Doubts cast on fingerprint security for online banking

A new fingerprint security system could offer an alternative to remembering multiple online account passwords.

A master’s student at Southampton University has developed software and an accompanying website known as FingerID that will allow users to access multiple websites without having to repeatedly register their details.

However, some argue that such a system is open to error and would face opposition in developed countries where it is seen as socially unacceptable.

FingerID’s creator, Sara Alotaibi, told The Engineer that she wanted to bring the security of fingerprint verification to the web to make it easy for anyone to use.

‘There is not any software system that does what FingerID does because it focuses on accessibility and usability as well as security,’ she said.

While fingerprint scanners are already built in to some PCs as a security measure, biometric verification has yet to be taken up by online account services such as banks and shops.

Elizabeth Holloway, spokesperson for Barclays Bank, said: ‘It is something that we’ve looked at and we know it can be done, but the major concern is the privacy point of view.

‘We’d need to store all those customer fingerprints and have them accessible and that’s moving into a whole new ball game. It’s got different consequences from holding just data.’

FingerID may offer a solution to this problem because the fingerprint is held only on the user’s own computer by the FingerID software and is saved as data rather than an image.

Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, said banks did already use specialised security contractors on a large scale, such as the Verified by Visa scheme for online debit and credit card shopping.

But fingerprinting did have significant engineering issues, he said. ‘There are some people whose fingerprints you can’t scan, people like bricklayers and tilers whose fingers have been worn flat.

‘Old people tend to have much less distinct fingerprints than young people for similar reasons. The equal error rate in fingerprints is about one per cent if everything goes well.’

However, a much bigger issue, he said, was that fingerprinting had only been widely used in banking and general identification in developing countries, and for welfare payments in the USA, and is otherwise socially unacceptable because of its association with criminality.

‘You don’t do fingerprinting to middle-class people in developed countries… From the social point of view, fingerprinting and banks don’t mix.’

He added that there was vast inertia in the banking world when it came to implementing new ideas, pointing out that the chip-and-pin card system took many years to be rolled out.

Readers' comments (9)

  • It's good to hear that there are no Middle Class criminals out there.

  • Fingerprint info can be stolen just like pins and passwords but you can change the latter.

  • Fingerprints stored as data will be just as open to data manipulation as any other data storage method, therefore there is no significant advantage in this system.

  • The only comment you can make about this is that someone really hasn't thought it through. The system is akin to walking around with your credit card pin tattooed on your forehead. Unless of course you always wear gloves!

  • For access to online banking and other sensitive web content, fingerprinting should be combined with other non-biometric measures such as passwords and question/image identification. No biometric identification is 100% foolproof...yet.

  • 1 - if developed correctly, the worry of "stealing" a stored fingerprint template isn't all that great. It's like having a lock without a key - and the key can't be created without the lock owner present. Keep in mind I said developed correctly.

    2- the greater concern would be replacing the stored fingerprint template with another.

    3 - the cost to a financial institution in relation to customer support regarding hardware (fingerprint scanners) implementation/maintenance/support will be very expensive - probably cost prohibitive.

    I work with and develop biometric based solutions. This is one area (customer facing online banking) that probably just doesn't work well. Theory is one thing, application is another.

  • see this technology provides a true one-time-PIN. The Brownian motion of the corneal tear film provides a random number generator allowing unique identification from corneal topography. Wavefront is looking for global partners and currently in discussions with US and other interests to commercialise.

  • Why do people only think of fingerprints as biometrics?

    Since 2004 banks in Japan have been using vein print technology in ATMs, a couple of years later several banks in South America, Brazil in particular, have been using both vein and fingerprint.

    I have read news releases of Iris biometrics being used in the Middle East for banking customers (I am pretty sure a UK bank did this for a while as well).

    The technology for FingerID isn't new, it isn't even the safest way to do this. There are companies that encrypt the fingerprint and compare the encrypted data only not the fingerprint itself.

    Match on Card is another technology that would work well for on-line banking (if cost wasn't an issue) as this only stores your fingerprints on a chip card which is in your possession and the decryption and matching is done with the software in the chip rather than on a PC.

    Yes, fingerprints do have a negative image to the middle classes. I would also state that the technology also has a VIP feel to it as it is expensive. I do have to agree that overall pricing may prove to be prohibitive.

    On a side note to those like Brian M, people give their biometrics every day without even thinking about it to a massive centralised database (photos on Facebook), to CCTV, fingerprints left on surfaces we touch, leave their DNA in cafés and share passwords / pins with colleagues and family.

    Anyone with any knowledge of security will know you need a layered approach to combat criminal attack, biometrics is a layer in that security.

    No one should claim that it is the silver bullet, but done correctly it can add a strong layer of security with an audit trail you can trust.

    I like the first point in the humanelement post, I have heard people talk for years about extracting someone's biometrics from a chip or lifting it from the glass on a biometric terminal. WAKE UP! If you use your hands to do ANY task you are leaving a full or partial print. It is easier to lift the fingerprint from the surface of the card you have been holding than break into a chip, decrypt a fingerprint template and then re-constitute a fingerprint image.

    It is amazing to see people with no knowledge of the technology claiming parrot fashion perceived weaknesses. Learn about the technology, understand what is currently in use in the real world. Then form your own opinions, then tell people.

  • I already work in a fingerprint recognition environment and find nine times out of ten it doesn't work
