Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke
You can change a password. You can't change fingerprints
Around the world, banks are implementing biometric authentication systems for their customers as fraud cases increase – but experts warn biometrics should not be treated like a silver bullet for ID woes.
Earlier this year, HSBC announced the launch of Voice ID for its customers in the UK, alongside fingerprint authentication, to offer a more secure service to its mobile banking customers by allowing them to authenticate themselves with their unique biological features.
Classically the three factors of authentication have been something an individual knows, something they have, and something they are. While biometrics have come to typify the latter category, they have not done so without concern.
Something you are, rather than something you know, is capable not merely of allowing individuals to voluntarily authenticate themselves, but also exposes them to the risk of being identified, potentially covertly and without their consent, for the purposes of surveillance.*
In the already highly-surveilled world of finance, however, there is little defence of anonymity, such as in cash transactions, due to the risk posed by theft and money laundering. The use of chip-and-pin cards to provide two-factor authentication (having the chip and knowing the pin) provides security in raising the bar for fraudulent access, and also in creating a record of expenditure.
This certainly benefits victims, whose losses to cybercriminals, for instance, are reimbursed far more often than losses may be when cash is stolen from a wallet.
Particularly in play in the mobile world, biometrics are considered to offer a convenient means of authentication, as customers cannot forget their fingerprints or voice as they could forget a PIN. HSBC's head of customer contact, Joe Gordon, told The Register: "The technology is equipped to deal some illnesses, such as a common cold. This is due to the technology not just measuring the actual sounds themselves, but also the way your muscles produce a sound. In severe instances of illness or injury, a customer can be transferred to an agent to complete the security process without using voice biometrics."
Speaking at a Westminster Business Forum on Biometrics, the CESG's Head of Identity in Government, Dr Chris Allgrove, claimed that society had reached “the tipping point” at which financial and other services have started backing the introduction of biometrics for authentication, according to Allgrove, due to the mass misuse of alternative authentication methods.
In the work conducted by GCHQ's information assurance arm, Allgrove noted that “people basically use passwords that are not terribly helpful, people don’t use them well, people don’t follow rules – or the rules are so horribly complicated that there’s no point following them.”
This was “not to say they’re rubbish, it’s not to say that they shouldn’t be used,” said Allgrove, “but they need to be used wisely” – and they rarely are, he suggested.
Existing technology has underpinned the developments in alternatives, and some of it has been in existence for quite a while.
Dactyloscopy, or fingerprint identification, is largely accepted to have been first described by Dr Henry Faulds in a paper titled On the Skin-furrows of the Hand (PDF) published in Nature in 1880, while sensor technology is also “fairly well-established, fairly mature [and] fairly well understood” according to Allgrove.
He added that “there’s also huge amounts of innovation going on, and both pushing forward existing technology and developing new modalities, implementing novel ideas on these platforms. And this is all underpinned by developments of the architectures, the processes, both in terms of power and how fast they operate, and also how secure they can operate, and how reliably we can expect them to do particular tasks and look after our sensitive data.”
According to Allgrove, different manufacturers may implement different security paradigms for uploading apps or accessing information, “but they are all vulnerable.”
Biometrics are not a silver bullet to such issues, Allgrove stressed to his audience, adding that anyone who says otherwise is “either very, very naïve, or just not telling the truth.”
The CESG-man listed Cheltenham's concerns, starting “with the sensor or the biometric device where you’re capturing the sample, creating a template from that, storing the template and then using the template against its reference.”
“These are all areas that we need to be concerned about, and they will be targets,” he told the forum. However, threats and attacks will not only be targeting these particular functions, he said; concern must equally address “how the biometric component interacts with the wider world, whether it’s an application that’s using it to authenticate somebody’s identity, or the host operating system, any of the external service that the service providers will be running their service from.”
The point of this is it’s not just a spoofing tactic, it’s not just making an artefact that mimics somebody’s physical characteristic. It’s a lot more than just playing with Gummy Bears.
Not that spoofing is completely out of the question. Allgrove noted that the Chaos Computer Club in Germany had taken a German minister's fingerprints from a photograph and spoofed them during a campaign against the introduction of ID cards in Germany.
Allgrove added: "There’s a lot of research looking at things like revocable biometrics where you use a biometric as a seed for something that can be changed or given up and replaced. So you might need to develop the technology to counter those fears. The existing attacks, [if you] type in 'fingerprint spoofing' into Google, you get 150 tutorials. Whether they work, whether you can do it reliably... whether a criminal would have the confidence [to use it] is another question."
Asked if it believed that mobile devices are sufficiently secure for banking purposes, the bank answered: "HSBC has recently introduced touch ID – meaning customers can access their account by scanning their fingerprint on their Apple device's home button. Touch ID then intelligently analyses this information with a remarkable degree of detail and precision." ®
* Interested readers may note that despite being considered a knowledge factor, re-used passwords are probably a “target detection identifier” for the purposes of GCHQ's MUTANT BROTH surveillance tool.