Card Payments at Your Fingertips
Can passwords and PINs really be replaced by fingerprints?
Mastercard has begun biometric trials in South Africa for transactions at selected stores, replacing PINs with fingerprint readers. It’s hailed as providing “additional convenience and security. It’s not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected”. We think these claims are dangerously overblown.
If your non-profit organisation is hearing about biometric developments and you are considering if fingerprint or other types of biometrics are suitable for your organisation, this article is for you.
People have been repeatedly shown to be poor at creating PINS and passwords. In one study researchers were able to guess 11 out of 18 PINs if they had access to a victim’s date of birth. Passwords have similar problems, and the promise of the end of passwords has been on the horizon for many years. Biometrics are regularly touted as the solution, and their use is becoming more popular: the iPhone can use your fingerprint, iris scanning has been introduced by Samsung, and Microsoft has rolled out facial recognition in Windows 10. Even dumb phones can get in on the action: Barclays will be using voice biometrics for its telephone banking system.
When authenticating, there are three factors you can use:
1.Something you know (e.g. PIN, password, safe combination)
2.Something you have (e.g. bank card, mobile phone, RSA token)
3.Something you are (e.g. fingerprint, retina, iris, voice, heart rate)
Using two different factors such as logging into your Gmail account with a password and code from your phone app is referred to as two factor authentication or “2FA”. Multifactor authentication, “MFA” can be two or more factors. It is important to note that using 2 or more of one factor (e.g. two passwords) does not give you 2FA: each factor needs to be from separate groups. Paying for items with a bank card in a shop is traditionally not only something you have (the card) and something you know (a PIN) but also uses a form of biometric: our behaviour. Many of us have had cards temporarily blocked when abroad, or receive a phone call from the bank when we make an unusual series of purchases.
A major concern is the misconception that your fingerprint biometric record is unique and nobody else can authenticate as you. It is impractical to perfectly match up your fingerprint with what is recorded on a biometric system. What if you have a greasy finger? What if you have a cut or abrasion? Is the sensor perfectly clean? Have you used a hand cream? These and other factors can force the system to reject valid users: we call this a False Rejection Rate (FRR). Having a high number of valid users stopped from authenticating with the system will reduce availability of it. Availability is a key principle of security, without it we do not function…and you will have many frustrated users. To overcome this, biometric systems need to be made less sensitive (i.e. less secure) to reduce false rejection rates. If the sensitivity is reduced too much you will allow many people to authenticate that should not have access: we call this a False Acceptance Rate, or “FAR”. To find an appropriate balance between FFR and FAR we need to find where they intersect. This is referred to as the Equal Error Rate (EER).
It is then necessary to determine if the EER is acceptable for your organisation. As you can see, the marketing claims that biometrics ensure that only a stated individual can authenticate is misleading, and yet the market for biometric systems grows. Facial recognition is becoming popular in airports giving a false sense of security. In one example, it was found that Osama Bin Laden’s face could authenticate as Winona Ryder’s.
Before anyone can use the system they need to be enrolled into it. To generate a password or PIN is quick and routine. For the Mastercard fingerprint enrolment, it is necessary to go into a branch and have your fingerprint processed there. In a medium size organisation you commonly have a range of workers who are office based, home workers or even abroad. If access to your systems involved visiting the IT department to be enrolled you will likely encounter complaints. This may lose some precious good-will points.
User acceptance is a major problem with fingerprint readers and biometrics in general. Fingerprints are associated with crime and many may not feel comfortable with an employer having their personal information to hand. “Mission creep” may be an issue, where once an organisation starts using your biometric data for one use they may end up using it for more contentious reasons. Users may feel this is an invasion of privacy, again eating away at the warm fuzzy feelings you wish your systems gave. In addition, the regular stories of passwords being compromised and published by hackers will create fear. It is one thing to have your password exposed to the world, quite another to have your fingerprints out there.
To what ends will a criminal go to get your fingerprint? One example of this is a Malaysian man who drove a Mercedes that required a fingerprint to start his vehicle. Criminals who wanted to steal his car had to kidnap him too. After a while they got frustrated with having him in tow. So they chopped his finger off, for convenience.
This brings us to possibly the biggest problem with biometrics – revocation. If you have a password compromised the simple thing is to change your passwords to prevent further access. What happens if your fingerprint is compromised? How easy is it to change your fingerprint? Your helpdesk may not have a quick solution and surgery may be beyond their skillset. Any good system should encode your stored biometric information, so it is much harder to work out what the original is (we call this process hashing and salting) but how do we know the people running these systems are adhering to appropriate standards?
Back in 2002, a Japanese hacker successfully attacked fingerprint readers using a combination of some cheap kitchen supplies, a camera and motivation. He lifted a finger print, enhanced it and created a fake finger in gelatine that attained around an 80 percent success rate. In recent years, German hackers have compromised a leading politician who promoted biometric use. They obtained his fingerprints from a glass he used at a press conference, then distributed a usable fingerprint of the unwitting minister to magazine readers. 3D printers now have the potential to make this process much easier. In 2016 police contacted an academic to 3D print a suspected murdered man’s finger, so they could access his iPhone. The academic was unable to help, as the material used in 3D printing does not conduct as a real finger would, but this could have easily been resolved using a coating of conductive material. PINs can be hidden in the back of your mind but fingerprints are not so easily concealed. To keep them private, will your users be willing to perpetually wear gloves? Would you like to propose this at your next meeting? Fingerprints are vulnerable to targeted attacks by criminals or even by an abusive partner. If you’re a journalist, a human rights activist or other campaigner you may have adversaries that can pose such a threat.
Finally, don’t be fooled into thinking that if banks are starting to use fingerprint readers as an alternative to PINs that it would be appropriate for a non-profit organisation to replace passwords with them too. Banks don’t just use 2FA (something you have, a bank card and something you are, a fingerprint) to authenticate users. Banks use complex rules, backed by years of experience to find suspicious behaviour with bank card use.
We will likely see a greater use of biometrics in coming years. This will be catalysed by the desire for novelty and new widgets plus a perception of the security of biometrics. Ill informed Government ministers will promote policies enforcing biometric use about which they have only a tenuous understanding.
We need to make independent, objective decisions on the merits and costs of biometric use in our organisations. Secure Active believes current technologies are some way from what would be considered an appropriate cost for the implementation of biometric authentication in most non-profit organisations. We recommend the use of 2FA for all internet facing systems, in the form of something you know (i.e. a passphrase) backed up by something you have (e.g. a hardware RSA token or smartphone app). The costs of these tried and tested controls are much lower than using bleeding edge biometrics that give the illusion of being secure. For cash-strapped non profits, they are a much better choice.
Want to discuss this further? Please contact us!
UPDATE: Some chief police officers in the UK have authorised the use of wildly inaccurate facial recognition systems in public spaces with extreme levels of false positives of up to 98%. This level of false positives is not authenticating to any acceptable level it is an excuse to arrest and harass people of their choosing, often people of colour. After reading this article you will be more knowledgeable of biometrics than many of the chief police officers authorising facial recognition. If you feel this needs to be stopped consider contributing to Big Brother Watches crowd funder: https://www.crowdjustice.com/case/face-off/
Secure Active C.I.C.
Information security services for the non-profit sector by the sector.
Secure Active C.I.C. is a Community Interest Company limited by guarantee registered in England and Wales (no. 10746897) at 62 Beechwood Road, London. E8 3DY