back to article Banks defend integrity of passcode-less TouchID login

Royal Bank of Scotland and NatWest have played down claims by a security researcher that their new Touch ID banking login feature might be circumvented, arguing the hack would only be possible with jail-broken iPhones — the use of which is not recommended. Last month, RBS and NatWest became the first UK-based banks to offer …

  1. Tim Brown 1
    Facepalm

    Your phone and your thumb!

    In other news, Apple's TouchID leads to a rash of muggings where the muggers steal your phone AND cut your thumb off...

    1. Calleb III

      Re: Your phone and your thumb!

      Then what?

      Hope the victim is using RBS/Natwest

      And using the mobile app

      And opted to use TouchID instead of the password.

      And for what £100ish that can be send/withdrawed without having the payee in the per-approved list

      Pretty far fetched don't you think?

      1. This post has been deleted by its author

    2. Irongut Silver badge

      Re: Your phone and your thumb!

      Or a raft of sweet shop thefts linked to muggings where the perps steal your iPhone and a bag of Gummie Bears.

    3. chris 17 Silver badge

      Re: Your phone and your thumb!

      @ Tim Brown 1

      How very dramatic! the first of many to come. There are probably limits on how much money can be moved by the app and even if the phone and thumb where stolen the phone could be remotely bricked. I can't see this resulting in a spike of muggings involving amputation on the off chance the owner has installed and setup mobile banking by one of these banks that uses TouchID, the risk is not worth the reward (easy to trace the destination of the money increases the chances of being caught). Hundreds of millions of iPhones and a few hundred thousand app downloads.

  2. Calleb III

    I'm not surprised RBS/Natwest have security gaps in their new phone app.

    I'm surprised they still have customers giving the pletoria of major IT bungles in the last couple of years.

    1. SuccessCase

      Often written I know, but my bank First Direct, started phoning me and then asking ME to provide my security id details to them - an anonymous person calling out of the blue - to prove who I am !!!

      Whenever they have done this I ask - are you seriously asking customer to divulge security details to an anonymous caller? Adding "Really ?" At this point to compound the stupidity, they display a complete lack of understanding as to how authentication works, by suggested a number I can phone them back on !!!

      Of course I could do a search to check the number belonged to them, but most customers won't be doing that.

      I notice they no longer do this, but still, the fact a bank adopted this policy in the first place is beyond belief.

      1. Trigonoceps occipitalis Silver badge

        "by suggested a number I can phone them back on !!!

        Of course I could do a search to check the number belonged to them, but most customers won't be doing that."

        Do not forget the quirk of the land line telephone, the caller can keep the line up after the called phone replaces the hand set. Simple to feed a fake dial tone and get a new voice on the line to continue the scam when the victim rings the new (and researched) number.

  3. Anonymous Coward
    Anonymous Coward

    On past form...

    "We do everything we can to make banking secure for liablity easier to pass on to our customers"

    Natwest has already pulled one app ("Get Cash" in 2012) for security failings, so I'll take a liberal dose of salt with their claims.

  4. jai

    in other news - jailbreaking is still a thing?

  5. Mage Silver badge
    Devil

    I'd change

    if the hassle was less and the others much better.

    The devil you know ...

    What's to stop someone figuring out how to use these probably badly written apps on a phone the real user has never even seen?

  6. Will Godfrey Silver badge
    FAIL

    Wunch (you know the rest)

    I like the bit about calling the bank if your phone is lost or stolen...

    Ummm. how?

    1. Def Silver badge
      Facepalm

      Re: Wunch (you know the rest)

      I think the only person who could legitimately ask this question was Bell, but he'd never have to because banks didn't have phones in those days.

      Fortunately these days, other phones exist and can be used for the purpose.

      1. Will Godfrey Silver badge

        Re: Wunch (you know the rest)

        Have you seen the tailspin most people go into when they realise they've lost their phone?

        Quite typically they'll be in a supermarket and decide to ring home to check on what's needed. In their agitated state, are they then going to tap up a complete stranger and ask to use their phone to ring the bank? Then, I guess they'll need to find someone with the same bank 'cos guess where they stored the number (along with all sorts of things that really should not be on such an insecure item).

        When most people's idea of a 'mobile' phone was the one in the big red box on the street corner nobody was particularly dependent on them, but now many can't function rationally at all without them.

  7. djack

    Ahh.. the Lemming defense..

    "Other banking institutions across the world are also using this technology with their customers."

    I've heard similar things to this from software vendors on multiple occasions.. often just before I demonstrate a whopper of asecurity flaw.

  8. This post has been deleted by its author

    1. Velv
      Gimp

      There's a limit to how much you can pay in one transaction to an unverified contact (i.e. Someone you've not set up to pay through other channels)

      There's a limit to how many unverified payments you can make in one day.

      There's a limit to how much you can transfer in one day.

      If someone takes you to a hotel and renders you unconscious I think you've got more important "assets" they're going to be after.

      1. Mark 85 Silver badge

        If someone takes you to a hotel and renders you unconscious I think you've got more important "assets" they're going to be after.

        Ah.. the variation of "Hit me, kick me, beat me. Make me write bad checks" perhaps?

    2. Steven Roper

      You don't have to render anyone unconscious or take them to hotel

      "I can imagine the situation in which a fraudster meets someone in a bar..."

      ... and says "Hi, didn't we meet at blahblah last year," buys them a drink, and gets their fingerprints off the glass. And then uses it not just for accessing bank accounts, but for identity theft in general, since more and more organisations are relying on biometrics like fingerprints these days.

      The problem then becomes obvious: biometrics can't be changed like stolen cards and tax file numbers. So once someone has your fingerprints, retina scans, voiceprint, whatever, and is using them to commit criminal acts, you're fucked for the rest of your life.

    3. Anonymous Coward
      Anonymous Coward

      "It's all very well sprouting on about the security..."

      Not aware that anyone has bean sprouting...

  9. Anonymous Coward
    Facepalm

    Sheep

    Ah yes, I see: "Other banking institutions across the world are also using this technology with their customers" so it must be OK. In 2000-2005 "other banking institutions across the world" were busily selling subprime mortgages. So that meant it obviously had to be just a fine thing to do, didn't it?

    Security by bandwagon.

  10. Jin

    The gate of a fallback password is open to criminals.

    For biometrics to displace the password for security, it must stop relying on a password registered in case of false rejection. Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.

    We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

    Biometric solutions could be recommended to the people who want convenience rather than security but should not be recommended to those who want security rather than convenience.

    1. Anonymous Coward
      Anonymous Coward

      Re: The gate of a fallback password is open to criminals.

      Presidential authority is confirmed for change of test procedure.

      Dummy warheads will be replaced by W80 thermonuclear device.

      Have a nice day.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022