Bank regulators urged to address security of biometric data

Andrew Tryie, the chair of the UK government's influential Treasury Select Committee has called on banking industry regulators to develop action plans and policies to protect consumer interests in light of the increasing use of biometric technology to access accounts.

  24 2 comments

Bank regulators urged to address security of biometric data

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

In letters to the Prudential Regulators Authority and the Financial Conduct Authority on the resilience and security of bank IT systems, Tyrie raises concerns about the growing trend for biometric access to customer accounts.

The letter says that the Committee has heard evidence that biometric data can be "relatively easily obtained by fraudsters".

Noting that compromised biometric data cannot be changed by the customer, Tyrie writes: "Banks and regulators will need to plan for what they will do if biometric details are lost and/or illegally obtained by third parties. They will also need to consider how affected customers will be compensated; they may be unable to persuade their banks to release all the technical details needed to pursue their claim in court. Are you concerned about this? if so, what is being done?"

The letter comes to light just days after Kaspersky Lab said it had uncovered evidence that members of the criminal undergound are offering to sell ATM skimming devices capable of stealing victims’ fingerprints. Several other underground crooks are also researching devices that could illegally obtain data from palm vein and iris recognition systems, says the firm.

Thieves are also discussing how to fool facial recognition biometrics, looking into the development of mobile applications based on placing masks over human faces and imposing photos taken from social media.

Olga Kochetova, security expert, Kaspersky Lab, says: "The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image.

"Thus, if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way."

In September last year, the US Office of Personnel Management warned that hackers who breached its systems over the summer made off with the fingerprint records of 5.6 million individuals, raising questions over the security of biometrically-protected identities.

Sponsored [Webinar] Operational Resilience in the age of DORA

Comments: (2)

A Finextra member 

You can change your finger-print a few times - nine times in most cases.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

For a frictionless login process, many fingerprint scanners encourage enrolment of *all* fingers at one time e.g. iPhone, Lenovo ThinkPad laptop. And many users, including me, accept the suggestion to do so in order that we can swipe any finger without having to remember which finger we enrolled on which reader. If fingerprint creds are stolen - creepiness alert! - another hand is the only choice for many people.

New Event Report – Natural Capital FinanceFinextra PromotedNew Event Report – Natural Capital Finance