Biometric technologies hold huge potential for the retail banking industry. By allowing consumers to verify their identity with a fingerprint scan or a spoken word, biometrics could eliminate the need for passwords and unique user IDs – removing one of the weakest links in the security chain.
However, it’s important that financial institutions (FIs) are also aware of the risks associated with biometrics. Like any emerging technology, this form of user authentication will attract the attention of criminals looking for ways to subvert it.
Growth in biometrics
Biometric forms of user authentication – which include everything from fingerprint and iris scanning to voice recognition and behavioral analysis – have been growing in prevalence since the turn of the 21st century.
In recent years, the banking industry has witnessed a particularly notable increase in adoption of these technologies. The UK-based banks TSB and Barclays have recently enabled mobile iris scanning and voice payments via Siri, for example.
Looking ahead, we can expect this growth trend to accelerate, with consumers and FIs alike welcoming the enhanced convenience and security offered by biometrics.
According to a recent report published by Research and Markets, the global biometrics-as-a-service market – which offers capabilities such as biometric onboarding and authentication via the internet – will grow in value from US$838 million in 2017 to nearly US$3 billion by 2022.
As exciting and beneficial as these innovations might be, it’s the job of the FI to think about the potential flaws and weak points in biometric systems that could be exploited by fraudsters.
What are the risks?
First, your business needs to recognize that, however watertight new methods of biometric authentication might seem when they are first developed and implemented, fraudsters will always find weaknesses in the system.
In a webinar titled ‘Whose Biometric is it Anyway’, Al Pascual, research director and head of fraud and security at Javelin Strategy and Research, pointed out that it didn’t take long for criminals to get very good at undermining the username and password protections developed for online banking.
“Criminals are very much focused on the security tools or capabilities we’re leveraging to protect accounts,” he said. “They are getting smarter and they are getting faster, and if you think they are not going to do that to biometrics, you are absolutely dead wrong.”
When it comes to making sure that biometrics are doing their job in maximizing security – not just consumer convenience – one issue that FIs must pay attention to is the security of their initial biometric enrollment.
If biometric enrollment is only protected by a username and password, it is possible that criminals could break through that initial barrier in order to enroll their own biometric data and carry out fraudulent transactions. It’s therefore vital to have additional layers of protection and user authentication in place before biometric enrollment can occur. These might involve the use of one-time passcodes or knowledge-based authentication.
Another threat is so-called familiar fraud – when someone who is known to the customer registers their biometric data on a device such as the customer’s mobile phone. Again, it’s crucial for the bank to confirm the identity of the individual who is submitting the information.
Mr Pascual said familiar fraud is a danger the industry needs to be aware of. It is a relatively low risk at the moment, but past trends have suggested that familiar fraud becomes more common when the economy takes a downward turn.
Then there is the ever-growing threat of cyberattacks. Wherever the biometric data is stored, FIs must invest in the most effective protections against hackers who want to access and compromise it.
With the proper safeguards and processes in place, the industry can ensure that the growth of biometrics delivers major benefits for banks and consumers, while making life much more difficult for criminals.