Skip to Main Content
PCBB Banc Investment Daily October 16, 2014
Banc Investment Daily
October 16, 2014

Dreaming Of A Post-Password World

It seems like almost every week there is a new massive electronic theft. Customer data such as credit card numbers with PINs and passwords are prime targets. We listened to the earnest young technology experts on television recently as they explained that almost no human generated password is hack-proof. They suggested any login should require dual verification (like a login plus a digital code sent via text message to a different device), and that it should be used each time a person logs in. There should also be no duplication of passwords between different websites or use of any word found in a dictionary - even substituting symbols for letters is unsafe.
This advice may well be valid, but it is beyond what we personally are willing to do to transact our everyday business. We did a quick count of our most frequently used websites with logins and there are 27. Given this, we find the password situation has become ridiculous and unmanageable. No one can function without a written list of passwords. There are a number of password storage solutions available that aim to solve this challenge. Keeper ($20 per year) reviews claim it's easy to set up and use. Reviews of LastPass (free; premium service $12/yr), PasswordBox (free) and others claimed initial set up may require somewhat significant effort. Each of these products eliminates the need to remember multiple passwords by creating one super-password. Users are cautioned to be certain that this one password is very good indeed because anyone who cracks it truly has the keys to your kingdom.
This approach may help with computer logins and with apps on the smartphone, but the login that concerns banks is the ATM. A magnetic strip card is only marginally secure if the card is stolen and the PIN is guessable. The next step for ATM security may well be biometric authentication (the most common type is the fingerprint, though iris scans and voice recognition are also used).
Biometric authentication in the banking industry is primarily considered for ATM security, but it can also be used to secure internal processes such as bank vault access or employee access to other secure areas. Bio-identification is also beginning to be used for mobile debit card readers in restaurants.
Latin America has led the way with biometric authentication at ATM machines. Itau, a Brazilian bank with 5,000 branches and more than 30K ATMs, rolled out the fingerprint authentication to replace the use of PINs and ultimately, it will replace the magnetic card. In addition to being more secure than PINs or passwords, customers have found it to be generally faster and more convenient. The bank estimates a 68% reduction in fraud since the rollout in 2011. Itau has used biometric authentication for employees to log in to workstations and access controlled areas within the bank as well.
Broad adoption of biometric authentication at ATMs in the US is likely a ways in the future as it requires biometric modules that can integrate into existing ATM machines. Like any major technology upgrade, they will be expensive to install. It is the same debate as that which surrounds chip technology for cards; the losses from fraud will have to become significant enough that banks feel it is worth the effort.
Given that the bad guys are getting so adept at taking information, it is clear new security measures are going to have to be explored and implemented to protect information. Password solutions, chip cards and biometric authentication are probably only the beginning of what is likely to be a growing project area for banks.