back to article Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke

Around the world, banks are implementing biometric authentication systems for their customers as fraud cases increase – but experts warn biometrics should not be treated like a silver bullet for ID woes. Earlier this year, HSBC announced the launch of Voice ID for its customers in the UK, alongside fingerprint authentication, …

  1. Anonymous Coward
    Anonymous Coward

    Biometrics are the username. Too many Hollywood films seem to have led people to think otherwise.

    1. Zippy's Sausage Factory
      Black Helicopters

      I'd also add

      That biometrics are the username, tattooed on your forehead.

    2. Christian Berger

      The bizarre point is...

      ...that in many Hollywood films it is shown how to break biometrics. In many cases even rather realistically.

  2. Charles 9

    Problem is, what if that's all you have (bad memories and no phone or other second factor present)?

  3. Anonymous Coward
    Stop

    Biometrics are very popular among the technically less-educated

    I can't blame them, because who wants to live with remembering 15-20 different passwords for all the online services you use. However, the idea that just because somebody must be me because they can transmit my iris scan is just terrifying.

    1. SuccessCase

      Re: Biometrics are very popular among the technically less-educated

      It's a good point, but still I'm willing to bet the proportion of those who consider themselves "technically well educated" and who also like to demonstrate "superior" knowledge by decrying biometrics (even for e.g. smaller financial transactions) but then blithely enter a pin code without checking if there is a security camera trained on the POS terminal, is greater than 90%.

      Which I think illustrates the point it's all about risk management, not absolute security (which is a Chimera) and biometrics is probably currently, practically speaking, more secure than PIN entry whilst being one hell of a lot more convenient. One day, the techniques for and practice of lifting fingerprints to commit card fraud might be common enough that us security pragmatists pragmatically evolve a new pragmatic solution. But even where finger print scanning tech is concerned, the need for that change is certainly not today.

    2. Jeffrey Nonken

      Re: Biometrics are very popular among the technically less-educated

      15-20 online accounts? Is that all? Let's see...

      Bank

      CC

      Phone

      Internet

      Cable

      Email

      Utilities

      DMV

      IRS

      Insurance

      WiFi

      Home computer

      That's 10 right there. Some could be combined, some may have multiples. The banks probably include cards whose PINs you must choose and remember. Now, what else...

      Amazon

      EBay

      Paypal

      Netflix

      Hulu

      Redbox

      Twitter

      Facebook

      Google

      Apple

      Starbucks

      Work email

      Work computer

      Work WiFi

      Skype

      Any typical person might have some or all of those. Now let's add a few that I also have...

      Steam

      Yahoo

      Newegg

      Tigerdirect

      Hosting service (Eapps)

      Dating site

      Tumblr

      Cypress Semiconductor

      Texas instruments

      Digikey

      Work phone system

      Work server admin logon

      Work development server logon

      Root for above

      Killing Floor dedicated server

      USPS

      UPS

      Fandango

      Logitech Harmony

      Dropbox

      XDA

      The Register

      Slashdot

      Techdirt

      Reddit

      Wikipedia

      Wikia

      Tvtropes

      IMDB

      IMFDB

      WordPress

      Teamviewer

      Firefox

      Glyde

      Freedompop

      Franchise tax board

      Daily Steals

      ...That's just a few of the top of my head, and doesn't count old accounts nor the fact that in some cases I have multiple accounts. Nor that my wife and I sometimes have separate accounts but know each other's information.

      I use Keepass. Of course, I also have an elaborate password I have to remember.

  4. Anonymous Coward
    Anonymous Coward

    Tiresome..

    I'm getting a bit tired of the "do not use biometrics because you cannot change them" meme because it's far from universally applicable, but gets trotted out every time someone talks about it. Well, big fat yawn.

    The only time that is an issue with biometrics is if they are used in a big database, which is what you should never do with biometrics in the first place, hence my intense dislike of the HSBC voice print idea (but as HSBC is a bank I wouldn't trust with a wet flannel let alone my money that's not a real problem - anyway, that's off topic). You use biometrics exactly BECAUSE they don't change otherwise there would be no point.

    Biometrics are best used as a means to salt a password has before it is submitted (usually as a hash), so PIN "1234" plus biometrics of Bob don't give you the same hash as PIN 1234 plus biometrics of Alice. This means that biometrics are best stored as a local hash, not as full data in some distant database.

    This is also why I don't like voice control systems such as Siri and its Google equivalent - it's like giving the ECHELON people the best voice print they could possibly obtain: locally recorded, possibly repeated for clarity (if Siri doesn't work) and in high quality rather than within the normal phone frequency band.

    I don't think I'm spectacularly paranoid, but I do believe that prevention is better than mopping up the mess afterwards. Biometrics are a good factor, especially when used in combination with others provided they are used intelligently.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tiresome..

      If they want our voice prints they have all the phone calls we've placed over the past decade (at least) as they've been capturing them all since 9/11. Believing that your voice something you can and should keep secure from the authorities is the height of folly. Nothing biometric can be kept away from them, because it has to be easy to collect to be useful in a device.

      I know the US government has my fingerprints on file, since I previously had a security clearance and had to submit them (and was arrested a long time ago, but that predated TIA style collection of 'everything' and probably isn't even in my state's computer files) I assume they have my voice. They probably don't have my iris, but consider that when I renew my license I have to look into that little thing that tests my vision. I suppose theoretically it could make an iris image. Also I have a yearly checkup with my eye doctor, and they take very detailed pictures of the iris that show all the blood vessels inside. I doubt they have very good security, and probably use some standard system sold to eye doctors - bet the NSA could break into all of them pretty easily if they wanted.

      No matter what someone comes up with, from elbow prints to DNA extracted from blood to microscopic X rays of my wrist bones, once it is done and used in some sort of device, that information is no longer under my sole control.

    2. a_yank_lurker

      Re: Tiresome..

      The problem that biometrics has is they cannot be changed easily if at all. Mythbusters did an episode were they spoofed a fingerprint reader rather easily a few years ago. Passwords can be changed very easily and as often as you like (or forced to change them).

      Biometrics are more akin to a username than a password. Someone who knows me probably can guess my username for many sites but my passwords not so easily. Biometrics are just harder to spoof/guess usernames.

      1. Charles 9

        Re: Tiresome..

        But some people have terrible memories for passwords. They couldn't even remember "correcthorsebatterystaple" to save their lives (meaning they can't recall something they KNOW). Plus they may be partial Luddites and against having an electronic device on their person (so there's nothing they HAVE). So how do you do security when the ONLY thing you can work with is something you ARE?

      2. Anonymous Coward
        Anonymous Coward

        Re: Tiresome..

        Mythbusters did an episode were they spoofed a fingerprint reader rather easily a few years ago.

        Yes, but they did ONE episode with ONE set of evaluations and are unlikely to know about the whole market. Don't get me wrong, I love their shows but they are not covering the whole picture because some of this stuff is restricted access. Without a degree of insight, all cars are basically boxes with propulsion and 4 wheels, but that doesn't mean they're all alike. Actually, let me update that: to a politician, all cloud services look alike, but that doesn't mean they are (I'm trying to give up car analogies :) ).

        I've been knee deep in this for several years, from police forensics to very high grade access control. As I indicated a while ago in a fairly lengthy post, the reliability of fingerprint readers depends on the techniques used inside the reader to scan your ridges and the post-scan analysis, and that is more than just a matter of resolution.

        The ultimate decider here is not the reader, but how much you are prepared to spend. As demonstrated in another post I saw about ProtonMail, there is this weird expectation that despite paying next to nothing you get top quality. Logic dictates that if something is "free" and the company offering it is making a healthy profit regardless, you are paying in a different way and corners have been cut with vigour, and the world of biometrics is no different. It is up to you if you want to take that risk when it is about financial transactions or personal information.

        For that last item I have a closing remark: I have lost count of the number of people who would "never use biometrics" for fear it would leak, yet these same people happily continue using Gmail and Facebook...

        1. Anonymous Coward
          Anonymous Coward

          Re: Tiresome..

          Well sure maybe it is possible to build an NSA approved fingerprint reader that can't be spoofed for $50K, but how does that help use of it on a phone or to unlock your front door?

  5. Justicesays

    More recently

    Banks have been looking at finger vein patterns instead of (or as well as) fingerprints.

    This would be used to approve card transactions for instance.

    The idea behind this is that you don't leave copies of your vein patterns behind on everything you touch, so it cant be easily copied...

    They don't seem to have figured out that if this catches on people will be constantly sticking their fingers into devices specifically designed to capture this information , the security of which are unknown to the user.... At least if you stick your PIN into a compromised POS system you can get a new PIN. Good luck getting new fingers.

    This of course applies to *any* biometric that would come into common use!

    1. Charles 9

      Re: More recently

      Well, you have EIGHT of them (plus your thumbs). Plus how do you go about reproducing a vein pattern that relies on having particular qualities of mass and so on in place as well. I would think the technology to create an artificial finger right down to the veins and bones is something beyond current medical science.

      The thing about biometrics is that thery're basically the ONLY authentication system that's ALWAYS on you, regardless of whether or not you have electronic accessories and/or a good memory (basic requirements for the two other branches of authentication).

      1. TeeCee Gold badge

        Re: More recently

        The problem here is that to be usable and secure it doesn't have to be beyond current medical science. It has to be beyond medical science forever[1].

        'Cos you can't bloody change it and thus, if it is ever compromised, you are completely fucked in perpetuity[2], that's why. Basing security on something that cannot be changed at the drop of a hat is insanity with gilt knobs on.

        [1] And if you take that bet you are a tit.

        [2] Maybe once broken, some things will be changed to a completely different system immediately. Most won't and quite a few never will be.

        1. Charles 9

          Re: More recently

          "The problem here is that to be usable and secure it doesn't have to be beyond current medical science. It has to be beyond medical science forever"

          No, it only has to be beyond medical science until technology marches on and we develop a new authentication method and start switching to it, making the old stuff stale.

          "Basing security on something that cannot be changed at the drop of a hat is insanity with gilt knobs on."

          EXCEPT it's the ONLY thing that's practically guaranteed to be present all the time regardless of circumstances. People may have bad memories and may not carry a second factor with them. That's important because these kinds of people still need to be screened.

          PS. And believe me, I have lost count of the number of people who go about their business without their ID cards or keys (and then start begging because of that lack).

    2. Anonymous Coward
      Anonymous Coward

      Re: More recently

      Banks have been looking at finger vein patterns instead of (or as well as) fingerprints.

      This would be used to approve card transactions for instance.

      The idea behind this is that you don't leave copies of your vein patterns behind on everything you touch, so it cant be easily copied...

      That too is not exactly a new idea (and even that article called it "not new" :) ), but the problem with those readers is that they are complex and the signal processing after a read is so demanding that separate companies have sprung up in that sphere just for the backend software. This creates issues for, for instance, access control, because the users expect an instantaneous response and it already takes seconds for the reader itself to process its own reading, let alone do a lookup in a database. All of that takes power and computing resources.

      Compare this to fingerprints which are relatively easy to scan (with varying degree of reliability), not too complex to process and relatively quick to match, and keep in mind that evidence from the security world suggests that banks will only ever seek to do the bare minimum required to escape liability in case something goes wrong.

      Call me a cynic, but I can't see this really happening in the banking world.

  6. Anonymous Coward
    Anonymous Coward

    Biometrics should be the username, never the password.

    Used in this way is surely two factor authentication, yes?

    1. Charles 9

      Re: Biometrics should be the username, never the password.

      That's assuming there's a second factor available to be used. What if this person doesn't bring a cell phone?

  7. JeffyPoooh
    Pint

    For Security, the biometrics should be using different body parts...

    Not faces. Not fingers. They're too public.

    Use an area of the body that's got a better record of privacy for most people.

    "Sit Here To Be Authorized."

    1. JeffyPoooh
      Thumb Up

      Re: For Security, the biometrics should be using different body parts...

      In the context of my suggestion, the '1 thumb up' is a bit disturbing.

    2. Allan George Dyer
      Pint

      Re: For Security, the biometrics should be using different body parts...

      Are bums that distinct?

      How about the nipple? Normally concealed, but we need an extensive study on their uniqueness.

      1. Anonymous Coward
        Anonymous Coward

        Re: For Security, the biometrics should be using different body parts...

        Are bums that distinct?

        How about the nipple? Normally concealed, but we need an extensive study on their uniqueness.

        That's not going to be very reliable. The scanner will often go .., well, you get the idea.

        :)

    3. Anonymous Coward
      Anonymous Coward

      Re: For Security, the biometrics should be using different body parts...

      Use an area of the body that's got a better record of privacy for most people.

      "Sit Here To Be Authorized."

      You made me think of the Monsters vs Aliens clip..

  8. Allan George Dyer

    Biometrics needs a trusted reader... so that pretty much rules it out for online commerce.

  9. heyrick Silver badge

    Two thoughts...

    Firstly, why are the banks making a big deal out of this fancy new way of authenticating ourselves when A, chip and PIN is protected by a lousy four digit PIN (come on, we're expected to know eleven digit phone numbers, can't they offer us the option to have a longer PIN if we want?) and B, we are expected to take it on trust that the little keypad connects to a proper secure device for the purposes of completing the transaction. I, personally, do not believe the so-called security one bit. There is no way to tell if the device isn't harvesting card numbers and PINs. In today's world of instant communications, it strikes me as odd that inserting your card can't open a secure connection to your bank, with the bank passing a special security phrase that can be shown on the LCD (an improbable passphrase of YOUR choosing known only to the bank such as "Duck! Duck! The turd is shiny giraffe!") so you know it is supposedly safe - this being an encrypted channel between the device itself and the bank. All the till will ever see is a yes/no response and some gibberish passing to and fro.

    Secondly, I know Sneakers is an old film, but it is perhaps the best example in cinema of how to pwn voice based authentication systems. Do not forget that if this is done on a computer or smartphone it will likely require specific software (which is a whole other trust level - such as NatWest's constant demands for me to install Trusteer Rapport on my computers) and if it is done over the phone you'll be subject to the limitations of POTS, which may well mean that the authentication could be able to be fooled by a cassette tape recording of your voice.

    So, sorry, call me cynical, but I'm wondering what this development is really intended to address. I'm wondering how it could be (ab)used to push more liability onto the end-user (who, helium balloons and singing aside, don't usually get the ability to change their voice...or other biometrics).

    1. allthecoolshortnamesweretaken

      Re: Two thoughts...

      SETEC ASTRONOMY... yup, good film, and what a cast.

  10. allthecoolshortnamesweretaken

    Time for some pedantery... IIRC, CCC campaigned against the use of biometrics in combination with ID cards, in other words ID cards including finger prints - not ID cards per se. Germany has had ID cards 'since always', just like most of the rest of continental europe.

  11. Jin

    Biomatrics ruins password security

    This short video explains how biomerics make a backdoor to password-protected personal secrets.

    https://youtu.be/5e2oHZccMe4

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon