The death of the password: biometric banking

Many banks around the world, large and small, continue to experience major security failures. At this year’s Kaspersky Security Analyst Summit (April 2 – 6, 2017), Kaspersky Lab analysts described their investigation of a Brazilian bank whose online services were taken over by cybercriminals for several hours. The takeover started with a spear-phishing attack. Next, the cybercriminals used a Domain Name System (DNS) redirect attack, so that traffic for the bank’s domains went to servers the attackers controlled. While Kaspersky Lab did not name the bank, other security analysts have identified it as Banrisul and have pointed to mistakes in the bank’s security setup. For example, banks should at least use the registry lock option that some DNS registrars offer, and should protect the registrar accounts that control their domains with two-factor authentication.

Voice ID biometric authentication

In 2016, HSBC introduced voice and touch ID security systems to its millions of customers in the United Kingdom. Barclays had tested voice systems in 2013, introducing them first to its 300,000 wealthiest customers. Barclays reported that the time required to verify an identity dropped from 90 seconds to 10 seconds.

HSBC used Nuance Communications technology for its voice system. Nuance uses more than 100 distinct voice characteristics, such as speed, cadence, and pronunciation.

Unfortunately for public confidence in new systems, a BBC reporter and his twin brother fooled the voice system. Instead of falling back to an alternate method of authentication after a failed match, HSBC’s system allowed the caller many attempts to authenticate, and each attempt was another chance for a similar voice to be accepted.

Palm vein pattern authentication

Fujitsu’s Palm Vein Authentication Technology has been used by banks for customer verification since 2004: Suruga Bank (2004), The Bank of Tokyo-Mitsubishi (2004), The Hiroshima Bank (2005), The Bank of IKEDA (2005). More banks adopted the technology following the passage of the “Act for the Protection of Personal Information” (effective May 1, 2005).

Palm vein pattern authentication has the advantage of using data from inside a person’s body, which is not left behind on surfaces the way a fingerprint is. Customers and employees do not touch the scanners, which keeps the scanners clean. From a test using 140,000 profiles from 70,000 individuals, Fujitsu reported a false acceptance rate (an impostor matched to someone else’s template) of less than 0.00008% and a false rejection rate (a legitimate user failing to match their own template) of 0.01%. These are vendor-reported figures for a single attempt; how a bank handles retries decides how much of that per-attempt rate survives in practice.
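The two error rates in the paragraph above, and the retry weakness in the HSBC story, are easier to reason about with a small model. The following is an added example, not code from this page, from Fujitsu or from Nuance: it measures FAR and FRR from constructed matcher scores at a chosen threshold, picks a threshold for a target FAR, shows how an impostor’s odds compound when the matcher can be retried, and gates a voice login so that repeated failures route the caller to another factor. The score lists, the `VoiceGate` class and its parameters are assumptions for illustration.

```python
"""Added example (not from the original page, Fujitsu or Nuance):
measuring a biometric matcher's error rates and limiting retries."""
from dataclasses import dataclass, field

# Constructed matcher scores in [0, 1]; higher means a closer match.
# GENUINE: users compared against their own enrolled template.
# IMPOSTOR: users compared against someone else's template.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.93, 0.72, 0.89, 0.96, 0.81]
IMPOSTOR = [0.12, 0.31, 0.08, 0.44, 0.27, 0.19, 0.61, 0.35, 0.22, 0.15,
            0.49, 0.09, 0.38, 0.74, 0.26, 0.11, 0.33, 0.41, 0.17, 0.29]


def far_frr(genuine, impostor, threshold):
    """False acceptance rate: fraction of impostor attempts scored at or
    above the threshold. False rejection rate: fraction of genuine
    attempts scored below it. Raising the threshold lowers FAR and
    raises FRR; on real data the two cannot both be driven to zero."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest observed score at which FAR <= max_far; returns
    (threshold, far, frr) so the FRR cost of that choice is visible."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def retry_attack_probability(far, attempts):
    """Probability that at least one of `attempts` independent impostor
    attempts is accepted when each has false acceptance rate `far`.
    A system that lets a caller keep trying the matcher weakens
    whatever per-attempt FAR the vendor measured by this factor."""
    return 1 - (1 - far) ** attempts


@dataclass
class VoiceGate:
    """Verifier that caps matcher retries per user and then routes the
    caller to a different factor instead of another voice attempt."""
    threshold: float
    max_attempts: int
    failures: dict = field(default_factory=dict)   # user -> failed count

    def verify(self, user, score):
        """Returns 'accept', 'retry' or 'fallback'."""
        if self.failures.get(user, 0) >= self.max_attempts:
            return "fallback"   # locked until another factor clears it
        if score >= self.threshold:
            self.failures.pop(user, None)
            return "accept"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            return "fallback"
        return "retry"

    def clear(self, user):
        """Called after the alternate factor (a one-time code, a branch
        visit, and so on) succeeds."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    for t in (0.7, 0.8):
        print("threshold", t, "FAR/FRR", far_frr(GENUINE, IMPOSTOR, t))
    print("threshold for FAR<=0:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
    # The page's vendor figure of 0.00008% (8e-7) per attempt, compounded
    # over 8 unrestricted tries:
    print("8 tries at 8e-7 FAR:", retry_attack_probability(8e-7, 8))
```

On the constructed scores, moving the threshold from 0.7 to 0.8 takes FAR from 5% to 0 and FRR from 0 to 20%, which is the trade-off every biometric deployment has to settle; the retry formula shows that even a very small per-attempt FAR is multiplied by the number of attempts a caller is allowed, so the attempt cap in `VoiceGate` is part of the security of the matcher, not a usability detail.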

Suruga Bank stores the vein patterns on a server in its client-server system, so the bank manages the templates centrally. The Bank of Tokyo-Mitsubishi stores vein patterns on IC (smart) cards, so each user keeps control of their own template and a breach of the bank’s servers does not expose it.

Banks can also use the Fujitsu technology for door security and for login authentication.

On November 22, 2016, Fujitsu announced the availability of PalmSecure bioLock for securing SAP ERP systems and the HANA platform. Fujitsu partnered with bioLock AG, a pioneer in biometric fingerprint systems with decades of experience providing controls for SAP enterprise resource planning (ERP) systems. Unlike banks that use biometric systems only to identify customers, banks using PalmSecure bioLock will be able to mitigate employee fraud. As Fujitsu noted:

“With PalmSecure bioLock, in addition to log-on protection, customizable security checkpoints can be established based on management policies and business rules on a user-by-user basis. These re-authentication checkpoints can be set at very granular levels such as tables, transactions, info types, fields, field values, buttons or whenever a critical activity is performed within SAP. Actions such as exporting data, printing data, saving data, changing data and viewing data can all be controlled.”
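A concrete shape for the re-authentication checkpoints the quotation describes, as an added example that is not Fujitsu’s or bioLock’s code and says nothing about how their product is built: actions are mapped to a freshness window for the user’s last biometric match, some actions consume that match so each one needs a new scan, per-user overrides narrow the policy, and every decision is logged. The action names, the window values and the `Checkpoints` class are assumptions for illustration; the clock is passed in so the policy can be exercised offline.

```python
"""Added example (not Fujitsu's or bioLock's code): policy-driven
re-authentication checkpoints in front of sensitive ERP actions."""
from dataclasses import dataclass, field

# Seconds of freshness required for the user's last biometric match
# before each action. None means the action is unrestricted.
# Values are illustrative, not a recommendation.
DEFAULT_WINDOWS = {
    "view": None,
    "change": 300,
    "save": 300,
    "export": 60,
    "print": 60,
}


@dataclass
class Checkpoints:
    windows: dict = field(default_factory=lambda: dict(DEFAULT_WINDOWS))
    # Actions that must each be preceded by a new match: one scan, one export.
    per_action: set = field(default_factory=lambda: {"export"})
    user_overrides: dict = field(default_factory=dict)  # user -> {action: window}
    _auth: dict = field(default_factory=dict)           # user -> [timestamp, consumed]
    audit: list = field(default_factory=list)           # (now, user, action, allowed)

    def record_auth(self, user, now):
        """Called when the user passes a biometric match."""
        self._auth[user] = [now, False]

    def window_for(self, user, action):
        """Per-user override wins over the global policy."""
        return self.user_overrides.get(user, {}).get(action, self.windows.get(action))

    def allow(self, user, action, now):
        """Decide whether `action` may proceed; log the decision either way."""
        window = self.window_for(user, action)
        if window is None:
            ok = True
        else:
            tok = self._auth.get(user)
            # A match from the future (clock skew) is rejected along with stale ones.
            fresh = tok is not None and 0 <= now - tok[0] <= window
            if action in self.per_action:
                ok = fresh and not tok[1]
                if ok:
                    tok[1] = True       # consumed: the next export needs a new scan
            else:
                ok = fresh
        self.audit.append((now, user, action, ok))
        return ok


if __name__ == "__main__":
    cp = Checkpoints()
    cp.record_auth("alice", 1000)
    for t, action in ((1010, "export"), (1020, "export"), (1100, "change"), (1400, "change")):
        print(t, action, cp.allow("alice", action, t))
```

The decision and the audit entry come from one function, so the log is complete even for denials; that is what lets a bank reconstruct which employee tried to export or print what, and whether a fresh scan stood behind it.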

In Brazil, Banco Bradesco has reported more than 700 million ATM transactions without fraud using Fujitsu’s PalmSecure biometric readers in its ATMs. Customers use a card or codes plus hand identification, so the palm scan is a second factor rather than a replacement. By contrast, banks relying on passwords, PINs, or identification cards alone have experienced fraud. The Brazilian social services agency accepts a pension withdrawal at a Banco Bradesco ATM as proof that the pensioner is still alive, without requiring paper documents to be presented to the agency.

Lessons to be learned from banks

The continuing major security failures experienced by banks around the world show that many people responsible for bank security do not understand how to use the security options available in current systems and are failing to use the best biometric security systems. While this was a review of palm vein pattern, fingerprint, and voice biometric systems, the same principles apply to other biometric technologies. It was a mistake to rely only on passwords, PINs, or identification cards. It would be a mistake to rely on any single solution.

Banks are rushing to overcome the weaknesses of using only passwords. A large percentage of bank customers use the same password for many accounts and dislike changing passwords. Adding biometric systems will make customer authentication more secure. However, some banks focus on the speed and ease of authentication at the expense of resistance to people finding ways to beat the systems, for example by allowing unlimited attempts against a matcher that is only probabilistic.

While some banks have rushed to implement biometric systems to reduce fraud at ATMs, banks must not ignore the importance of employee fraud. It is imperative that banks use biometric systems providing granular control over which employees can read, change, save, and print accounting data, with re-authentication at the point of the sensitive action rather than only at login.
