In a headline-grabbing move, Barclays bank has launched a finger-scanner for its customers to use when identifying themselves on-line. It’s not an easy-to-fool fingerprint scanner; this one examines the veins in the user’s finger to determine a match.
Like most biometric identity verification methods, I think this is anything more than a gimmick – at least as it’s being reported (encouraged by Barclays) as some kind of future for consumer banking. They’re actually launching it for corporate users, where it probably does have a niche.
The problem with biometric identification is that it’s just as susceptible attack as a password, but a lot more expensive. In fact, if someone uses a secure password, fooling biometrics is often quite easy in comparison.
Imagine how it works: The scanner examines the finger and passes metrics to the bank – just like a password. Because fingers are squishy and organic, the metrics will vary each time so the bank’s computer is only looking for a “close enough” match. Passwords have to be spot on.
So how can a vein scanner be fooled? Well, I’m sure they’re encrypting the data end-to-end to make a replay attack difficult (sending the same scan data twice). At least I hope they are! But at some point the data is unencrypted – it’s coming from analogue sensors looking at the finger. Hack the sensor and you’re away.
Barclays may have done something very cleaver, and I will watch to see if this is true with interest, but however it works, I can’t see it being any more secure.
So why bother? Simple – it’s more convenient. If you’ve got a load computers in a corporation with different employees wandering around making bank transfers, you really want to know who’s doing what. Passwords in the public are one thing, but within an organisation, they get passed around. Usually the employees do this willingly, but someone with crooked intent can find they by other methods.
You can use smart-cards to identify employees, but these can be “borrowed” too. Using a finger makes sense. Vein scanners don’t work on dead fingers, so you an be fairly confident that the user is who you think it is. Weighed against the cost and reduction in total security, it’s probably a good thing.
As an ID form for the public, I think not! A corporate environment is controlled; it’s not the Internet. I would hope that companies can avoid having thousands of criminals trying to defraud them 24/7 working on the inside, but that’s exactly what you have on the wider Net.
(more to come)