The future is biometric… but is it safe?
- John Marsden, Head of Fraud and Identity at Equifax
- 17.03.2016 02:00 pm Biometric
With high-profile data breaches hitting the headlines, businesses are under increasing scrutiny to enhance their cybersecurity. Data loss is no longer seen as a low-risk problem and is at the forefront of business priorities. The financial and reputational impact of falling victim to fraud is high.
Both big and small players in the financial sector have recognised passwords as a weak link in their security chains. A growing number are partnering with technology companies to implement new authentication processes, from fingerprints to iris recognition, or even full facial scans.
HSBC’s plan to introduce touch and voice ID security to access accounts by the summer is just one example of how financial institutions are embracing new technology. While the advances in biometric data certainly show promising signs for defending against fraud, will this be enough to put an end to it?
Passwords are close to becoming obsolete as a form of authentication used in isolation, partly because of the growth of biometrics, but also because passwords have become too easy to compromise. Email addresses are a prime example of the flaws of passwords, and this area needs to be addressed urgently. Once an email account is breached, fraudsters have access to a plethora of information, as many other authentication processes are intertwined with an individual’s account. For example, if a customer ‘forgets’ their password for online shopping, this would be reset through their already infiltrated email address.
It’s clear that multiple security layers, combining different authentication methods, are the answer to strengthening defences. HSBC, for example, has implemented a two-factor approach, with both touch and voice ID security. Biometrics are revolutionising the industry, but old methods still have relevance, especially if you’re not in a position to authenticate someone on their biometrics and need to fall back on traditional methods.
Despite first appearances, implementing biometric data is not costly. In fact, smaller companies in the financial services sector have been leading the way. The larger banks are in some ways reacting to what they’re seeing from the smaller ‘challenger’ banks.
Using biometrics does raise new areas of concern. For example, what happens when the biometrics of a fraudster are added when an account is set up; how do we know the correct person is actually being enrolled in the first place? Application fraud can lead to the fraudster being authenticated repeatedly once their personal characteristics are enrolled in the system. Indeed, if we ‘trust’ a particular method of authentication, this will become the point of attack. Essentially, we are creating electronic signals from devices which could be recreated. Chip and PIN suffered such a compromise, where an intermediate layer placed on the chip meant point of sale terminals recognised any PIN entered as being valid. This highlighted that the ultimate trust placed in the chip became the target for the fraudster.
Currently there is no central data bank of biometric data that companies can use to confirm an individual’s identity. We may get there one day, but is this turning us into a Big Brother state? And what happens if this is breached? Questions like these will need to be addressed as biometrics become an increasingly used method of protection against external threats. Despite this, it is clear that multi-layering is the way forward if biometrics are to be effective against fraudulent activity; adding to the complexity of a trusted framework will inevitably make compromise more difficult.