Financial institutions increasingly are turning to technological weapons to battle cyber criminals. Biometrics, (such as fingerprinting, facial recognition, iris scanners, and palm veins) is being used in order to protect your valuable information.
"Banks are looking to replace passwords with biometrics, because passwords are dead. Passwords are not secure. They can be easily stolen or borrowed. With a password, the bank doesn’t really know if the person who is using it is the authorized user. This is why over the next couple of years, all banks will replace passwords with biometrics," predicts Hector Hoyos, CEO of Hoyos Labs. "There are already early signs. Various financial institutions are using Touch ID to enable their mobile apps. This is the first wave to bring biometrics mainstream."
Cyber attacks on major organizations are occurring frequently and make headlines seemingly weekly. "Armed with stolen data from these attacks, cyber criminals are dialing into financial institutions attempting to answer your challenge questions and extract your earnings," says Gary Davis, chief consumer security evangelist at Intel. He says major banks, including JPMorgan Chase and Wells Fargo are employing recorded voice messages to help protect people from scammers. "They are arming themselves with a biometric weapon – your voice. Voiceprinting, is aimed at detecting the bad guys (rather than confirming you are actually who you say you are)," he explains. How have banks obtained these voice samples? "It goes a little something like this: ‘This call may be monitored and recorded.’"
Davis reports that this technology has been effective at countering con artists. In fact, when combined with other fraud detection methods, banks have seen a 90% decrease in the number of calls made by fraudsters. "Voice biometric ‘blacklists’ may just be the way of the future," he says.
The challenge biometrics present
Biometrics, like fingerprint scanning, has the best chance to succeed for a few reasons, says Bill Carey, vice president of marketing for RoboForm, a password manager. "It’s already readily available on many computers and mobile devices. It’s fairly easy to use, and because people have heard and seen it before, they are likely to be more comfortable with it," says Carey.
Trouble is, biometric systems are expensive. "Fingerprint and retina scanning login technology has been around for many years, but there’s a reason it has failed to make significant inroads into everyday login processes – it’s expensive to incorporate biometrics into laptops, desktops and mobile devices," says Carey.
Another challenge is that it is not easy to revoke or change biometric login credentials. In business settings, as well as at home, it’s not unusual for several people to use the same device or for devices to change hands as users replace tablets and laptops. It’s simple enough to make a change for password-protected devices, but biometrics make it complicated, adds Carey.
Then too, biometrics can change. Fingerprints and retinas can be affected by fairly common injuries and medical conditions, which can cause access issues. "People don’t want to be locked out of their devices due to a minor cut on a fingertip," says Carey.
There are other concerns. "It is possible to acquire an image of the biometric trait of a user and then build a ‘fake’ or ‘spoof’ of that biometric trait. This can be presented to the reader and now an imposter can access the sources," warns Anil Jain, a professor in the Department of Computer Science at Michigan State University.
"What if you are a customer at a bank but the biometric enabled ATM machine or payment system does not recognize you (false reject)? What recourse do you have?" he asks.
There’s much debate about whether biometrics is safer than passwords?
"Passwords are something that you know and something that you have. Biometrics is something that you are. They can’t be stolen as easily as a password. Studies have found that one in five people use the same password for everything they access," points out Hoyos.
The onus, says Todd Inskeep, advisory board member for the RSA Conference, the big event for the info security industry, says that consumers and banks have to remember there’s a time and place for biometrics, and a time and place for passwords and other authentication mechanisms. Fingerprints in particular can be captured and duplicated as demonstrated on MythBusters a couple of years ago, he says. Using biometrics at a distance is often a bad idea, and better used for identification and authentication, he says. "The security community has always talked about gaining strong identity and authentication by using a combination of something you know, something you have, and something you are. That’s why combinations like PINS with credit cards have become popular," says Inskeep.
Finally, says Gasan Awad, vice president, Identity and Fraud Product Management at Equifax, "There is a movement towards biometrics, but they, alone, are not the ‘silver bullet’ to the authentication issues we face. Biometrics is a promising and already adopted form of authentication which, with improved false positives and technology will continue to be a viable vector to assist in authenticating consumers in a convenient and secure manner."