Most big high street banks are beginning to use biometric authentication to give customers a more convenient way to check their account balance or make payments. However, one big question remains unanswered: is it safe?
A cyber security expert from consultancy NCC recently visited the Financial Times to demonstrate how to hack into a smartphone’s biometric authentication software, according to an article in the FT.
The NCC research director showed how to make a copy of his own fingerprint using wood glue, candle wax and a printed circuit board, which allowed your correspondent to hack into his smartphone.
He also tricked voice-recognition software by playing back recordings of his own voice and produced a 3D-printed mask of his face based on photos of himself, which was then worn to hack into his phone.
While you cannot forget your voice or face, which makes them a simpler way to check your identity, they are also much harder to change than your password if they are ever stolen by cybercriminals. This means that if biometric authentication becomes the dominant form of authentication, a hack of these systems is likely to be much more damaging.
As more financial service providers launch new biometric authentication schemes — such as MasterCard’s “selfie pay” service that lets people make mobile payments by photographing themselves, Wells Fargo’s eye vein scanning system, or HSBC’s Voice ID — experts say security will become a more pressing issue.
“Biometrics aren’t the same as passwords — they aren’t secret,” says Mr Lewis, a former technology specialist at GCHQ, the government’s electronic intelligence agency. “You need other elements to ensure fraud is prevented. If a database of fingerprints is hacked into, that could compound the problem.”