A potential new hack nicknamed DolphinAttack has been found by researchers in China. It reportedly records and sends unauthorized commands to digital assistants at an ultrasonic frequency. Just like dolphins, such frequencies are not detectible to humans but are easily heard (transferred) by devices. Researchers found they could give high frequency commands to most digital assistants including Alexa, Siri, and Microsoft Cortana. How this plays out with all the work going on in the biometrics space is yet to be seen, but it is interesting.
As the banking world looks to biometrics as a way of eliminating passwords, pin numbers for ATMs and enhancing the security on customers' accounts, it is discovering that the new authentication methods are a bit of a mixed bag. One of the biggest issues is in the process of storing customers' individual details (such as fingerprints or iris scans), which creates its own security risks.
That's right, using fingerprints or iris scans as a security measure for ATMs, or any other device or account, creates the possibility that hackers could steal such information from the databases where it is stored. Unlike pin numbers, which can be easily replaced with new ones, the potential risks of hackers stealing people's biometric information could have longer term implications. This is particularly true as many biometric measurements such as fingerprints are permanent.
If hackers are able to steal someone's fingerprint information for example, they could easily steal their entire identity and even potentially implicate that person in a crime. While that may sound like something out of science fiction, consider this true story. In 2016 researchers from mobile security firm Vkansee were able to copy people's fingerprints with Play-Doh. They then used that children's toy to successfully fool 90% of fingerprint readers. Even though advanced infrared cameras now measure oxygen levels to validate a living person vs. a forged fingerprint, the stakes remain high for banks. After all, consider a can of Play-Doh costs as little as 40 cents each.
Beyond the complications of storing biometric information for customers is the cost of doing so. Here, costs can be very high because security must be very high. Such issues have even led major banks like Citibank to abandon past efforts to incorporate biometrics into ATMs.
To eliminate the risks of storing biometric information, some of the industry's largest banks have begun shifting the responsibility of protecting customers' biometric information to customers themselves. Most people already keep their cell phones with them at all times, so banks are realizing this provides an opportunity.
ATMs that use biometrics will rely on mobile apps and programs that will transmit a unique digital token to an ATM whenever a person tries to withdraw money. Instead of customers using their fingerprints or iris scans to access ATMs directly, people will use biometrics to access programs or apps on their phones that will then interact with the ATMs. This allows the bank to bypass direct collection of biometric data. Among the banks that have begun using such an approach at ATMs are JP Morgan and Wells Fargo.
According to biometric security company HYPR, there are already more than 2B cell phones in existence that have the capability to use biometrics and 42% of retail banking customers say they would not use a banking or payment app without biometrics. Clearly, customers at some level like biometrics.
Given the cost of creating and testing biometric ATMs, it is likely to be some time still before such ATMs become commonplace.
Still, community banks should be aware of the industry's increasing adoption of biometrics and the likelihood that customers will eventually be looking for widespread availability of such authentication.
In the meantime, keep your Play-Doh handy and your finger on the pulse of the customer.