Biometrically challenged: three-factor authentication systems too weak for web banking
Despite new adoptions by RBS and Natwest, even three factor authentication may not be enough to adequately defend online banking against attackers according to experts
Biometric technology isn't all its cracked up to be according to some.
The Internet banking industry is at something of a sensitive inflection point with the resilience of even the most cutting edge security practices for end users now being questioned.
While banks such as NatWest in the UK still rely on nothing but numeric passwords to access online web services, organisations such as HSBC insist on the use of a random number device generator for all logins i.e. essentially a two-factor authentication approach.
To clarify, NatWest and parent bank RBS have offered higher level fingerprint services for smartphone banking for a year now. This option is available to iPhone 5S, 6 and 6 Plus users with an iOS8 or higher operating system.
HSBC is now pushing even further and is launching voice recognition services for customers in the UK. HSBC UK's head of retail banking Francesca McDonagh has called this the largest planned rollout of voice biometric security technology in Britain.
Biometrics and 3-factor authentication
The use of biometric security systems essentially takes us upward to the level defined as three-factor authentication.
One factor authentication is traditionally restricted to something we know – a password. Two-factor authentication is something we know and something we have – a password AND a random number device. Three-factor authentication then is something we know and something we have AND something we are - a password and a random number device AND a fingerprint or voice stamp or face image.
Commentators have pointed out that the ‘something you are' factor (although it ‘progresses' us upward to three-factor authentication) is a factor or element that is more open to theft, copying or fraud through surveillance techniques.
Fingerprint images can be scanned and copied, voice can be recorded and facial image recognition techniques can potentially be circumvented via the use of simple pictures. While skin tone texture detection techniques are being developed at the software level, the third-factor is still said to be far from secure.
Clever, but not clever enough?
Industry watchers have clarified the current state of voice biometrics, which are already impressively advanced. News portal 9to5Mac explains that the HSBC system is supplied by Nuance Communications and works by cross-checking users' voices against over 100 unique identifiers including both behavioural features such as speed, cadence and pronunciation -- and physical aspects including the shape of larynx, vocal tract and nasal passages.
The Nuance system is even clever enough to detect whether an original user has a cold. Noise cancellation technologies in most smartphones are able to filter out background ambient noise like traffic and other distractions, but is it enough?
SCMagazineUK.com followed this story up with Dr Peter Waggett, emerging technology director at IBM and chair of the Biometrics Standards Committee, British Standards Institute. "Frictionless Authentication is an approach that rates the risks around a transaction to the uncertainty in the authentication and reacts accordingly,” said Dr Waggett.
“For example, I'm in Spain, which my calendar says I shouldn't be”,and, “I'm trying to transfer my funds to solve a crisis overseas. My level of authentication recognises that I normally use a PIN, so this time it asks for an additional form of authentication. It appropriately weighs the probability of fraud and responds to the perceived risk by using methods such as biometrics to improve the protection."
Also keen to voice an opinion on this subject was Oz Mischli in his role as VP of product at Dyadic Security. Mischli spoke to SC to say that biometrics, like any other security solution, is not a silver bullet. “In many cases it does offer considerable UX and security benefits over the traditional passwords, particularly for mobile banking.”
“However,” said Mischli. “It has its drawbacks. For example, unlike passwords, your biometric features are much harder (if not impossible) to change, adding a new area of concern. Also, some common banking cybercrime schemes that involve social engineering are likely to bypass biometrics as they do with other controls: by targeting the end-user, which is the weakest link. So, (i) banks should consider biometrics as a layer with other security controls, and (ii) biometrics should be carefully implemented so users' privacy and overall security of the solution are addressed properly.”
Robert Capps, VP of business development at NuData Security also spoke to SC to clarify the story in progress here. Capps says that would question the contextual appropriateness of taking a selfie or providing a voice sample to authorise an online transaction in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, or in a culturally sensitive place).
“Beyond the social and cultural issues, there are concerns about how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day to day life,” said Capps.
“Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials - effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non face-to-face transactions.”
Capps underlines the way forward and says that to provide effective security for online interactions, we need to focus on the use of non-static signals and indicators of human identity - signals that cannot be stolen and reused for impersonation.
“We've found that observing and interpreting the hundreds of distinct signals generated by a human as they interact with the physical and virtual world around them, results in a much clearer picture of interactional risk, and assurance that the human at the computer is the rightful consumer that belongs to the identity in use,” he said.
The future for biometrics
Still at the prototyping stage in most cases, future-looking forms of biometric identification include software intelligence systems capable of analysing the way a human user moves their mouse or the way users behave with their touchscreen or keyboard. The analytics engine behind this intelligence is capable of tracking tiny variations in speed, movement pattern and, in some cases, pressure – all these factors can be combined to create a ‘unique' profile for an individual user.Other still-nascent biometric identification systems track heart-rate through wearable wrist bands. The stuff of movies up until now, iris and retina recognition is also enjoying developmental attention. Finally, we will also soon be able to include vein-pattern recognition, to detects the structure and arrangement of human veins under the skin (usually in the arm or wrist) as a means of identification.