Biometric identification – which uses unique physical attributes such as fingerprints to authenticate people – has long been considered secure. The technology is very attractive to banks and their users, who together create a giant target for hackers.
Many banks are testing or planning to introduce new biometric ATMs.
From an institutional point of view, the great advantage of methods such as iris scanning or vein pattern analysis is that they reduce the rate of false rejections (type I errors) and false acceptances (type II errors). Users like biometrics because the technology works fast and frees them from passwords and other secret codes.
Unfortunately, fingerprint scanning technology is not only widespread but also not as reliable as it should be. For example, users of iOS and Android devices regularly complain that their gadgets refuse to unlock for their rightful owners – or that they accept other people.
What about ATMs?
Biometric ATMs have yet to be deployed, but our security experts Olga Koczetowa and Alexei Osipov have already found several underground software developers selling biometric skimmers on the black market. These devices are designed to steal scanned fingerprints.
Other underground programmers are trying to create devices that can capture iris scan results and adjust the vein pattern. Moreover, using skimmers is not the only way to steal biometric data: man-in-the-middle attacks and the like will be just as effective as they are today with usernames and passwords.
Of course, criminals also hack servers with user data, regardless of the form of the data. Dropbox lost data from around 60 million accounts this year, and Yahoo later admitted that it had leaked the data of 500 million users – just two examples out of many.
Now imagine if these companies lost their customers' biometric data instead of passwords. Changing passwords can be annoying, but it’s possible – unlike changing your DNA code (or at least that is not as easy).
Additionally, criminals can use source data to create a fake login sample using biometric skimmers. Banks will have to develop security standards very carefully before making biometric ATMs available.
A decline in the security of biometrics
Governments, security forces and the defense industry were the first to use biometrics, and it worked well in these areas, mainly because these institutions could afford expensive, high-quality equipment.
However, with the large-scale adoption of biometrics, a decrease in its security level is visible. The main reason for this is popularity. First, the security requirements for consumer goods are lower than in areas where security is critical. Second, a wide variety of inexpensive gadgets enables cybercriminals to conduct extensive tests of consumer devices and find more and more vulnerabilities – for their own benefit, of course. The rapid development of 3D printing has also contributed to increasing the vulnerability of biometrics to attacks.
Last year, people installed about 6 million mobile apps that support fingerprint authentication. According to Juniper Research, we will be using approximately 770 million of these apps by 2019. By then, biometric authentication will become commonplace. Other experts are even more optimistic: Acuity Market Intelligence believes 2.5 billion people will be using 4.8 billion devices with biometrics by 2020.
Hope – and recommendations – for the future
Fortunately, biometric data is not kept in its pure form: the hashed scan results are sent to the server, making their theft less attractive. Nevertheless, criminals can still use methods such as the man-in-the-middle attacks mentioned above, where they insert themselves into the data channel between an ATM and a processing center to steal a person’s money.
Banks and users should use more restrictive measures to protect against leakage of traditional logins, as well as protect themselves against fraud involving biometrics. ATM design should be improved so that it is impossible to install skimmers, and the security of the ATM hardware and its software should be kept under control.
When it comes to biometric authentication technology in general, we recommend that you use it as a second protection method that complements other security features but does not completely replace them.