Will Biometrics Kill The Password?

By Damien Hugoo

Video killed the radio star. Will biometrics do the same for passwords as the technology takes the security onus out of the hands of end-users? The answer—and what it means to the banking and financial sectors—may surprise you.

As technology plays an increasingly large role in our daily lives, there has been chatter comparing movie scripts with real life. Star Trek, for example, introduced the idea of phasers, communicators and universal translators. Today, we have Tasers, smartphones and voice recognition. Some 20 years later, “Back to the Future” predicted hoverboards—which proved to be a mixed blessing over the holidays. And more recently, the 2002 hit movie “Minority Report” finds the protagonist John Anderton (played by Tom Cruise) walking into a GAP clothing store only to have his eyes scanned and a holographic sales associate say: “Hello Mr. Yakamoto, welcome back to the Gap. How did those assorted tank-tops work out for you?” It’s then that Anderton, who has recently had a black-market eye transplant, discovers the identity of his donor. Is this yet another Hollywood script that’s destined to come true?

For starters, biometric scanners have been around for at least a decade, and are here to stay. But they are more likely to play a defensive role than to be predatory and on every street corner, as in the movies. The biometrics of today protect sensitive data, grant or deny access to restricted areas, and help law enforcement track down people who might be involved in terrorist activity or cybercrime. This last use is especially germane for anyone involved in the financial and fraud security arenas where talk of “killing the password” is the latest catch-phrase among security industry analysts.

Lines of defense

For banks and companies that do business online, an end-user-generated password is the first, albeit imperfect, line of defense. That’s why firms on the cutting edge have enacted two-factor, or “push,” authentication, where a prompt is sent to an end user’s mobile device when logins are deemed suspicious. These security measures, used in conjunction with other types of fraud protection, have proven effective in greatly reducing and even eliminating malware attacks against some companies. But not even the best laid-out fraud protection strategy is 100 percent secure.

Financial institutions and online transaction businesses can’t protect customers from themselves. Some anti-fraud measures are circumvented by sophisticated phishing scams in a process known as “social engineering”—a term for tricking the end user into handing over their login credentials to cyber criminals. These slick phishing attacks—everything from malware-injected login pages and phishing sites disguised as legitimate company pages to emails that look like they’re from your bank—can compromise the strongest password and get around two-factor authentication. For this reason and a host of others, many banks are looking to add biometrics as another authentication factor for increased security.

Biometric solutions are as varied as the needs for them and, for the most part, measure something unique to the user. Fingerprint and facial recognition, voice recognition, iris or retina scanning, ear scanning, finger geometry recognition, hand geometry recognition, signature recognition, typing recognition, and even DNA analysis are some of the more commonly used biometric solutions.

Advantages and drawbacks

From the perspective of a financial organization, there are many advantages to biometrics:

  • Ease of identification.
  • Greatly reduced, if not eliminated, chances of identity theft.
  • Extreme difficulty of duplication.
  • A high perception of security among its users.
  • Positive reception by users, as it means no passwords to remember and no one-time-password (OTP) token to carry.

However, like any technology that has not yet been thoroughly tested in a real-world environment, biometrics does have drawbacks. Some types of biometric data can be easy to steal (as in the case of fingerprint scanners), and if a user’s biometric data is compromised in any way, it can never be replaced.

Another factor that can hinder wider deployment of biometrics is cost. Though the technology can often pay for itself in the long run through saving the costs of issuing swipe cards, data badges and other physical security gizmos, the initial investment can be high. And biometric technologies can be seen by users as invasive. Placing your chin in some sort of contraption that scans your eyes and then stores the results in another’s database can leave many people offended by the invasion of their personal privacy.

Despite these obstacles, the growth potential of biometrics is massive, and many tech giants are moving full speed ahead with deployment. This year, Google will roll out what it’s calling Project Abacus—Google’s attempt to replace “legacy” password security with the collection of a number of biometric data readings. Abacus would lock or unlock devices and apps based on a cumulative “trust score.” This score is built as your mobile device continuously monitors and recognizes your locations, voice and speech patterns, how you walk and type, and your facial features. With all of these data points, your device will just know that it’s you operating the device, and not a phone thief or a cybercriminal.

In an article published on the tech website engadget.com, former Google exec Chris Messina mused that Abacus would be more secure and come to be preferred over two-factor authentication, which is considered the current “gold standard.” But others are not so sure. What if you were involved in some unfortunate accident that affected one of the biometric data features that make up your trust score? Would the software’s set of algorithms become suspicious of you and lock you out of your own mobile device? This is a valid concern, and one that Google will have to address.

Conclusions

Will biometric technology be the final nail in the coffin for the user password? Probably not, at least not in the foreseeable future. For one thing, a password is secret, while your facial features are not. Passwords are random and can easily be changed and replaced if they’re compromised, while there is no “reset” button for your fingerprints, eyes and face. If a fraudster gets their hands on your fingerprints, the only thing that may keep them from gaining unauthorized access to your company building or your bank account may be that trusty old user password, or two-factor verification tool.

Still, financial institutions and other organizations are attracted to biometrics for its increased security, smoother user experience and the fact that the presence of biometric security is off-putting for hackers, who are more likely to move on to an easier target knowing that “Bank X” and all its customers are protected with biometric technologies. Some banks will seek out anti-fraud protection companies that offer biometric technologies for fraud protection, but organizations looking to further secure their systems and protect their customers are advised to opt for multi-modal authentication as part of their fraud protection strategy.

No matter where you fall on the subject of biometrics as fraud protection, organizations will be smart to seek out a flexible and comprehensive multi-layered approach for end-to-end fraud protection, with biometrics being one of several layers in an effective anti-fraud strategy.

Damien Hugoo is Director of Product Management, Easy Solutions. Email: dhugoo@easysol.net
