Kemp Little – Biometric Security in the Financial Services Sector

You’d have to go quite a long way to find someone who likes passwords. Typically, they’re an inconvenience at best. The only time most people even think about passwords is when they are forced to hit the ‘Forgotten password?’ button, at which point they already know they’ll never get the next 10 minutes of their life back.

Here Chris Hill, Commercial Technology Partner at Kemp Little, provides an outlook on the risks involved in online security, and the potential solutions the future holds for anti-hacking & security measures and the rise of biometric technologies therein.


As well as being a user experience nightmare for bank customers, the wish to avoid this ‘forgotten password’ scenario leads customers to compromise their own security through poor password hygiene: some write down passwords so they don’t have to remember them, others use the same password across all their online services. Needless to say, both these approaches present security risks all of their own.

It’s common examples of bad security practice like these which lead some commentators to question whether passwords are even fit for purpose anymore. They can be brute-forced by determined hackers, but more commonly they are simply stolen en masse from online services. Household brands from the online world, such as Dropbox and Yahoo, have both been in the headlines recently, having been the victims of massive data breaches. In both cases, millions of sets of user credentials were stolen and subsequently made available for purchase on the dark web.

The relative ease and frequency with which user details are compromised today, combined with both the difficulty of remembering passwords for a myriad of services and the clunky user experience they routinely bring with them, has led some organisations to consider other means of authentication, contributing to the rise of biometrics as a complementary or alternative solution to enhance security standards.


Why biometrics?

The term biometrics describes the use of unique physical features, such as a fingerprint or retina, as a method of authenticating a user’s identity. These systems don’t require the user to remember anything, and biometric data, if stolen, is harder to use than a password. Generally speaking, for these reasons biometrics are perceived to be more secure than passwords, and as such we are seeing biometric authentication entering the mainstream.

Perhaps the most obvious example of this is the fingerprint scanner on the iPhone, and it’s a mark of acceptance of this technology that a number of mobile banking apps now make use of this handset feature even for highly sensitive applications.

Elsewhere in financial services, MasterCard allows users to verify their identities using a selfie, and both Barclays and HSBC plan to increase their use of voice recognition so as to speed up the security clearing process for telephone banking. As well as being more convenient for customers, this also reduces the time taken to deal with telephone queries, and therefore reduces call centre costs for the bank. In banks’ never-ending quest to improve the customer experience and reduce their cost base around customer interactions, together with the growing prevalence of biometric sensors in popular consumer hardware, it is reasonable to expect other financial institutions to follow suit with this and other forms of biometric identification.


The ‘spoofability’ of particular biometrics in banking

Although biometrics boast a number of advantages over passwords, the technology does have its downsides. In the same way that passwords can be stolen, so too can biometric data. For example, when the Office of Personnel Management was hacked in the United States, criminals stole the fingerprints of some 5.6 million US government employees. And unlike a password, you can’t change your fingerprint: those fingerprints and identities are forever compromised.

In common with other types of authentication such as passwords, biometrics compare an input (for example a user’s fingerprint or a scan of their retina) with a base document or record held on file to check whether the two match. There are several ways that such “static” biometrics can be spoofed. An imprint of the fingerprint could be stolen, and presented at the point of authentication in place of the real thing. Alternatively, if a hacker can change the base document, then the authentication system could be made to think that another person’s fingerprint is that of the authorised user.

This is where “dynamic” forms of biometrics, such as voice recognition or personal typing patterns – the modern equivalent of handwriting analysis – may well be a safer option. Whereas a fingerprint can be spoofed just by presenting it in isolation at the right time, it is far harder both to mimic a person’s voice quality and to do so in a way that is responsive to the context at the time of the security check (a recording of the same phrase over and over again is unlikely to pass muster). Similarly, it would be very difficult to imitate accurately the way another person types, and to do so at a speed that would not arouse suspicion. But even these forms of “dynamic” authentication are not impregnable: if the “yes” signal emanating from a successful comparison can itself be spoofed, then the battle is lost no matter what input is used.
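As an added illustration (not code from the article or from Kemp Little), a minimal Python sketch of the three defences the paragraph implies: an integrity tag on the stored base record, a fresh per-session challenge phrase so a replayed recording fails, and a match decision bound to the session rather than a bare “yes”. The matcher itself is a constructed stand-in (byte equality), as are the server key and sample voiceprints.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in production this lives in an HSM or key vault.
SERVER_KEY = secrets.token_bytes(32)


def _mac(*parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so fields cannot run together."""
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def seal_template(user_id: str, template: bytes) -> dict:
    """Enrolment: store the base record with an integrity tag bound to the user."""
    return {"user": user_id, "template": template,
            "tag": _mac(user_id.encode(), template)}


def template_intact(record: dict) -> bool:
    """Detect a swapped or edited base record before it is used for matching."""
    return hmac.compare_digest(_mac(record["user"].encode(), record["template"]), record["tag"])


def issue_challenge() -> str:
    """Fresh per-session phrase; a recording of an earlier phrase will not match."""
    return secrets.token_hex(8)


def verify(record, challenge, spoken_phrase, voiceprint, used_challenges):
    """Return (decision, proof). The proof binds the decision to user and challenge,
    so a captured 'accept' cannot be replayed into another session."""
    if not template_intact(record):
        decision = "reject:template-tampered"
    elif challenge in used_challenges:
        decision = "reject:challenge-reused"
    elif not hmac.compare_digest(spoken_phrase, challenge):
        decision = "reject:wrong-phrase"
    # Toy matcher: byte equality stands in for a similarity score against a threshold.
    elif not hmac.compare_digest(voiceprint, record["template"]):
        decision = "reject:voice-mismatch"
    else:
        decision = "accept"
    used_challenges.add(challenge)
    return decision, _mac(record["user"].encode(), challenge.encode(), decision.encode())


def decision_valid(record, challenge, decision, proof) -> bool:
    """Downstream consumer re-derives the proof instead of trusting a bare 'yes'."""
    return hmac.compare_digest(
        _mac(record["user"].encode(), challenge.encode(), decision.encode()), proof)
```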


Biometrics and the GDPR

The fingerprint theft example above throws into sharp focus the need to protect this source data appropriately, which is why biometric data is expressly included in the GDPR as a “special category” of personal data. The provisions around processing sensitive data in the GDPR are broadly similar to those contained in the Data Protection Directive, although it should be noted that under Article 9(4) of the GDPR, member states have the right to impose further conditions or limitations on sensitive data such as biometric, health or genetic data. It is therefore reasonable to expect that national differences on rules around the processing of such data will remain, and banks will need to pay close attention to any UK amendments in this area.

At a time when financial fraud in the first half of 2016 reached a value of almost £400 million, there can be little doubt that increasing the standard of security offered by banks has to be a major focus. With personal information exposed in data breaches increasingly being exploited as the basis for fraud, assuring the identity of customers has never been more central to the fight to reduce losses. The advent of the GDPR will place even greater emphasis on the need to process and store customer data securely: failure to do so could result in significant maximum fines, not to mention severe reputational damage and remediation costs.


Where next?

For all the advances in technology and market penetration in recent years, biometrics is still very much in its infancy. The inherent sensitivity of the data means that, in a financial services context, banks may well choose to protect biometric data in much the same way as credit card data (think PCI DSS).

But even then, it is only a matter of time before there are further breaches. Security is a never-ending cat and mouse game between cybercriminals and their targets: as soon as a bank introduces a new security measure, there will be criminals attempting to crack that system. Banks and other financial institutions will remain major targets for hackers due to the value of the potential payload. At the moment the relatively infrequent use of biometrics means that fraudsters will logically be encouraged to move on to one of many softer targets still in the market; but as the technology becomes more prevalent, there will be fewer soft targets to attack, leaving biometric data as a likely focal point for their attentions.

Further, the holding of biometric data, with the regulatory and reputational risks it poses, will undoubtedly pose an administrative and compliance burden for any organisation – even banks who are used to protecting sensitive data. So, it may well be that new business models arise in the secure holding of biometric records, such that banks could outsource the protection of the data to specialist third parties, who would hold the records on their behalf and serve up tokenised, non-sensitive versions of them for authentication purposes. In time, as the use of mainstream biometrics starts to spread outside financial services to other sectors which have less experience of safeguarding sensitive data, the existence of such expertise can only be a good thing.

