Following the news about the Lloyds Banking Group has launched selfie technology to enable Bank of Scotland customers to open a current account seamlessly online. As the ID verification technology is web based customers can use a web browser on their smartphone or tablet to submit images.
Cyber security experts from MIRACL, AlienVault, Lieberman Software, Redscan and ESET commented below.
Brian Spector, CEO at MIRACL:
“The volume of financial fraud has risen dramatically in the past year as hackers have become more sophisticated and are managing to bypass traditional methods of security with alarming ease. A range of tactics which once seemed secure – such as identity verification via text message – are become easier for hackers to exploit.
As the payments market has become more open, with a plethora of third parties now sitting between banks and their customers, it has become paramount to accurately verify the identities of people accessing the data and systems involved. Fortunately, the European payments market is on the cusp of a radical change. Rather than being just a swathe of red tape, the revised Payment Services Directive (PSD2) is a much-needed attempt to prevent our entire banking system from being exploited by hackers.
Real digital security requires the complete elimination of centralised security technology. By distributing trust across multiple locations, the web can continue to grow and expand more securely to meet its needs for the future.”
Javvad Malik, Security Advocate at AlienVault:
“The use of a selfie as an authentication mechanism may seem like something that a millennial cooked up whilst browsing Instagram one night.
However, payments have always been about risk management. Banks have typically been good about walking the line between convenience and security.
From a security viewpoint, financial fraud will never be completely eradicated, and increasing security too much will inconvenience users – so for banks it’s a fool’s errand. Rather, the controls needed should be sufficient to keep fraud within tolerances whilst providing customers with a convenient experience.
This is where selfie pay seems like it is trying to bridge the gap between a fully authenticated method, such as chip and Pin – and an unauthenticated method such as contactless.
The issues that are present are similar to any of the issues that exist with any biometric technology, in that there will be a number of questions users and privacy advocates will be asking. Such as how will the pictures be used; will they be saved? Will the data be shared with advertisers, or other online channels?”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Lloyds’ selfie technology is a good marketing name for all established biometric security. Apple introduced biometrics in the iPhone years ago with the fingerprint reader and Microsoft’s “hello” uses facial recognition, similar to what Mastercard has just rolled out and now Lloyds is doing the same.
Calling it a selfie is genius because it’s skipping right past technology to a concept most users will immediately understand. From a security standpoint, biometrics like selfie pay have many advantages over passwords. Though not impossible, it’s much harder to steal someone’s face than to guess their password. Users can’t forget their face like a password, or use an insecure face because they’re lazy. These biometrics are essentially very complex, unique passwords – the kind of pharos experts have begged users to create for years.”
Robert Page, Lead Penetration Tester at Redscan:
“User passwords are typically the easiest point of attack in computer systems and this is driving increased adoption of biometric authentication systems. These systems, whilst typically more secure, can pose their own set of issues however.
For instance, if biometric information is captured and used by an attacker, it’s not possible for a user to change his or her imprint as they would a password. The effectiveness Lloyds’ new solution is yet to stand the test of time however.”
Mark James, Security Specialist at ESET:
“Biometric security will appeal to the public because it enables and often encompasses their mobile technology. If done correctly it can offer a level of security far above that given by a simple password. It accomplishes two goals; the first is not having to remember your password each time you want to access those services (we encourage unique fairly complicated passwords but also want the user to remember them for daily use). Secondly they also negate the need to enter them onto small mobile devices that may be easily seen by others.
As for risks we need to pair them side by side with the risks of using simple passwords. Anything in my opinion that encourages uniqueness should be embraced, if biometrics encourage or even force users to have a much more secure password as a base then that’s a good thing right?
We are seeing more and more companies embrace different methods to help the end user with their security. Fingerprints and face recognition is easily integrated into our mobile devices that have now become an integrated part of our daily lives. As long as we encourage multi-layered security those could include passwords, passcodes, security questions and answers plus biometrics, all together forming a much more secure environment for the user to access what they want to access on the move, we will definitely see more and more options to integrate forms of biometrics into our mobile digital world.”