Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke

You can change a password. You can't change fingerprints

Around the world, banks are implementing biometric authentication systems for their customers as fraud cases increase – but experts warn biometrics should not be treated like a silver bullet for ID woes.

Earlier this year, HSBC announced the launch of Voice ID for its customers in the UK, alongside fingerprint authentication, to offer a more secure service to its mobile banking customers by allowing them to authenticate themselves with their unique biological features.

Classically the three factors of authentication have been something an individual knows, something they have, and something they are. Biometrics have come to typify the third category, but not without concern.

Something you are, rather than something you know, is capable not merely of allowing individuals to voluntarily authenticate themselves, but also exposes them to the risk of being identified, potentially covertly and without their consent, for the purposes of surveillance.*

In the already highly-surveilled world of finance, however, there is little room for the anonymity of a cash transaction, because of the risk posed by theft and money laundering. Chip-and-PIN cards provide two-factor authentication (having the chip and knowing the PIN): they raise the bar for fraudulent access and also create a record of expenditure.

That record certainly benefits victims: losses to cybercriminals are reimbursed far more often than cash stolen from a wallet is.

Particularly in the mobile world, biometrics are considered a convenient means of authentication, as customers cannot forget their fingerprints or voice the way they can forget a PIN. HSBC's head of customer contact, Joe Gordon, told The Register: "The technology is equipped to deal with some illnesses, such as a common cold. This is due to the technology not just measuring the actual sounds themselves, but also the way your muscles produce a sound. In severe instances of illness or injury, a customer can be transferred to an agent to complete the security process without using voice biometrics."

Speaking at a Westminster Business Forum on Biometrics, the CESG's Head of Identity in Government, Dr Chris Allgrove, claimed that society had reached “the tipping point” at which financial and other services have started backing the introduction of biometrics for authentication, driven by the mass misuse of the alternative authentication methods.

In the work conducted by GCHQ's information assurance arm, Allgrove noted that “people basically use passwords that are not terribly helpful, people don’t use them well, people don’t follow rules – or the rules are so horribly complicated that there’s no point following them.”

This was “not to say they’re rubbish, it’s not to say that they shouldn’t be used,” said Allgrove, “but they need to be used wisely” – and they rarely are, he suggested.

Biometrics security

Existing technology has underpinned the developments in alternatives, and some of it has been in existence for quite a while.

Dactyloscopy, or fingerprint identification, is largely accepted to have been first described by Dr Henry Faulds in a paper titled On the Skin-furrows of the Hand (PDF) published in Nature in 1880, while sensor technology is also “fairly well-established, fairly mature [and] fairly well understood” according to Allgrove.

He added that “there’s also huge amounts of innovation going on, and both pushing forward existing technology and developing new modalities, implementing novel ideas on these platforms. And this is all underpinned by developments of the architectures, the processes, both in terms of power and how fast they operate, and also how secure they can operate, and how reliably we can expect them to do particular tasks and look after our sensitive data.”

According to Allgrove, different manufacturers may implement different security paradigms for uploading apps or accessing information, “but they are all vulnerable.”

Spook security

Biometrics are not a silver bullet to such issues, Allgrove stressed to his audience, adding that anyone who says otherwise is “either very, very naïve, or just not telling the truth.”

The CESG-man listed Cheltenham's concerns, starting “with the sensor or the biometric device where you’re capturing the sample, creating a template from that, storing the template and then using the template against its reference.”

“These are all areas that we need to be concerned about, and they will be targets,” he told the forum. However, threats and attacks will not only be targeting these particular functions, he said; concern must equally address “how the biometric component interacts with the wider world, whether it’s an application that’s using it to authenticate somebody’s identity, or the host operating system, any of the external service that the service providers will be running their service from.”

His point was that the threat is not just spoofing, not just making an artefact that mimics somebody’s physical characteristic. It is a lot more than just playing with Gummy Bears.

Not that spoofing is completely out of the question. Allgrove noted that the Chaos Computer Club in Germany had taken a German minister's fingerprints from a photograph and spoofed them during a campaign against the introduction of ID cards in Germany.

Allgrove added: "There’s a lot of research looking at things like revocable biometrics where you use a biometric as a seed for something that can be changed or given up and replaced. So you might need to develop the technology to counter those fears. The existing attacks, [if you] type in 'fingerprint spoofing' into Google, you get 150 tutorials. Whether they work, whether you can do it reliably... whether a criminal would have the confidence [to use it] is another question."
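The revocable-biometrics idea Allgrove describes, as an added illustration that is not code from the article, HSBC or CESG: a token issued to the user seeds a random projection of the biometric feature vector, and only the sign bits of that projection are stored. Compromise the stored template and the bank revokes the token and re-enrols; the old template no longer matches anything. The feature vectors, tokens and noise model are constructed placeholders, and the scheme is a simplified BioHashing-style construction, not any bank's production design.

```python
import hashlib
import random

FEATURE_DIM = 16      # length of the (constructed) biometric feature vector
TEMPLATE_BITS = 128   # length of the derived, revocable template
MATCH_THRESHOLD = 16  # max Hamming distance still accepted as the same person

def _projection(token: bytes):
    # Derive a token-specific random projection matrix; a new token gives a new matrix.
    seed = int.from_bytes(hashlib.sha256(token).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)] for _ in range(TEMPLATE_BITS)]

def make_template(features, token: bytes) -> int:
    # Project the features with the token's matrix and keep only the sign of each output.
    # The stored value is a bit string tied to this token, so a leaked template is
    # useless to an attacker once the token has been revoked and replaced.
    bits = 0
    for row in _projection(token):
        dot = sum(w * f for w, f in zip(row, features))
        bits = (bits << 1) | (1 if dot > 0 else 0)
    return bits

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def verify(features, token: bytes, stored: int) -> bool:
    # A fresh capture plus the current token must fall within noise tolerance of the template.
    return hamming(make_template(features, token), stored) <= MATCH_THRESHOLD

def constructed_features(seed: int):
    # Constructed stand-in for the feature vector a real fingerprint/voice pipeline produces.
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]

def noisy_rescan(features, seed: int, sigma: float = 0.01):
    # Constructed sensor noise on a later capture of the same person.
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]

def demo():
    alice = constructed_features(1)
    token_v1, token_v2 = b"alice-token-v1", b"alice-token-v2"  # hypothetical issued tokens
    stored = make_template(alice, token_v1)  # what the bank keeps on file
    return {
        "genuine_rescan": verify(noisy_rescan(alice, 2), token_v1, stored),
        "impostor": verify(constructed_features(99), token_v1, stored),
        # After a breach the token is revoked: the same finger with the new token no longer
        # matches the leaked template, and a fresh template is enrolled in its place.
        "leaked_template_after_revocation": verify(alice, token_v2, stored),
        "reenrolled": verify(noisy_rescan(alice, 3), token_v2, make_template(alice, token_v2)),
    }
```

Note that the token is a second factor in disguise: the scheme only delivers revocability if the token is kept apart from the stored template, which is exactly the "wider world" integration Allgrove warns about.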

Asked if it believed that mobile devices are sufficiently secure for banking purposes, the bank answered: "HSBC has recently introduced touch ID – meaning customers can access their account by scanning their fingerprint on their Apple device's home button. Touch ID then intelligently analyses this information with a remarkable degree of detail and precision." ®


* Interested readers may note that despite being considered a knowledge factor, re-used passwords are probably a “target detection identifier” for the purposes of GCHQ's MUTANT BROTH surveillance tool.


Biting the hand that feeds IT © 1998–2022