[BreachExchange] The rise of biometrics is not as clear cut as may seem

[Audrey McNeil]

http://www.idgconnect.com/abstract/24928/the-rise-biometrics-cut

Advancements in technology and software have introduced new possibilities
in the security and surveillance world over the past few years. Biometric
innovation has, in particular, had a significant impact on cyber security
practices right across the world.

Biometric authentication methods are far from new, but they’ve become more
accessible and affordable in recent times. There are now devices that can
recognise fingerprints, palm veins, faces, DNA, hand geometry, retinas and
even odours for identification and access control purposes.

Tech giants such as Apple and Samsung have long integrated this technology
into their devices, while biometrics are making big waves in contexts like
security, surveillance, border control personal finance and healthcare.
Often, they speed up previously complex and timely security processes,
which is why they’ve become so popular.

But while many have called biometrics ground breaking in the security
space, others have been less positive. Some people have questioned if
they’re safe at all, while others have suggested that they won’t last. So
the question is, are biometrics really the future of security and
surveillance?

 Making waves in finance

Security is of paramount importance in the banking and financial industry.
In the past, customer identification processes have proved tiresome and
confusing, but biometrics are changing things. MasterCard has begun letting
consumers verify their identities through selfies, and banks such as
Barclays and HSBC are planning to offer voice recognition services.

Chris Hill, commercial technology partner at law firm Kemp Little, says
biometrics are gaining significant traction in the financial services
sector. Biometrics save time for consumers, and they’re also handy for
companies. By deploying them, firms can reduce the time spent having to
respond to telephone queries.

“The fingerprint scanner on the iPhone and the fact that a number of mobile
banking apps now make use of this handset feature, is a mark of acceptance
of biometrics tech in financial services. MasterCard allows users to verify
their identities using a selfies,” he says.

“And both Barclays and HSBC plan to increase their use of voice recognition
so as to speed up the security clearing process for telephone banking. As
well as being more convenient for customers, this also reduces the time
taken to deal with telephone queries, and therefore reduces call centre
costs for the bank.”

Despite the benefits, Hill says technology professionals and businesses
should take biometrics with caution. Criminals have proven they’re able to
steal biometric identities to get hold of customer and business information.

“There are several ways that such ‘static’ biometrics can be spoofed. An
imprint of the fingerprint could be stolen, and presented at the point of
authentication in place of the real thing. Alternatively, if a hacker can
change the base document, then the authentication system could be made to
think that another person’s fingerprint is that of the authorised user,” he
warns.

 Enhancing healthcare

Biometrics aren’t just introducing new possibilities in the world of
finance, though. They’re also gaining traction in healthcare. Hospitals and
other health institutions are using them to streamline patient ID, boost
financial performance and improve security.

The biggest benefit of biometrics being used in healthcare contexts is
their impact on patient record keeping. Health organisations have been able
to reduce duplicates, increase patient safety and enhance identity theft
protection. Palm vein scanners have proved to be the most popular form of
biometrics in health contexts.

Mollie Drake, former corporate director of access management at non-profit
integrated health system Scripps Health, says biometrics are helping create
more effective health systems across the world. She also believes that they
can improve trust between caregivers and patients.

“Biometrics improve patient safety, protect against medical identity theft,
enhance patient satisfaction, and improve the hospital’s financial
performance. Beyond these benefits, biometrics can revolutionise healthcare
by enabling interoperability,” she says.

“If healthcare is ever to achieve the goal of a single medical record for
every person, biometrics are the key to establishing patient trust and
allowing the exchange of patient data across disparate systems.”

Convenient security

Passwords have been the preferred security option for decades, but they
have many issues. Not only can they be hacked easily, but it’s also
possible to forget them. There’s a common assumption that biometrics are a
safer and more convenient option. It’s far quicker and easier to unlock a
device or system through a biometric scanner.

Richard Lack, managing director of customer identity platform Gigya, says
passwords and secret answers frustrate the everyday consumer. Biometrics
don’t have these issues. “Currently biometric identification is seen as the
higher standard for verifying identity. Not only is it not prone to
forgetfulness like the password; it is also more secure,” he says.

“Security risk is now a top factor driving consumers’ identity
authentication preferences, with a survey by Gigya finding that 26 per cent
of consumers have had an online account compromised in the past 12 months.

“It has been found that traditional passwords can invite trouble, as
evidenced by the many reported instances of online ID theft. To make
matters worse, 56 per cent of people tell us they use passwords that they
know are not secure, such as those that include their names or birthdates.

“You only need to look at the numerous sellers of password log-books on
Amazon to understand the inevitable paradox: the more secure a password
becomes, the greater the likelihood that it will be written down.”

Biometrics could be a fad

There’s also been a lot of interest in biometrics from governments.
Australia recently outlined a $100 million plan to allow passengers to get
through border controls without the need of human intervention. Biometric
systems will be implemented to identify travellers.

Many people have hailed this as a world first, but others have been less
complimentary. Adrian Sanabria, a senior analyst working on the information
security team at 451 Research, is sceptical about their capability,
identifying risk factors. He also questions their viability overall, citing
concerns around safety and longevity.

“I can't see an automated system replacing humans at a border control. The
argument for having humans in place goes far beyond simply verifying
identification. Trained and experienced border agents can recognise
suspicious behaviour and other indicators of threats that an automated
identification system couldn't hope to replicate,” he tells IDG Connect.

“Biometrics come with a number of challenges that make them unsuitable for
any sort of fully automated system, in my opinion. An allergic reaction or
burns can make fingerprints unreadable. Natural changes over time can
result in unreadable irises. Many people's voices change as they recover
from a bad cold, or the flu. Heck, simply returning from a sporting event
could result in a voice change after a night of shouting.

“If compromised, our biometrics can't be reset or replaced like passwords.
We can't get new irises and fingerprints, and most biometrics don't work
for some percentage of the population. I've heard iris scanning is more
reliable, but is less quick and convenient than fingerprint scanning, which
fails to work for a higher percentage of the population.”

The argument around biometric technology is balanced, it seems. There are
many companies and organisations implementing biometric systems to make
security processes more efficient and easier for consumers, but they also
have complex flaws. Companies will no doubt have to find solutions before
these systems can really evolve.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170313/6c155c81/attachment.html>