Go on, corporate drone, log in... We'd recognise your VEINS anywhere – Barclays

Vein recognition biometric tech rollout for biz banking

Barclays is ramping up its fight against online fraud with the roll-out of a biometric scanner that uses Hitachi’s Finger Vein Authentication Technology (VeinID).

Unlike fingerprints, vein patterns are extremely difficult to spoof or replicate. Barclays Biometric Reader will allow customers secure access to their online banking accounts by simply scanning their finger using the device.

The compact device can read and verify the users’ unique vein patterns in the finger, helping to combat identity fraud that has become a growing problem for businesses both in the UK and overseas over recent years.

The technology will initially be available to Barclays Corporate Banking clients from 2015. Corporate banking customers will be able to authorise payments within seconds, without the need for PINs, passwords or authentication codes.

The scanned finger must be attached to a live human body in order for the veins in the finger to match the correct pattern, we're told. Barclays will not hold the user’s vein pattern and there will be no public record of it – instead the pattern is stored encrypted on a SIM card that must be inserted into the reader.

Hitachi’s VeinID is already used by banks for password replacement, single sign-on and ATM machines in Japan, North America and Europe. However, the combination of vein biometric and digital signature technology in the Barclays Biometric Reader for online banking is claimed by Barclays as a financial sector first.

El Reg has covered Hitachi’s VeinID biometrics in the past. Hitachi reckons vein pattern-based authentication can offer higher accuracy rates than fingerprint recognition, with the added benefit that, unlike fingerprints, vein patterns are extremely difficult to spoof or replicate.

The technology seems like a well-thought-out means to protect corporate banking accounts, which are indisputably a target for cybercriminals.

The use of a vein-based biometric offers better potential for a secure system than fingerprint-based biometrics without imposing any additional inconvenience for users. Security researchers have for many years uncovered security weaknesses in fingerprint-based biometrics, most famously using Gummi Bears to defeat sensors way back in 2002. Fingerprint technology has improved over the years but even so vein-based biometrics may still offer advantages.

"At the very least, people don't tend to leave a copy of their vein-pattern on random surfaces they touch. So, there's that," Sean Sullivan, a security advisor at security software firm F-Secure told El Reg.

Professor Mike Jackson from Birmingham City University’s Business School praised Barclays' use of finger vein technology, as it's more reliable than fingerprint biometrics, we're told.

"The most well-known biometric method is fingerprint recognition which can be implemented very cheaply. It’s reasonably accurate and fast, however, it’s open to forgery and fingerprints can deteriorate over time," Prof Jackson said.

"Finger vein technology is definitely the way forward as it can be quickly and accurately recognised. It’s also resistant to forgery because veins are located inside the body rather than on the surface. Finger vein patterns even differ between identical twins and don’t alter as you get older," he added.

Barclays suggested there may be a potential to roll out vein pattern-based biometric technology to consumers at some point, but the bank made no firm commitment on this front.

The launch of the Barclays Biometric Reader follows on from the introduction of voice biometrics for its Barclays Wealth customers to identify themselves on phone calls, removing the need for passwords or security questions. ®
