Security by Sector: How Smartphone Biometric Risks Threaten the Banking Industry


The subject of how information security impacts different industry sectors is an intriguing one. For example, how does the finance industry fare in terms of information security compared to the health sector, or the entertainment business? Are there some sectors that face greater cyber-threats and risks than others? Do some do a better job of keeping data secure, and if so, how and why?

Smartphone fingerprint scanners have massively grown in use and popularity over the last few years. In fact, you’d be pretty hard-pressed to find a smartphone that does not have the functionality built in to scan your fingerprint as a means of identifying and authenticating user access.

This new tech has been introduced to help improve security for smart devices, especially given the fact that they are increasingly being used by the general public to manage and carry out sensitive processes, such as mobile banking. However, as is often the case when such tech innovations come along, it has also given rise to new security threats, with vulnerabilities that can be exploited by malicious hackers.

For example, at this year’s GeekPwn 2019 conference in Shanghai, researchers claimed they could unlock any smartphone fingerprint scanner in less than 30 minutes.

Apparently, the X-Lab researchers asked members of the audience at the event to touch a piece of glass, and then photographed the fingerprints left behind and passed them through an app that they had developed. The team did not reveal their precise methodology, but the app is thought to extract the data required to clone a fingerprint using a 3D printer, which can then be used to access a device.

Speaking on the research, Sarah Whipp, CMO and head of go-to-market strategy at authentication and identification company Callsign, highlighted the potentially dangerous impact such fingerprint/biometric vulnerabilities could have on the banking industry.

“The issue here is two-fold,” she explained. “The most obvious being that customers are at risk of having their accounts accessed without their knowledge, and that there should be additional layers of authentication on top of a fingerprint alone. The other issue is that it could cause a huge amount of friction for banking customers who could be forced to manually change their phone settings to boost security levels, which would be an inconvenience for them.

As mobile banking becomes increasingly prevalent and biometrics feature heavily in its security, there needs to be a way for customers to easily choose another method of authentication if something does go wrong, so they can carry on with their banking activities as normal with minimal impact, Whipp added.

“In addition, the banks themselves need to be able to turn on and off various means of authentication, in case any one of them is compromised – whether that be fingerprints, facial recognition etc. In these scenarios, they must also have the capability to add an additional layer of authentication to existing Account Takeover Protection services. That way they can begin to offer vastly improved levels of protection and ensure their customers’ digital identities remain safe.

“The best way of doing this is by setting up a policy manager, which allows banks to passively manage the security of any apps they offer. As biometrics become standard, fraudsters are becoming quick to adapt to these latest security measures. Therefore, it is also critical that banks go beyond hard and soft biometrics, as they aren’t a good enough security solution on their own and combine them with machine learning.”
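The points Whipp raises above (a fingerprint should never be sufficient on its own, the bank must be able to switch any single factor off when it is compromised, and the customer must still have another method to fall back on) can be captured in a small authentication policy. The following is an added illustration written for this article; it is not Callsign's product or any bank's code, and the factor names, the two-factor minimum and the risk-score step-up threshold are assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Authentication methods a banking app might offer (assumed set)."""
    FINGERPRINT = "fingerprint"
    FACE = "face"
    PIN = "pin"
    DEVICE_KEY = "device_key"   # possession factor: key bound to the enrolled phone
    OTP = "otp"                 # one-time code delivered out of band


# Hard biometrics: a cloned print or photo defeats these, so they never stand alone.
BIOMETRIC = {Factor.FINGERPRINT, Factor.FACE}


@dataclass
class AuthPolicy:
    """Bank-side policy manager: which factors are currently accepted and how many
    distinct ones a login must present. Constructed for this example."""
    enabled: set[Factor]
    min_factors: int = 2
    step_up_risk: float = 0.7   # assumed threshold from a risk/ML score in [0, 1]

    def disable(self, factor: Factor) -> None:
        """Kill switch for a compromised method (e.g. after a fingerprint bypass)."""
        self.enabled.discard(factor)

    def enable(self, factor: Factor) -> None:
        self.enabled.add(factor)

    def required(self, risk: float) -> int:
        # A high risk score demands one extra factor on top of the baseline.
        return self.min_factors + (1 if risk >= self.step_up_risk else 0)

    def evaluate(self, presented: set[Factor], risk: float = 0.0) -> tuple[bool, str]:
        """Decide whether a login attempt satisfies the policy.

        Returns (allowed, reason). Factors the bank has switched off are simply
        ignored, so a disabled fingerprint cannot contribute to the count.
        """
        accepted = presented & self.enabled
        if accepted and accepted <= BIOMETRIC:
            return False, "biometric-only: an additional non-biometric factor is required"
        needed = self.required(risk)
        if len(accepted) < needed:
            return False, f"insufficient factors: {len(accepted)} accepted, {needed} required"
        return True, "ok"

    def alternatives(self, presented: set[Factor]) -> set[Factor]:
        """Methods the customer can switch to without changing phone settings."""
        return self.enabled - presented


if __name__ == "__main__":
    policy = AuthPolicy(enabled=set(Factor))
    print(policy.evaluate({Factor.FINGERPRINT}))                     # rejected: biometric alone
    print(policy.evaluate({Factor.FINGERPRINT, Factor.DEVICE_KEY}))  # allowed
    policy.disable(Factor.FINGERPRINT)                               # fingerprint compromised
    print(policy.evaluate({Factor.FINGERPRINT, Factor.DEVICE_KEY}))  # rejected: only one factor left
    print(policy.alternatives({Factor.FINGERPRINT}))                 # what the customer can use instead
```

Because the policy lives on the bank's side, switching a factor off takes effect for every app install at once, and `alternatives()` gives the app a list to offer the customer so the session continues rather than forcing them into their phone's security settings.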
