Banks defend integrity of passcode-less TouchID login

Royal Bank of Scotland and NatWest have played down claims by a security researcher that their new Touch ID banking login feature might be circumvented, arguing the hack would only be possible with jail-broken iPhones — the use of which is not recommended. Last month, RBS and NatWest became the first UK-based banks to offer …

  1. Tim Brown 1
    Facepalm

    Your phone and your thumb!

    In other news, Apple's TouchID leads to a rash of muggings where the muggers steal your phone AND cut your thumb off...

    1. Calleb III

      Re: Your phone and your thumb!

      Then what?

      Hope the victim is using RBS/Natwest

      And using the mobile app

      And opted to use TouchID instead of the password.

      And for what, £100ish that can be sent/withdrawn without having the payee in the pre-approved list?

      Pretty far-fetched, don't you think?

      1. This post has been deleted by its author

    2. Irongut

      Re: Your phone and your thumb!

      Or a raft of sweet shop thefts linked to muggings where the perps steal your iPhone and a bag of Gummie Bears.

    3. chris 17 Silver badge

      Re: Your phone and your thumb!

      @ Tim Brown 1

      How very dramatic! The first of many to come. There are probably limits on how much money can be moved by the app, and even if the phone and thumb were stolen, the phone could be remotely bricked. I can't see this resulting in a spike of muggings involving amputation on the off chance the owner has installed and set up mobile banking by one of these banks that uses TouchID; the risk is not worth the reward (the destination of the money is easy to trace, which increases the chances of being caught). Hundreds of millions of iPhones and a few hundred thousand app downloads.

  2. Calleb III

    I'm not surprised RBS/Natwest have security gaps in their new phone app.

    I'm surprised they still have customers, given the plethora of major IT bungles in the last couple of years.

    1. SuccessCase

      Often written, I know, but my bank, First Direct, started phoning me and then asking ME to provide my security ID details to them - an anonymous person calling out of the blue - to prove who I am !!!

      Whenever they have done this I ask - are you seriously asking customers to divulge security details to an anonymous caller? Adding "Really ?" At this point, to compound the stupidity, they display a complete lack of understanding as to how authentication works, by suggesting a number I can phone them back on !!!

      Of course I could do a search to check the number belonged to them, but most customers won't be doing that.

      I notice they no longer do this, but still, the fact a bank adopted this policy in the first place is beyond belief.

      1. Trigonoceps occipitalis

        "by suggesting a number I can phone them back on !!!

        Of course I could do a search to check the number belonged to them, but most customers won't be doing that."

        Do not forget the quirk of the landline telephone: the caller can keep the line up after the called party replaces the handset. Simple to feed a fake dial tone and get a new voice on the line to continue the scam when the victim rings the new (and researched) number.

  3. Anonymous Coward

    On past form...

    "We do everything we can to make banking secure for liability easier to pass on to our customers"

    Natwest has already pulled one app ("Get Cash" in 2012) for security failings, so I'll take a liberal dose of salt with their claims.

  4. jai

    in other news - jailbreaking is still a thing?

  5. Mage Silver badge
    Devil

    I'd change

    if the hassle was less and the others much better.

    The devil you know ...

    What's to stop someone figuring out how to use these probably badly written apps on a phone the real user has never even seen?

  6. Will Godfrey Silver badge
    FAIL

    Wunch (you know the rest)

    I like the bit about calling the bank if your phone is lost or stolen...

    Ummm. how?

    1. This post has been deleted by its author

      1. Will Godfrey Silver badge

        Re: Wunch (you know the rest)

        Have you seen the tailspin most people go into when they realise they've lost their phone?

        Quite typically they'll be in a supermarket and decide to ring home to check on what's needed. In their agitated state, are they then going to tap up a complete stranger and ask to use their phone to ring the bank? Then, I guess they'll need to find someone with the same bank 'cos guess where they stored the number (along with all sorts of things that really should not be on such an insecure item).

        When most people's idea of a 'mobile' phone was the one in the big red box on the street corner nobody was particularly dependent on them, but now many can't function rationally at all without them.

  7. djack

    Ahh.. the Lemming defense..

    "Other banking institutions across the world are also using this technology with their customers."

    I've heard similar things to this from software vendors on multiple occasions... often just before I demonstrate a whopper of a security flaw.

  8. This post has been deleted by its author

    1. Velv
      Gimp

      There's a limit to how much you can pay in one transaction to an unverified contact (i.e. Someone you've not set up to pay through other channels)

      There's a limit to how many unverified payments you can make in one day.

      There's a limit to how much you can transfer in one day.

      If someone takes you to a hotel and renders you unconscious I think you've got more important "assets" they're going to be after.

      1. Mark 85

        If someone takes you to a hotel and renders you unconscious I think you've got more important "assets" they're going to be after.

        Ah.. the variation of "Hit me, kick me, beat me. Make me write bad checks" perhaps?

    2. Steven Roper

      You don't have to render anyone unconscious or take them to a hotel

      "I can imagine the situation in which a fraudster meets someone in a bar..."

      ... and says "Hi, didn't we meet at blahblah last year," buys them a drink, and gets their fingerprints off the glass. And then uses it not just for accessing bank accounts, but for identity theft in general, since more and more organisations are relying on biometrics like fingerprints these days.

      The problem then becomes obvious: biometrics can't be changed like stolen cards and tax file numbers. So once someone has your fingerprints, retina scans, voiceprint, whatever, and is using them to commit criminal acts, you're fucked for the rest of your life.

    3. Anonymous Coward

      "It's all very well sprouting on about the security..."

      Not aware that anyone has bean sprouting...

  9. Anonymous Coward
    Facepalm

    Sheep

    Ah yes, I see: "Other banking institutions across the world are also using this technology with their customers" so it must be OK. In 2000-2005 "other banking institutions across the world" were busily selling subprime mortgages. So that meant it obviously had to be just a fine thing to do, didn't it?

    Security by bandwagon.

  10. Jin

    The gate of a fallback password is open to criminals.

    For biometrics to displace the password for security, it must stop relying on a password registered in case of false rejection. Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.

    We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two), as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increases the convenience by bringing down the security.

    Biometric solutions could be recommended to people who want convenience rather than security, but should not be recommended to those who want security rather than convenience.

    1. Anonymous Coward

      Re: The gate of a fallback password is open to criminals.

      Presidential authority is confirmed for change of test procedure.

      Dummy warheads will be replaced by W80 thermonuclear device.

      Have a nice day.
