Ah, how the mighty have fallen… Or not, as the case may be. Security researchers seem to love taking on biometrics, whether with gummy bears, handy photographs, or – in the most recent case – an evil twin. Well, evil is an overstatement, but in the most recent biometric bypass demonstration, BBC reporter Dan Simmons was able to have his non-identical twin brother successfully spoof his voice passphrase to access HSBC’s phone banking portal.
While somewhat alarming, there are still (at least) two pieces of good news. First, even with all the advantages associated with being related to the “victim,” it still took the twin eight attempts before the system accepted his voice. Second, while he was able to access HSBC’s phone banking, functionality for users logging in with voice biometrics is limited to hearing balances, recent transactions, and transferring between the user’s accounts at the bank.
Coincidentally, the infamous Chaos Computer Club reported today that they have successfully tricked Samsung’s Galaxy 8 iris scanner, using a photo of the user’s face (printed, ironically enough, on a Samsung laser printer) and an ordinary contact lens.
Is this bad news for biometrics? Not particularly. Biometrics are undoubtedly a powerful tool in a financial institution’s arsenal, but they are no silver bullet for fraud prevention, and financial institutions should immediately be wary when someone presents them as such. Of course, this also means that FIs should not suggest to their accountholders that biometrics are an impenetrable fraud-fighting barrier. Even with acknowledged weaknesses, biometrics are still much more reliable than many alternatives, especially when dealing with fraud committed by close family members.
Knowledge-based authentication (KBA), the primary alternative, is particularly vulnerable to perpetrators who know their target. Even when dealing with conventional fraud committed by outsiders, the growth of tools such as mobile malware is opening more cracks in KBA and showing the clear value proposition for biometric authentication.
It’s also worth keeping in mind that different methods of biometric authentication have different levels of risk. With on-device authentication, as the name implies, the user authenticates against a template securely stored on the device. The device then sends a certificate to the FI’s server to verify the authentication, often using a strong cryptographic protocol like FIDO. Biometric information is never transmitted beyond the device and templates are not stored in a central location, minimizing the risk of compromise. Moreover, in this scenario, the fraudster must both be able to impersonate the victim and gain access to their phone. To put this threat in perspective, a mere 1.6% of fraud victims in the past 12 months have had their mobile phone lost or stolen during the same time period.
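The on-device flow described above, as an added illustration rather than code from HSBC, FIDO or any vendor: the phone keeps the enrolled template and a device-bound private key, matches the live sample locally, and only on a match signs a fresh server challenge; the FI's server stores nothing but the registered public key. The biometric matcher is a stand-in (a Hamming-distance comparison of bit codes, the way iris codes are compared), and the template bytes, the 0.25 threshold and the account name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// MatchThreshold: largest fraction of differing bits still treated as the enrolled
// user. Constructed value for this example, not a real product setting.
const MatchThreshold = 0.25

// HammingFraction compares two equal-length bit codes and returns the fraction of
// bits that differ: 0 = identical, 1 = every bit flipped. Length mismatch = no match.
func HammingFraction(a, b []byte) float64 {
	if len(a) == 0 || len(a) != len(b) {
		return 1.0
	}
	diff := 0
	for i := range a {
		diff += bits.OnesCount8(a[i] ^ b[i])
	}
	return float64(diff) / float64(8*len(a))
}

// Device stands in for the customer's phone: template and private key never leave it.
type Device struct {
	template []byte
	key      *ecdsa.PrivateKey
}

func NewDevice(template []byte) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{template: template, key: key}, nil
}

// PublicKey is the only key material shared with the FI, at enrolment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.key.PublicKey }

// Authenticate matches the live sample against the local template and, only on a
// match, signs the server's challenge. Neither sample nor template is transmitted.
func (d *Device) Authenticate(sample, challenge []byte) ([]byte, error) {
	if HammingFraction(sample, d.template) > MatchThreshold {
		return nil, errors.New("local biometric match failed; nothing signed")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// Server stands in for the FI's back end: no biometric data at all, only each
// account's registered public key and the challenge it last issued.
type Server struct {
	registered map[string]*ecdsa.PublicKey
	pending    map[string][]byte
}

func NewServer() *Server {
	return &Server{registered: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the device public key for an account (enrolment step).
func (s *Server) Register(account string, pub *ecdsa.PublicKey) { s.registered[account] = pub }

// Challenge issues a fresh random nonce; a signature over it proves possession of
// the registered key now, so a recorded signature cannot be replayed later.
func (s *Server) Challenge(account string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[account] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding challenge and retires that
// challenge, so each one is usable at most once.
func (s *Server) Verify(account string, sig []byte) bool {
	pub, ok := s.registered[account]
	nonce, issued := s.pending[account]
	if !ok || !issued {
		return false
	}
	delete(s.pending, account)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	template := []byte{0xAA, 0x55, 0xF0, 0x0F} // constructed 32-bit "iris code"
	dev, _ := NewDevice(template)
	srv := NewServer()
	srv.Register("acct-1", dev.PublicKey())
	ch, _ := srv.Challenge("acct-1")
	sig, err := dev.Authenticate([]byte{0xAA, 0x55, 0xF0, 0x0E}, ch) // one bit differs
	fmt.Println("genuine accepted:", err == nil && srv.Verify("acct-1", sig))
	ch, _ = srv.Challenge("acct-1")
	_, err = dev.Authenticate([]byte{0x55, 0xAA, 0x0F, 0xF0}, ch) // every bit differs
	fmt.Println("spoof stopped on device:", err != nil)
}
```

Two properties fall out of the structure rather than the matcher: a leaked server database yields no template to replay, and a recorded signature is useless because each challenge is retired after one verification. The threshold is what the post's "sensitivity" refers to; tightening it trades fewer accepted impostors for more rejected genuine customers.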
On-device authentication is somewhat less risky than server-side biometric authentication, where the user’s information is transmitted to a central server that matches it against the template. While this does increase usability in the sense that it does not require the user to install anything on their device, it also makes things easier for fraudsters, since they can target it from any device, assuming they have a suitable duplicate of the victim’s voice, fingerprint, or face.
No matter what form of biometrics is used, institutions should still implement all the same best practices that apply to all forms of authentication. Three important ones are:
Layer up, whenever possible: Every authentication solution has its weaknesses, but overlapping layers of security can ensure that fraudsters don’t have an easy task ahead of them. For instance, in call centers, phone printing and similar tools can help provide assurance that the inbound call is from a device associated with the legitimate accountholder. This may not protect against familiar fraud, since the fraudster may be able to access the victim’s phone, but it does make successfully completing fraud a much more complex process.
Use systemic safeguards: Obviously, the fact that the twin was able to succeed after seven failed attempts should raise red flags (HSBC reports that it has since limited the system to three failed attempts). Limiting failed attempts or instituting escalating delays between failed attempts ensures that malicious actors don’t have free rein to attack authentication systems until they find the correct response.
Use risk-based authentication: Because of the comparatively low risk level of the features within HSBC’s initial phone banking platform, they could afford to have a somewhat lower threshold of authentication. For higher-risk activities, such as initiating transfers, changing account information, or moving money, a higher level of authentication is appropriate. Biometric modalities are uniquely flexible forms of authentication in that the sensitivity can be increased or decreased depending on how much tolerance there is for falsely rejecting good customers vs. incorrectly authenticating fraudulent ones. Understanding the sensitivity of their particular biometric integration can help financial institutions determine where biometrics fit in their authentication suite.
The hype around biometrics’ role in security has almost certainly helped drive adoption in financial markets and acceptance among consumers, but portraying biometrics as a cure-all also helps stories like this gain traction. By contrast, the BBC’s story would have been much less compelling if the title had been “Twin knows his brother’s mother’s maiden name,” for instance (or favorite color, first pet’s name, elementary school, etc.). In essence, stories like the HSBC and Samsung spoofs get attention because biometrics work extremely well nearly all of the time, so it is remarkable when someone finds an edge-case workaround.
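The three practices above, as one added example that is not HSBC's or any vendor's code: an authentication policy that locks an account after a fixed number of consecutive biometric failures with a lockout that doubles on each further failure (systemic safeguards), applies a tighter match threshold the riskier the requested operation (risk-based authentication), and demands a second factor on top of a good biometric match for the highest tier (layering). The match "distance" input is the fraction of differing bits from a matcher such as the one in the on-device example; the tiers, thresholds, three-attempt limit and 30-second base lockout are constructed values, chosen to echo the post, and the clock is injectable so the lockout can be tested without waiting.

```go
package main

import (
	"fmt"
	"time"
)

// RiskTier classifies the operation the caller wants to perform. Constructed
// tiers loosely following the post's examples.
type RiskTier int

const (
	LowRisk    RiskTier = iota // hear a balance or recent transactions
	MediumRisk                 // move money between the customer's own accounts
	HighRisk                   // pay a third party, change contact details
)

// maxDistance: largest biometric distance (0 = identical, 1 = opposite) still
// accepted per tier. Tighter values reject more impostors at the cost of more
// false rejections of genuine customers. Constructed values, not a real bank's.
var maxDistance = map[RiskTier]float64{LowRisk: 0.35, MediumRisk: 0.30, HighRisk: 0.25}

const (
	MaxFailedAttempts = 3                // lock after this many consecutive biometric failures
	BaseLockout       = 30 * time.Second // first lockout length; doubles on each further failure
)

type Decision string

const (
	Accept Decision = "accept"  // biometric (and any required extra factor) satisfied
	Reject Decision = "reject"  // distance above the tier's threshold
	StepUp Decision = "step-up" // biometric fine, but this tier needs a second factor
	Locked Decision = "locked"  // too many failures; nothing is evaluated until the lockout ends
)

type accountState struct {
	failed      int
	lockedUntil time.Time
}

// Policy keeps per-account failure state. The clock is injectable for testing.
type Policy struct {
	states map[string]*accountState
	now    func() time.Time
}

func NewPolicy(now func() time.Time) *Policy {
	return &Policy{states: map[string]*accountState{}, now: now}
}

func (p *Policy) state(account string) *accountState {
	st, ok := p.states[account]
	if !ok {
		st = &accountState{}
		p.states[account] = st
	}
	return st
}

// LockedUntil reports when the account's current lockout ends (zero time if none).
func (p *Policy) LockedUntil(account string) time.Time { return p.state(account).lockedUntil }

// Evaluate decides one authentication attempt for the given operation tier.
func (p *Policy) Evaluate(account string, distance float64, tier RiskTier, secondFactorOK bool) Decision {
	st := p.state(account)
	now := p.now()
	if now.Before(st.lockedUntil) {
		return Locked // applies to the genuine customer too; that is what makes it a safeguard
	}
	if distance > maxDistance[tier] {
		st.failed++
		if st.failed >= MaxFailedAttempts {
			// 30s on the third failure, 60s on the fourth, 120s on the fifth, ...
			st.lockedUntil = now.Add(BaseLockout << uint(st.failed-MaxFailedAttempts))
			return Locked
		}
		return Reject
	}
	st.failed = 0 // a genuine match clears the failure streak
	if tier == HighRisk && !secondFactorOK {
		return StepUp
	}
	return Accept
}

func main() {
	p := NewPolicy(time.Now)
	// the same voice sample is good enough to hear a balance but not to pay a third party
	fmt.Println(p.Evaluate("acct-1", 0.33, LowRisk, false))
	fmt.Println(p.Evaluate("acct-1", 0.33, HighRisk, true))
	for i := 0; i < 3; i++ { // three poor samples in a row
		fmt.Println(p.Evaluate("acct-1", 0.90, LowRisk, false))
	}
}
```

The escalating lockout is what closes the gap the post points at: a caller who needs eight tries to land one match gets three, then waits, then gets one more before waiting twice as long. Tier thresholds are where an FI expresses the false-reject versus false-accept tolerance the post describes, and the step-up rule means a spoofed biometric alone never authorizes a high-risk operation.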