At this year’s GeekPwn 2019 conference in Shanghai, hackers made an incredible claim: they could unlock any smartphone fingerprint scanner in under half an hour.
The X-Lab team asked members of the audience at the event to touch a glass. The fingerprints left behind were then photographed using a smartphone and passed through an app that the hackers developed. The team did not reveal their precise methodology, but the app is thought to extract the data required to clone a fingerprint, most probably using a 3D printer.
The issue here is two-fold. The most obvious part is that customers are at risk of having their accounts accessed without their knowledge, and that there should be additional layers of authentication on top of a fingerprint alone. The other is that it could cause a huge amount of friction for banking customers, who could be forced to manually change their phone settings to boost security levels, which would be an inconvenience for them.
As mobile banking becomes increasingly prevalent and biometrics feature heavily in its security, there needs to be a way for customers to easily choose another method of authentication if something does go wrong, so they can carry on with their banking activities as normal with minimal impact. In addition, the banks themselves need to be able to turn various means of authentication on and off in case any one of them is compromised, whether that be fingerprints, facial recognition, etc. In these scenarios, they must also have the capability to add an additional layer of authentication to existing Account Takeover Protection services. That way they can begin to offer vastly improved levels of protection and ensure their customers’ digital identities remain safe.
The best way of doing this is by setting up a policy manager, which allows banks to passively manage the security of any apps they offer. As biometrics become standard, fraudsters are quick to adapt to these latest security measures. Therefore, it’s also critical that banks go beyond hard and soft biometrics, as they aren’t a good enough security solution on their own, and combine them with machine learning. When combined with machine learning, we can begin to learn and define user profiles with 99.7% accuracy.
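
One way to model the policy manager described above, as an added example and not code from any bank or vendor. The method names, the fallback order and the list of actions that need a second layer are assumptions made for illustration.

```python
from dataclasses import dataclass, field

BIOMETRIC = {"fingerprint", "face"}                  # assumed method names
PREFERENCE = ["fingerprint", "face", "pin", "otp"]   # assumed fallback order


class NoMethodAvailable(Exception):
    """Raised so the caller denies the request instead of falling open."""


@dataclass
class AuthPolicy:
    # Methods the bank has switched off, e.g. after a spoofing report.
    disabled: set = field(default_factory=set)
    # Assumed list of actions that always need an additional layer.
    step_up_actions: set = field(default_factory=lambda: {"transfer", "add_payee"})

    def set_enabled(self, method, enabled):
        """Bank-side switch: turn one authentication method on or off."""
        if enabled:
            self.disabled.discard(method)
        else:
            self.disabled.add(method)

    def usable(self, enrolled):
        """Methods the customer has enrolled that the bank still accepts."""
        return [m for m in PREFERENCE if m in enrolled and m not in self.disabled]

    def required_factors(self, enrolled, action, preferred=None):
        """Return the ordered list of methods the app must verify for `action`."""
        usable = self.usable(enrolled)
        if not usable:
            raise NoMethodAvailable(action)
        # Honour the customer's choice if it is still allowed, else fall back.
        primary = preferred if preferred in usable else usable[0]
        factors = [primary]
        if action in self.step_up_actions:
            # The additional layer is never a biometric, so a cloned
            # fingerprint alone cannot satisfy a sensitive action.
            extra = [m for m in usable if m != primary and m not in BIOMETRIC]
            if not extra:
                raise NoMethodAvailable(action)
            factors.append(extra[0])
        return factors
```

Because the policy is evaluated on the bank's side, switching a method off takes effect without the customer changing any phone settings.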