Doubts cast on fingerprint security for online banking
A new fingerprint security system could offer an alternative to remembering multiple online account passwords.
A masters student at Southampton University has developed software and an accompanying website known as FingerID that will allow users to access multiple websites without having to repeatedly register their details.
However, some argue that such a system is open to error and would face opposition in developed countries where it is seen as socially unacceptable.
FingerID’s creator, Sara Alotaibi, told The Engineer that she wanted to bring the security of fingerprint verification to the web to make it easy for anyone to use.
‘There is not any software system that does what FingerID does because it focuses on accessibility and usability as well as security,’ she said.
While fingerprint scanners are already built-in to some PCs as a security measure, biometric verification has yet to be taken up by online account services such as banks and shops.
Elizabeth Holloway, spokesperson for Barclays Bank, said: ‘It is something that we’ve looked at and we know it can be done, but the major concern is the privacy point of view.
‘We’d need to store all those customer fingerprints and have them accessible and that’s moving into a whole new ball game. It’s got different consequences from holding just data.’
FingerID may offer a solution to this problem because the fingerprint is held only on the user’s own computer by the FingerID software and is saved as data rather than an image.
Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, said banks did already use specialised security contractors on a large scale, such as the Verified by Visa scheme for online debit and credit card shopping.
But fingerprinting did have significant engineering issues, he said. ‘There are some people whose fingerprints you can’t scan, people like bricklayers and tilers whose fingers have been worn flat.
‘Old people tend to have much less distinct fingerprints than young people for similar reasons. The equal error rate in fingerprints is about one per cent if everything goes well.’
However, a much bigger issue, he said, was that fingerprinting had only been widely used in banking and general identification in developing countries, and for welfare payments in the USA, and is otherwise socially unacceptable because of its association with criminality.
‘You don’t do fingerprinting to middle-class people in developed countries… From the social point of view, fingerprinting and banks don’t mix.’
He added that there was vast inertia in the banking world when it came to implementing new ideas, pointing out that the chip-and-pin card system took many years to be rolled out.