Go on, corporate drone, log in... We'd recognise your VEINS anywhere – Barclays Barclays is ramping up its fight against online fraud with the roll-out of a biometric scanner that uses Hitachi’s Finger Vein Authentication Technology (VeinID). Unlike fingerprints, vein patterns are extremely difficult to spoof or replicate. Barclays Biometric Reader will allow customers secure access to their online …
Exactly! I'm sure when fingerprint readers were introduced a few decades ago they were promoted in exactly the same. "Everyone's fingerprints are unique, this is the best security possible because no one can forge the fingerprint of a live human user".
Stick a VeinID reader on a laptop or smartphone and tie it to people's bank accounts, and watch how quickly ways around it are found, just as fingerprint readers have various hacks (depending on the type of reader)
"Human" body? What's wrong with the equivalent of a mini-dialysis-machine? A simple pump, two tubes and some red goop. Severed finger required.
Or a Retina display of "here's one I did earlier" Jpegs of famous fingers?
Or a finely crafted tattoo? Or several, printed onto exchangeable gloves?
"Oh", says the copper, "my scanner tells me you're Sir Goodly Ownsalot, and you own this building. Well, have a nice evening, m'lud."
Or a simple card verifier like the ones everyone has in movies.
First, fingerprint readers were the ideal of biometric verification, then iris scans, the voice prints, and now this. At hat point does some bright spark realise that biometrics are just as mcuh of an arms race as any other form of verification, but with the added advantage of an inability to withdraw or alter the factor?
I barely trust a bank with my money, I'm not trusting them with any form of my biometrics.
Of course, putting these on ATMs as the way to access your money like they've done in Brazil couldn't POSSIBLY go wrong... I'm sorry knife/gun-toting person, you want me to put my finger where?
No doubt they'll rush this out to consumers to use at ATMs as it gives them a water tight get out from having to refund the customer in all cases.
Shaken up customer: I was frog marched to an ATM and forced to withdraw all my money at gunpoint.
Bank 'customer service' wonk: Ah yes but you aurhorised with your finger.
Customer: But I was going to be shot, what do you expect me to do?
Bank: But you still authorised it so we aren't liable to refund you.
Customer: So you expect me to get shot to defend my account and your bank?
Bank: You may think that but we couldn't possibly comment.
Glad I don't bank with Barclays, if it gets introduced across the board then I guess it'll be money under the mattress time.
Biometrics are only safe where the scanner and the entire data path can be trusted. That should not be too difficult if it is part of an ATM, as those are well-defended bits of hardware. It is much harder in a device handed out to consumers.
In this case, the finger scanner would have to authenticate itself securely to the bank, encrypt all communication, and be tamper-proof to the extent that nobody could feed recorded data into it in place of the output from its own sensor. Quite hard in a cheap lightweight device...
It might be OK if the device itself is tied to the account, as then a criminal would have to modify my own scanner to access my account and I would probably notice that quite rapidly.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
