
The eyes have IT: TSB to roll out iris-scanning tech for mobile banking

Biometrics, certificates combo to shore up security

By John Leyden, 20 Jul 2017

TSB has announced plans to roll out iris-scanning technology for its mobile banking app from September.

The move will make the UK high street bank the first in Europe to debut iris-scanning tech.

TSB's iris recognition tech [source: TSB]

Biometric authentication for banking, in general, has become commonplace over recent years, with fingerprints among the preferred methods, thanks in large part to the inclusion of fingerprint reader technology in higher-end smartphones, particularly since the launch of Apple's TouchID back in 2013. Voice recognition is used elsewhere in the banking industry, particularly in call centres.

The TSB tech is based on technology from Samsung and only customers with the latest Samsung Galaxy S8 will be able to use iris recognition to access their TSB accounts. The bank already supports fingerprint recognition-based logins.

TSB told us: "Customers with a Samsung Galaxy S8 or S8+ smartphone will have the option, from September 2017, to unlock their TSB mobile banking app using the Samsung Pass iris scanner. TSB’s consumer customers will be able to access their banking using either the fingerprint (an existing feature) or the iris scanner, without any need to remember lengthy IDs or passwords."

TSB's chief information officer, Carlos Abarca, said iris recognition was more secure than other forms of biometrics. "It takes advantage of 266 different characteristics, compared with 40 for fingerprints," he said.

“Iris recognition allows you to unlock your TSB mobile app with a simple glance, meaning all of those IDs, passwords and memorable information become a thing of the past."

The tech offers a blend of security and convenience, according to the bank. Once customers log in after going through an iris scan app, they will need to enter a password or secret number, a TSB spokesman explained. Use of the tech is optional and other account access options will continue to be offered.

German hackers from the Chaos Computer Club were recently able to trick a Samsung Galaxy S8's iris scanner with a picture of the device owner's eye and a contact lens. TSB said it was relying not only on biometrics but on a digital certificate pushed onto the phone during the enrolment process, so would-be hackers would need not only a high definition image of their target's iris but their smartphone in any serious attempt to circumvent the bank's authentication controls.

Security experts gave the move a cautious welcome, noting that biometrics are useful but far from invulnerable. Biometric security is no longer the stuff of spy or sci-fi films. The technology is more secure than a password alone but by no means a panacea.

Etienne Greeff, CTO and co-founder of SecureData, commented: "It's good to see businesses like TSB looking to replace passwords, which are flimsy and easily breached, but hackers are wise to biometrics and it won't stop them from trying to get their hands on your data. Biometric security has been hacked in the past and there are countless examples of fingerprints being copied, voices being mimicked and iris-scanning software being tricked."

Multiple attacks on fingerprint scanners have been recorded over the years. HSBC's voice recognition security system was recently fooled by a BBC journalist and his brother.

"Biometric authentication is not entirely immune to potential attack and therefore should not be relied on as the sole means of verifying a user," said Richard Parris, chief exec at Intercede. "Rather than use biometrics in isolation, instead businesses need to be looking at strong authentication that incorporates three distinct elements – possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, an iris scan).

"This allows businesses to verify that the person accessing the service is who they say they are, in addition to limiting the amount of times an individual can attempt access if any of these elements are missing or incorrect."

Companies storing authentication data have a greater responsibility to safeguard it because it's harder to recover from breaches. Fingerprint or iris patterns can't be revoked and changed, unlike passwords or credit cards. "With board directors to soon be responsible for complying with GDPR, more consideration needs to be had for security techniques deployed today and how we can better protect consumers," SecureData's Greeff concluded. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing