Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
As previously discussed, cybersecurity has come a long way since the days of a simple password being the sole line of defence to protect your data. Innovations in the field have led many companies to investigate how feasible and useful biometric protection really is, leading many to question: is biometric technology the future of cybersecurity?
Creating a new target for hackers
In theory, fingerprint authentication is very secure: should someone find your lost phone, they won’t be able to access it because of the security measures in place. However, looking at the bigger picture, a hacker is more likely to breach the facility where this data is stored than to target one individual user. A fingerprint or face scan cannot be changed, so should one of these features be compromised by a bad actor, there could be serious consequences. Ted Wagner, CISO at SAP NS2, comments: “Biometric authentication methods can use two methods to uniquely identify a person – morphological or behavioural traits. Common morphological techniques include fingerprints, retina scans, or facial mapping/recognition. Behavioural traits include a written signature or a combination of keystrokes.
“Morphological techniques tend to be more secure than behavioural traits. However, there can be privacy concerns when fingerprints, retina scans and facial mapping data are stored centrally. A database where these attributes are stored is a very attractive target for bad actors. Unlike more common credentials, like usernames and passwords, which can be reset, the loss of a fingerprint or unique trait of a person, which can never be reset, can have serious ramifications if stolen by a bad actor.”
Pure and simple inconvenience
There are many ways we can criticise biometric authentication, especially when looking at the intricacies of how the data is protected from hackers. But on a much simpler level, biometric authentication only works if an exact copy of what is registered is shown. Michael Crompton, Founder and CEO of Forghetti, explains:
“Biometrics have certainly made it much quicker and easier for us to all log in to our phones, services etc… the security behind these is brilliant and enables users to log in to systems, verify their identity without entering any information. The problem occurs when the biometrics do not work… for example when a fingerprint is corrupted because of peeling skin or a blister, or indeed wearing a face mask blocks facial recognition.
“The reason this causes a weakness is that the fallback solution to our biometrics is, on the whole, a four or six digit PIN number. We then fall back into the trap of human behaviour. Our PIN numbers are dates of birth, dates of anniversaries etc. So therefore predictable and thereby vulnerable.”
The whole purpose of biometric authentication is to make users feel more secure, but if they are unable to use it, the added protection is void.
Andersen Cheng, CEO of Nomidio and Post-Quantum, took a different approach to biometric authentication. Looking past its accessibility and how data is stored, he points out that the technology itself is not immune to attacks. Spoofers and hackers can still imitate users to access data:
“Biometrics have been the cornerstone of progress in identity management and stronger cybersecurity in recent years – there’s no escaping the fact that we are more secure now than when using password-only identity systems. However, as when any new technology is widely adopted, so does the intent to ‘break’ it and new cybersecurity challenges arise.
“For example, a key issue gaining momentum is deepfake technology. A few years ago criminals impersonated a chief executive’s voice and demanded a fraudulent transfer of €220,000. This was just an early warning sign, with other security firms reporting seeing an uptick in attempts to defraud using the technology in the last few years.
“Although the technology is in its infancy, we shouldn’t be surprised to see criminals using deepfake tech shifting their focus to the biometric systems that we’re becoming so reliant on, particularly in high security industries like banking and government. Some government agencies today are using voice recognition for proof of identity, while banks use voice and facial recognition to register new users and facilitate online banking. A good quality deepfake will likely become the primary way that criminals can develop the fake biometric identifiers needed to bypass biometric-based fraud prevention solutions that are supposed to enhance our cybersecurity posture.
“Although a long way off in being able to do this systematically in real time, this threat is coming as the technologies used to create deepfakes are becoming more prevalent and easier to use. Using a traditional multi-factor authentication (MFA) method definitely helps, and it can be further enhanced by introducing multi-factor biometric (MFB) authentication. In other words, rather than just using one biometric identifier, we urge our customers to ensure they use a combination of voice biometrics, speech recognition, context-dependent data, and even behavioural analysis in a single authentication system.
“Finally, there is also the security vs. privacy trade-off. While the use of biometric technology is not intended to be malicious or used for the invasion of privacy, the way our biometric data is now so easily captured, stored, analysed and compared raises questions around the blurring of privacy and security. We really need a wholesale review of how biometric data is being captured, stored, governed and regulated. One food for thought is to segregate the biometric custody and verification process from the merchants, who in most cases only need to attest the validity of the person logging in rather than knowing each customer’s biometric data. This will go a long way to alleviate a user’s concern that some companies have a complete record of their identity profile.”
Companies collect more data than we’re aware of
The final viewpoint comes from Dr Christopher D McDermott, a lecturer in Human-centred Security and Privacy at Robert Gordon University. He weighs up both sides of the argument over whether biometric authentication is foolproof or just prolonging the inevitable. Looking at it from an ethical point of view, he explains how some do not like the extent to which their data is being collected, and how this unchangeable data can be cloned if it falls into the wrong hands:
“A conflict exists between an individual’s right to privacy and control of their biometric data and the moral responsibility to protect the security of society. Privacy advocates are quick to highlight unethical uses of facial recognition for identification and social scoring, arguing that in many cases personal data is collected and used without the consent or knowledge of the target. Sceptics also point to the challenges biometric systems face and the ease by which they can be tricked. For example, fingerprints were shown to be cloneable at a Black Hat cybersecurity conference. Also, researchers at the University of North Carolina at Chapel Hill demonstrated how facial recognition systems can be potentially evaded using 3D models of a face constructed from photographs taken from an individual’s social media account.”
McDermott summarises the views above, concluding: “In the end, the question of whether biometric use within the fintech industry is foolish or foolproof may depend on which side of the fence you are looking from. In reality, biometric use within the industry will continue to grow and when used as part of a two-factor authentication strategy offers some of the strongest security available today.”