back to article Brits: Can banks do biometric security? We'd trust them before the government

Brits have more faith in their banks than government agencies to roll out authentication technologies based on biometrics, according to a new survey from Visa. Consumers are nearly twice as likely to trust banks to store and keep their biometric information such as fingerprints and iris scans safe (60 per cent), than they are …

  1. Henny

    Trust a bank prescribed security system?

    So, the banks that have recently admitted that they have no way to cancel a stolen contactless card until it actually expires, now want us to trust them to implement a biometric security system?! Gee, why not? What could possibly go wrong?!? :-/

    I look forward to watching criminals using stolen cards using a jellybaby to provide the fingerprint! ;-)

    1. Dan 55 Silver badge

      Re: Trust a bank prescribed security system?

      Well if your bank won't give you a normal card you can cut 1cm into the card opposite the chip end to disable contactless. I wouldn't like to try that for my finger.

  2. frank ly

    Am I too cynical?

    "... according to a new survey from Visa."

    “Visa is already supporting a number of institutions in the development of emerging forms of authentication,”

    Are there any independent surveys? I wonder what governent surveys have to say.

    1. wolfetone Silver badge
      Paris Hilton

      Re: Am I too cynical?

      What would a company like Visa have to gain from promoting the idea that banks are more trustworthy with biometric data than our own Governments?

    2. Nick Ryan Silver badge

      Re: Am I too cynical?

      This is the same Visa that has the totally waste of time and annoying "Verified by Visa" "security" program? Quite apart from the lack of real security where the entire password is stored in plain text somewhere (otherwise asking for character 1, 2 and 3 of the password wouldn't be possible) for one of my accounts I don't think I've ever entered the password this way as it's far quicker and easier to just reset the password. This password change doesn't require any more information than an even moderate information scrape would require beyond the card details which an attacker would require at this point anyway. Then, of course, for "security" (I've yet to figure this one out) where they try to insist that adding alternative, but insecure, credentials to an account such as "mothers maiden name", "place of birth" or "first pet's name" actually adds to security rather than reducing it significantly.

      1. druck Silver badge

        Re: Am I too cynical?

        Nick Ryan wrote:

        This is the same Visa that has the totally waste of time and annoying "Verified by Visa" "security" program? Quite apart from the lack of real security where the entire password is stored in plain text somewhere (otherwise asking for character 1, 2 and 3 of the password wouldn't be possible)

        I've never seen Verified By Visa ask for anything other than the full password, where as several of my bank do ask for single characters

        What Verified By Visa would do is silently ignore anything after the 10th character when setting up the password, but then fail verification if more than 10 characters were entered. I didn't realise this was why my 12 character passwords were failing, so I used to just do a password reset every time too.

  3. Unep Eurobats
    Big Brother

    “Unlike passwords, physical biometrics can’t be changed"

    But you can easily change your bank if you don't like their authentication protocol, or what they're doing with your biometrics. Your government, not so much. And even then it's the same bureaucratic machinery that's got your fingerprints ... forever.

    1. PJ H

      Re: “Unlike passwords, physical biometrics can’t be changed"

      It's another one of those "using biometrics as authentication instead of identification" situations.

      And they keep doing it. Why do they think using something that a 3rd party can trivially observe/see/copy as a proxy for a password is ever a good idea?


      > according to a new survey from Visa

      Clearly it will have been impartial and not a single leading question in sight.

      > Nearly two-thirds of consumers (64 per cent) want to use biometrics as a method of payment authentication.

      Then nearly two-thirds of consumers are ignorant and/or stupid, or the wrong question was asked, or the wrong answer assumed.

      > Consumers favour fingerprint authentication (88 per cent) as the most secure form of payment

      Sorry, make that nearly 9 in 10 consumers (that were questioned.)

    2. Halfmad

      Re: “Unlike passwords, physical biometrics can’t be changed"

      That's fine, except banks are highly inter connected, trust one, trust all in some cases especially when it comes to your personal data. Yeah they'll keep the numbers safe but expect your data to be handled by intermediate companies for transactions etc.

      The banking system is a muddle, it's no better than government.

    3. Ken Hagan Gold badge

      Re: “Unlike passwords, physical biometrics can’t be changed"

      I thought one of the problems with fingerprints was that they *can* be changed, all too easily, to the detriment of anyone using a (crap) system that assumes they can't.

  4. adnim

    I wouldn't expect

    the banks would cross check a fingerprint against a crime database.

    I expect the government would encourage the police to do that.

    1. WibbleMe

      Re: I wouldn't expect

      The one thing crims don't do is use bank accounts that's already the norm

      1. BebopWeBop

        Re: I wouldn't expect

        Not all of them - for example

        If you can disguise it as a legit business it is easier to deal with than cash

      2. Pascal Monett Silver badge

        @ WibbleMe

        I suspect you've never heard the term "money mule", nor ever gotten spam offering an easy, stay-at-home job that will make you thousands per week ?

        And you certainly missed this article as well.

    2. druck Silver badge

      Re: I wouldn't expect

      The banks will claim that cross referencing against the police database isn't possible as they only store a hash of the fingerprint, and not the full data*. However, there is nothing to stop the police taking their full fingerprint record from the database and performing the same hashing operation on it, then matching against the banks hashes.

      * The company implementing fingerprint verification for to replace library cards and meal payments at my wife's school also tried to peddle nonsense, so it's pretty widespread in the industry.

  5. Chris G


    The problem with propaganda is that whichever way people tend to lean there is something to support their inclination. Look at the the Stayers and Leavers in the Brexit vote, whichever way anyone voted, the majority were basing their votes on populist propaganda.

    Anyone who trusts a bank and has a memory is clearly in need of a grey matter transfusion but the banks are keen on rolling out biometrics 'cos it's easier for them' so they are funding PR to support the case.

    The banks own the money you put in them, not you, the banks in the event of another crash decide how many pennies in the pound you get after they have been bailed out and the banks are not cuddly wuddly friends who are interesed in your security, they are only interested in their own.

    When it all goes horribly wrong, they will be saying 'But we had to give the public what they want and they wanted biometrics', and that after they have foisted it on everybody ( except me and a few otherswho are awake).

    I am waiting for the rollout for DNA authentification, that's when everybody will have to be dressed in hazmat suits to keep all their stray samples in to avoid any body obtaining their ID, if CSI is to be believed a cigarette end is enough to give away your DNA to the baddies.

  6. ritey

    Technology vs.Politics AKA Science vs. Religion

  7. Number6

    Setting a Low Bar

    Saying you trust someone more than you trust government (unless it's the ability to screw up bigtime) doesn't really say much because the bar is set very low.

    1. chivo243 Silver badge

      Re: Setting a Low Bar



      I was going to say I'd trust neither, but you've put it nicely!

  8. Nick Kew

    A rational explanation ...

    Surveys rarely ask exactly the question their published results suggest. Even if they do, there's likely to be a subtext.

    A very plausible explanation of this survey result is that the measured difference actually represents fear of abuse by an organisation. That is, not incompetence, but malice. A bank might spam you with unwanted crap, but isn't going to send the spooks or the taxman to blight your life. And if the banks mess up, you probably stand a better chance getting redress than if government thinks you've been visiting the wrong websites.

    1. Doctor Syntax Silver badge

      Re: A rational explanation ...

      "A bank might spam you with unwanted crap"

      Unfortunately the banks' spam resembles phishing spam quite closely. They're training their customers to be robbed. The disconnect between their marketing and any staff with an inkling about security makes it difficult trust any scaheme the former come up with.

  9. fruitoftheloon

    My f'ing derriere...

    'Verified by Visa', 'nuff said.

    As to me EVER supplying any insitution with my biometrics info without a court order in close proximity, no chance matey!

    Slow news day much???


  10. Kevin Johnston

    It's all in the people you ask

    "Nearly two-thirds of consumers (64 per cent) want to use biometrics as a method of payment authentication"

    Like most surveys (and as mentioned above) this is simply 2/3s of those questioned but they will have no qualms in scaling it up to whatever volumes required to justify some PHB's latest unicorn tears moment. Until they actually put real numbers at the forefront of these quotes they should be ignored. How do we know they didn't just ask the first 100 people who bought a copy of the Daily Mail from Walford Mini-Mart and 36 got the answer wrong?

  11. Ian Ringrose

    I would like biometrics to be used whenever someone opens a new account, or gets a new credit card, so as to make it very hard for one person to have accounts in more than one name. Accounts that you can’t trace back to a person are used as part of most banking theft.

    Biometrics is hard to use for ATMs or internet banking as a copy of someone’s finger could be used, but would be great if I lost my cards and passwords etc but needed to prove to a bank who I was to get emergency cash out.

    1. Nick Ryan Silver badge

      This is an example of a good use of biometric identification. Duplicate matches will happen but because it's a controlled environment and a relatively rare process these can be dealt with.

      Compared to using biometrics for authentication, which is daft because it's something that happens regularly and away from controlled environments. As a result the errors that occur generally need to either err on the side of success which naturally introduces security problems the alternative is erring on the side of failure which will piss people off and they will try and avoid the use of the technology.

  12. Richard Jones 1

    Banks + Security

    Next we will hear that foxes make good chicken herders.

    They are the people who served with court orders believe that the instructions do not apply to them.

    Or based on no evidence at all will black list people from ever having an account.

    Yet with no fanfare at all will allow criminals to open accounts to syphon off other people's cash.

    However expect those who cannot travel to come into a branch 30 miles away to be up-sold crap, sorry verify their identity.

    Yes we all trust banks... screw up like the rest of the mindless, thoughtless, computer button pushers.

  13. Gomez Adams

    Tell me the banks are not storing the biometric data in plain or even encoded as that is extremely bad practise. They should be storing the result of hashing the data with a secure key stored only locally on the device.

  14. inmypjs Silver badge


    "Consumers are nearly twice as likely to trust banks to store and keep their biometric information such as fingerprints and iris scans safe"

    I expect that mostly due to different concepts of safe,

    Bank safe means only the the bank uses it. Government safe means everyone from GCHQ to the local lending library gets to use it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Safe

      Biometrics don't lend themselves well to hashing because they don't 100% match the reference data. You have to put it through a matching algorithm that determines how close the two are. And since hashes of two values that differ by a single bit are as different as ones that differ in all their bits, the hashes can't really be used for comparison.

      But most feature biometrics like fingerprints don't rely on images. They extract features from the print and store only those (a template). If someone steals the template then they don't have your fingerprint, just a way of assembling a print that is very different from yours but happens to have some features in common. It's like taking an overlay of a city map and tracing all the roundabouts. You can use it to verify that the map (finger) matches the overlay (template), but you can't redraw the city map accurately from the overlay. There's too much data missing.

  15. Steve Davies 3 Silver badge

    Most banks are crap at this

    I was looking at this site only yesterday.

    RBS/NatWest comes out top simply because they have implemented Apple TouchId very well.

    There are some good apps but don't implement biometric/fingerprinting.

    The worst? HBOS.

    Entering all sorts of codes and passwords and pass phrases on smartphone is a faff of the biggest order.

    I don't know about really how secure AndroidPay is but by all reports the Apple implementation is very secure.

  16. John Smith 19 Gold badge

    Banks more trusted than governments. Not much of a choice really.

    Like choosing a babysitter (since they will be babysitting your very personal data) from a choice of a convicted rapist or an RSO.

    I think the real preferred answer (by anyone with half a brain) is "None of the above."

  17. Anonymous Coward
    Anonymous Coward

    My plan

    is to be the last weirdo using that old tech physical currency stuff. They'll get my biometrics over my cold, dead body.

    (some years later...)

    Oh wait, some crims have thought of that - 'ere, come back with my fingers, yer grave-robbing wossnames!

  18. Aodhhan

    Of course 2/3rds say this...

    Most of the public is ignorant to the pitfalls of using biometrics. They see Hollywood movies depicting the US government using biometrics to access the most secure places (which of course, isn't the case), so they believe this is the way to go.

    Once Hollywood comes out with a movie showing how hackers can take advantage of biometrics, then perhaps things will change. :)

  19. Jin

    Widespread Misinformation on Biometrics

    It’s really worrying that so many people are so tragically misinformed. The authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biomerics makes a backdoor to password-protected information.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon