Brits: Can banks do biometric security? We'd trust them before the government

Brits have more faith in their banks than government agencies to roll out authentication technologies based on biometrics, according to a new survey from Visa. Consumers are nearly twice as likely to trust banks to store and keep their biometric information such as fingerprints and iris scans safe (60 per cent), than they are …

  1. Henny

    Trust a bank prescribed security system?

    So, the banks that have recently admitted that they have no way to cancel a stolen contactless card until it actually expires, now want us to trust them to implement a biometric security system?! Gee, why not? What could possibly go wrong?!? :-/

    I look forward to watching criminals using stolen cards using a jellybaby to provide the fingerprint! ;-)

    1. Dan 55 Silver badge

      Re: Trust a bank prescribed security system?

      Well if your bank won't give you a normal card you can cut 1cm into the card opposite the chip end to disable contactless. I wouldn't like to try that for my finger.

  2. frank ly

    Am I too cynical?

    "... according to a new survey from Visa."

    “Visa is already supporting a number of institutions in the development of emerging forms of authentication,”

    Are there any independent surveys? I wonder what government surveys have to say.

    1. wolfetone Silver badge
      Paris Hilton

      Re: Am I too cynical?

      What would a company like Visa have to gain from promoting the idea that banks are more trustworthy with biometric data than our own Governments?

    2. Nick Ryan Silver badge

      Re: Am I too cynical?

      This is the same Visa that has the total waste of time and annoying "Verified by Visa" "security" program? Quite apart from the lack of real security where the entire password is stored in plain text somewhere (otherwise asking for character 1, 2 and 3 of the password wouldn't be possible) for one of my accounts I don't think I've ever entered the password this way as it's far quicker and easier to just reset the password. This password change doesn't require any more information than an even moderate information scrape would require beyond the card details which an attacker would require at this point anyway. Then, of course, for "security" (I've yet to figure this one out) where they try to insist that adding alternative, but insecure, credentials to an account such as "mother's maiden name", "place of birth" or "first pet's name" actually adds to security rather than reducing it significantly.

      1. druck Silver badge

        Re: Am I too cynical?

        Nick Ryan wrote:

        This is the same Visa that has the total waste of time and annoying "Verified by Visa" "security" program? Quite apart from the lack of real security where the entire password is stored in plain text somewhere (otherwise asking for character 1, 2 and 3 of the password wouldn't be possible)

        I've never seen Verified By Visa ask for anything other than the full password, whereas several of my banks do ask for single characters.

        What Verified By Visa would do is silently ignore anything after the 10th character when setting up the password, but then fail verification if more than 10 characters were entered. I didn't realise this was why my 12 character passwords were failing, so I used to just do a password reset every time too.
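The mismatch druck describes, reproduced as an added sketch (not part of the thread and not Verified by Visa code): enrolment truncates silently while verification hashes the full input. The class names, the PBKDF2 choice and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 10  # the limit reported in the comment above


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real service used (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TruncatingStore:
    """Reported behaviour: enrolment truncates silently, verification does not."""

    def enrol(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.stored = _derive(password[:MAX_LEN], self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.stored, _derive(password, self.salt))


class ConsistentStore(TruncatingStore):
    """Same limit, but over-long input is refused up front, so the user
    learns about it at enrolment instead of at the next login."""

    def enrol(self, password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError(f"password longer than {MAX_LEN} characters")
        super().enrol(password)


def demo() -> dict:
    long_pw = "tr0ub4dor&3x"  # constructed 12-character password
    buggy = TruncatingStore()
    buggy.enrol(long_pw)
    result = {
        "full_password_accepted": buggy.verify(long_pw),
        "first_ten_accepted": buggy.verify(long_pw[:MAX_LEN]),
    }
    try:
        ConsistentStore().enrol(long_pw)
        result["overlong_refused_at_enrolment"] = False
    except ValueError:
        result["overlong_refused_at_enrolment"] = True
    return result
```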

  3. Unep Eurobats
    Big Brother

    “Unlike passwords, physical biometrics can’t be changed"

    But you can easily change your bank if you don't like their authentication protocol, or what they're doing with your biometrics. Your government, not so much. And even then it's the same bureaucratic machinery that's got your fingerprints ... forever.

    1. PJ H

      Re: “Unlike passwords, physical biometrics can’t be changed"

      It's another one of those "using biometrics as authentication instead of identification" situations.

      And they keep doing it. Why do they think using something that a 3rd party can trivially observe/see/copy as a proxy for a password is ever a good idea?

      FTA:

      > according to a new survey from Visa

      Clearly it will have been impartial and not a single leading question in sight.

      > Nearly two-thirds of consumers (64 per cent) want to use biometrics as a method of payment authentication.

      Then nearly two-thirds of consumers are ignorant and/or stupid, or the wrong question was asked, or the wrong answer assumed.

      > Consumers favour fingerprint authentication (88 per cent) as the most secure form of payment

      Sorry, make that nearly 9 in 10 consumers (that were questioned.)

    2. Halfmad

      Re: “Unlike passwords, physical biometrics can’t be changed"

      That's fine, except banks are highly interconnected, trust one, trust all in some cases especially when it comes to your personal data. Yeah they'll keep the numbers safe but expect your data to be handled by intermediate companies for transactions etc.

      The banking system is a muddle, it's no better than government.

    3. Ken Hagan Gold badge

      Re: “Unlike passwords, physical biometrics can’t be changed"

      I thought one of the problems with fingerprints was that they *can* be changed, all too easily, to the detriment of anyone using a (crap) system that assumes they can't.

  4. adnim

    I wouldn't expect

    the banks would cross check a fingerprint against a crime database.

    I expect the government would encourage the police to do that.

    1. WibbleMe

      Re: I wouldn't expect

      The one thing crims don't do is use bank accounts that's already the norm

      1. BebopWeBop

        Re: I wouldn't expect

        Not all of them - for example http://www.itv.com/news/westcountry/2016-09-16/drug-dealer-charged-after-taking-12-000-on-chip-and-pin-device/

        If you can disguise it as a legit business it is easier to deal with than cash

      2. Pascal Monett Silver badge

        @ WibbleMe

        I suspect you've never heard the term "money mule", nor ever gotten spam offering an easy, stay-at-home job that will make you thousands per week ?

        And you certainly missed this article as well.

    2. druck Silver badge
      Stop

      Re: I wouldn't expect

      The banks will claim that cross referencing against the police database isn't possible as they only store a hash of the fingerprint, and not the full data*. However, there is nothing to stop the police taking their full fingerprint record from the database and performing the same hashing operation on it, then matching against the banks' hashes.

      * The company implementing fingerprint verification to replace library cards and meal payments at my wife's school also tried to peddle nonsense, so it's pretty widespread in the industry.

  5. Chris G

    Propaganda

    The problem with propaganda is that whichever way people tend to lean there is something to support their inclination. Look at the Stayers and Leavers in the Brexit vote, whichever way anyone voted, the majority were basing their votes on populist propaganda.

    Anyone who trusts a bank and has a memory is clearly in need of a grey matter transfusion but the banks are keen on rolling out biometrics 'cos it's easier for them' so they are funding PR to support the case.

    The banks own the money you put in them, not you, the banks in the event of another crash decide how many pennies in the pound you get after they have been bailed out and the banks are not cuddly wuddly friends who are interested in your security, they are only interested in their own.

    When it all goes horribly wrong, they will be saying 'But we had to give the public what they want and they wanted biometrics', and that after they have foisted it on everybody (except me and a few others who are awake).

    I am waiting for the rollout for DNA authentification, that's when everybody will have to be dressed in hazmat suits to keep all their stray samples in to avoid anybody obtaining their ID, if CSI is to be believed a cigarette end is enough to give away your DNA to the baddies.

  6. ritey

    Technology vs. Politics AKA Science vs. Religion

  7. Number6

    Setting a Low Bar

    Saying you trust someone more than you trust government (unless it's the ability to screw up bigtime) doesn't really say much because the bar is set very low.

    1. chivo243 Silver badge

      Re: Setting a Low Bar

      @Number6

      +1

      I was going to say I'd trust neither, but you've put it nicely!

  8. Nick Kew
    Pirate

    A rational explanation ...

    Surveys rarely ask exactly the question their published results suggest. Even if they do, there's likely to be a subtext.

    A very plausible explanation of this survey result is that the measured difference actually represents fear of abuse by an organisation. That is, not incompetence, but malice. A bank might spam you with unwanted crap, but isn't going to send the spooks or the taxman to blight your life. And if the banks mess up, you probably stand a better chance getting redress than if government thinks you've been visiting the wrong websites.

    1. Doctor Syntax Silver badge

      Re: A rational explanation ...

      "A bank might spam you with unwanted crap"

      Unfortunately the banks' spam resembles phishing spam quite closely. They're training their customers to be robbed. The disconnect between their marketing and any staff with an inkling about security makes it difficult to trust any scheme the former come up with.

  9. fruitoftheloon
    WTF?

    My f'ing derriere...

    'Verified by Visa', 'nuff said.

    As to me EVER supplying any institution with my biometrics info without a court order in close proximity, no chance matey!

    Slow news day much???

    Jay

  10. Kevin Johnston

    It's all in the people you ask

    "Nearly two-thirds of consumers (64 per cent) want to use biometrics as a method of payment authentication"

    Like most surveys (and as mentioned above) this is simply 2/3s of those questioned but they will have no qualms in scaling it up to whatever volumes required to justify some PHB's latest unicorn tears moment. Until they actually put real numbers at the forefront of these quotes they should be ignored. How do we know they didn't just ask the first 100 people who bought a copy of the Daily Mail from Walford Mini-Mart and 36 got the answer wrong?

  11. Ian Ringrose

    I would like biometrics to be used whenever someone opens a new account, or gets a new credit card, so as to make it very hard for one person to have accounts in more than one name. Accounts that you can’t trace back to a person are used as part of most banking theft.

    Biometrics is hard to use for ATMs or internet banking as a copy of someone’s finger could be used, but would be great if I lost my cards and passwords etc but needed to prove to a bank who I was to get emergency cash out.

    1. Nick Ryan Silver badge

      This is an example of a good use of biometric identification. Duplicate matches will happen but because it's a controlled environment and a relatively rare process these can be dealt with.

      Compared to using biometrics for authentication, which is daft because it's something that happens regularly and away from controlled environments. As a result the errors that occur generally need to either err on the side of success, which naturally introduces security problems; the alternative is erring on the side of failure, which will piss people off and they will try and avoid the use of the technology.

  12. Richard Jones 1
    WTF?

    Banks + Security

    Next we will hear that foxes make good chicken herders.

    They are the people who, served with court orders, believe that the instructions do not apply to them.

    Or based on no evidence at all will black list people from ever having an account.

    Yet with no fanfare at all will allow criminals to open accounts to syphon off other people's cash.

    However expect those who cannot travel to come into a branch 30 miles away to be up-sold crap, sorry verify their identity.

    Yes we all trust banks...

    ...to screw up like the rest of the mindless, thoughtless, computer button pushers.

  13. Gomez Adams

    Tell me the banks are not storing the biometric data in plain or even encoded as that is extremely bad practice. They should be storing the result of hashing the data with a secure key stored only locally on the device.

  14. inmypjs Silver badge

    Safe

    "Consumers are nearly twice as likely to trust banks to store and keep their biometric information such as fingerprints and iris scans safe"

    I expect that mostly due to different concepts of safe,

    Bank safe means only the bank uses it. Government safe means everyone from GCHQ to the local lending library gets to use it.

    1. Anonymous Coward

      Re: Safe

      Biometrics don't lend themselves well to hashing because they don't 100% match the reference data. You have to put it through a matching algorithm that determines how close the two are. And since hashes of two values that differ by a single bit are as different as ones that differ in all their bits, the hashes can't really be used for comparison.

      But most feature biometrics like fingerprints don't rely on images. They extract features from the print and store only those (a template). If someone steals the template then they don't have your fingerprint, just a way of assembling a print that is very different from yours but happens to have some features in common. It's like taking an overlay of a city map and tracing all the roundabouts. You can use it to verify that the map (finger) matches the overlay (template), but you can't redraw the city map accurately from the overlay. There's too much data missing.
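The point made in the comment above, shown as an added example that is not part of the thread: two captures of the same finger hash to unrelated digests, while a tolerance-based matcher still accepts them. The minutiae templates, tolerances and threshold are constructed values, not real data or any vendor's algorithm.

```python
import hashlib
import math

# Constructed minutiae templates: (x, y, ridge angle in degrees). Not real data.
ENROLLED = [(12, 40, 30), (55, 18, 110), (70, 64, 200),
            (33, 81, 275), (90, 25, 15), (48, 52, 160)]
# Same finger, second capture: small sensor jitter and one minutia missed.
SAME_FINGER = [(13, 41, 32), (54, 18, 108), (71, 63, 203),
               (33, 80, 277), (47, 53, 158)]
# A different finger.
OTHER_FINGER = [(20, 10, 300), (60, 70, 45), (5, 50, 190),
                (82, 88, 120), (40, 30, 250), (75, 40, 80)]


def digest(template):
    """SHA-256 over a canonical (sorted) serialisation of the template."""
    data = ";".join(f"{x},{y},{a}" for x, y, a in sorted(template))
    return hashlib.sha256(data.encode()).digest()


def differing_bits(d1, d2):
    """Count of differing bits between two 256-bit digests."""
    return sum(bin(a ^ b).count("1") for a, b in zip(d1, d2))


def match_score(reference, probe, dist_tol=3.0, angle_tol=10):
    """Fraction of reference minutiae that have an unused probe minutia
    within the distance and angle tolerances (greedy pairing)."""
    used, hits = set(), 0
    for rx, ry, ra in reference:
        for i, (px, py, pa) in enumerate(probe):
            turn = abs(ra - pa) % 360
            turn = min(turn, 360 - turn)
            close = math.hypot(rx - px, ry - py) <= dist_tol
            if i not in used and close and turn <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(reference)


def accepts(reference, probe, threshold=0.7):
    """Accept/reject decision a matcher makes; the threshold is an assumption."""
    return match_score(reference, probe) >= threshold


if __name__ == "__main__":
    print(differing_bits(digest(ENROLLED), digest(SAME_FINGER)), "of 256 bits differ")
    print(match_score(ENROLLED, SAME_FINGER), match_score(ENROLLED, OTHER_FINGER))
```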

  15. Steve Davies 3 Silver badge

    Most banks are crap at this

    I was looking at this site only yesterday.

    http://www.knowyourmobile.com/mobile-phones/apple-iphone-6/22699/uks-best-and-worst-banking-apps-iphone-2016

    RBS/NatWest comes out top simply because they have implemented Apple TouchId very well.

    There are some good apps but they don't implement biometric/fingerprinting.

    The worst? HBOS.

    Entering all sorts of codes and passwords and pass phrases on a smartphone is a faff of the biggest order.

    I don't know about really how secure AndroidPay is but by all reports the Apple implementation is very secure.

  16. John Smith 19 Gold badge
    Unhappy

    Banks more trusted than governments. Not much of a choice really.

    Like choosing a babysitter (since they will be babysitting your very personal data) from a choice of a convicted rapist or an RSO.

    I think the real preferred answer (by anyone with half a brain) is "None of the above."

  17. Anonymous Coward

    My plan

    is to be the last weirdo using that old tech physical currency stuff. They'll get my biometrics over my cold, dead body.

    (some years later...)

    Oh wait, some crims have thought of that - 'ere, come back with my fingers, yer grave-robbing wossnames!

  18. Aodhhan

    Of course 2/3rds say this...

    Most of the public is ignorant to the pitfalls of using biometrics. They see Hollywood movies depicting the US government using biometrics to access the most secure places (which of course, isn't the case), so they believe this is the way to go.

    Once Hollywood comes out with a movie showing how hackers can take advantage of biometrics, then perhaps things will change. :)

  19. Jin

    Widespread Misinformation on Biometrics

    It’s really worrying that so many people are so tragically misinformed. The authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biometrics makes a backdoor to password-protected information.

    https://youtu.be/5e2oHZccMe4
