECG, which is unique to each of us. The band itself communicates wirelessly with a computer, smartphone or other device.

Raconteur:  

 

« Predictions for cyber-crime in 2015 and how the Security Industry is Responding
US Colleges Open Networks in a Cyberwar »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Pyramid Computer

Pyramid Computer

Pyramid Computer provides custom enterprise solutions for Industrial PC, Imaging, Network, Security, POS, Indoor Positioning and Automation.

TechInsurance

TechInsurance

TechInsurance is America's top technology insurance company offering a range of technology related products including Cyber Liability insurance.

InAuth

InAuth

InAuth Security Platform delivers advanced device identification, risk detection, and analysis capabilities to help organizations limit risk and reduce fraud.

Lares Consulting

Lares Consulting

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing and coaching.

Uniscon

Uniscon

Uniscon is a leading provider of cloud security solutions in Europe.

National Institute of Information and Communications Technology (NICT)

National Institute of Information and Communications Technology (NICT)

NICT is Japan’s sole National Research and Development Agency specializing in the field of information and communications technology.

Medigate

Medigate

Medigate is a dedicated medical device security platform protecting all of the connected medical devices on health care provider networks.

Penacity

Penacity

Penacity, LLC provides strategic consulting technology services and Information Security Services to commercial and government organizations.

Ingenio Global

Ingenio Global

Ingenio is a specialist recruitment business for SaaS companies. Our purpose is to source exceptional talent in areas including cyber security for leading SaaS companies in the UK and Ireland.

Securden

Securden

Securden provide an all-in-one Platform for Next-Gen Privileged Access Governance, helping you to prevent identity thefts, malware propagation, cyber attacks, and insider exploitation.

Sertainty

Sertainty

Sertainty enables developers to mix intelligence into data files for active risk mitigation and data control. Discover the impact of Data: Empowered.

Safetech Innovations

Safetech Innovations

Safetech Innovations is a team of cyber security experts, always at your service. We use human and cyber intelligence to help your business in uncertain times.

Bechtle

Bechtle

Bechtle is one of Europe’s leading IT service providers offering a blend of direct IT product sales and extensive systems integration services.

Tetra Defense

Tetra Defense

Tetra Defense is a leading incident response, cyber risk management and digital forensics firm.

Panther Labs

Panther Labs

Panther’s mission is to make security monitoring fast, flexible and scalable for all security teams.

Mobilicom

Mobilicom

Mobilicom is an end-to-end provider of cybersecurity and smart solutions for drones, robotics & autonomous platforms.