Biometric Identification & usage in Banking Mobile Applications

Earlier this month, on 12th of Sept, Apple held their much awaited launch event. New iPhone came with bunch of new security features and augmented reality and then Face Recognition caught my attention (and of many others).

Biometric Identifications like Finger Prints, Iris, and face detection were distant reality just a decade ago and now they are right here on your phone. Apple already had Touch ID. Samsung launched iris scanner in Galaxy S8 in Mar’ 17, it is considered safer than Fingerprint scanning. A study says, on average, users unlock their phone around 100 times a day. It is been considered a sweet spot which opens doors of convenience for mobile phone users. Such biometric unlocking of phone will only push this number even further.

Right after high profile Apple Event, people started to evaluate good and bad in the new iPhone and other Apple products. Security experts started to analyze this new face recognition feature. I am not sure of any report that is out yet. What pushed me to pen my thoughts is — “ Your face is now your password. Face ID is a secure new way to unlock, authenticate, and pay.” Ref: https://www.apple.com/iphone-x/

This is where my worry started, how these biometric authentication techniques have started to replace conventional numeric pin or password based authentication on financial transaction related mobile apps — banking app, payments e-wallet etc. Login to a banking app, using Apple Pay or Android Pay these days is just matter of touching fingerprint sensor or looking into camera.

Are these techniques secure enough? Possibly No.

I came across this amazing article from Quincy Larson and it has just summed it all. Look at this video which I originally saw in his article, see for yourself how Samsung Galaxy S8 Iris Security was hacked just using a good camera, a high dpi printer and a pair of contact lenses. This video should be enough to take away your faith from these technologies. That said, yes Iris is unique.

Samsung Galaxy S8 — Hacking Iris Scanner

Fingerprint sensors, typical devices/softwares stores quite a few images of your fingerprint to help them find a match. A typical user will store more than one fingers. This reduces complexity of Brute Force attack on mobile phone device. A personal with criminal intentions knows the target person and has to match fake fingerprint from 20–30 (approx.) images that are pre-stored somewhere. These images are stored somewhere on your device, somewhere outside operating system. Companies like Apple, Google and Samsung never mentioned details about their technology, this adds a lot to their security.

You might want to read details of a research conducted by professors and researchers of New York University and Michigan State University.

On a lighter side but complementing research done by experts, have a look at this trick to unlock Apple Touch Id using made-up fingerprint marks. It doesn’t look very practical but knowing we leave our fingerprints everywhere it makes a point.

A fun project to hack Apple Touch Id

We are not far away from emergence of a reliable technology that could beat security provided by these biometric sensors on mobile phone.

Usage in Finance Apps

World is seeing a massive shift to bring all transactions on digital platform — from payments to currency. This has opened miracles of convenience for us. A thumb impression is capable of making transfer or payment for a purchase. With advancements & digitization in banking and payment industry, chances of cyber crime are equally high. These cyber crimes are not limited to hacking into devices or cracking a password, they also use physical & digital phishing.

Just relying on biometric identification to process transaction looks like a loop hole in digital security that we promise to users.

Are passwords more secure?

Any day. Passwords are more secure than these biometric identifications on your mobile phone. Requirement of Alphanumeric, one special character, no descending numbers etc. makes it even more hard to crack. 4 digit pin are not as secure as alphanumeric password but power of permutations & combinations makes it enough secure.

Almost every applications pushes user to change password every few months. You do not have such a luxury when your face is your password.

Conclusion

We should be bit conventional towards sensitive transactions — try multi factor authentication. Allow basic read access but before making any sensitive transaction or revealing information get user to authenticate using Password or an SMS to registered number. There is nothing new with this approach this is rather a widely used approach in banking applications across various countries.

It’s just start of an era by Apple pay, where you can pay just by scanning your Face, scares me. Two seconds of inconvenience caused in entering password will not be regretted, it is worth the effort.