ATMs facing potential cyber threat with biometric skimmers – expert comments
September 2016 by Robert Capps, VP of Business Development at NuData Security
Kaspersky Lab has investigated how cybercriminals could exploit new ATM authentication technologies planned by banks. While many financial organisations consider biometric-based solutions to be one of the most promising additions to current authentication methods, if not a complete replacement for them, cybercriminals see biometrics as a new opportunity to steal sensitive information.
Commenting on this research, Robert Capps, VP of business development at NuData Security said "We couldn’t agree more with Kaspersky Lab’s comments around the importance of protecting your physical biometric data from theft and misuse. Although the security world is desperate for new and improved authentication techniques, Olga Kochetova is absolutely right that physical biometrics have the added persistent risk of lifetime vulnerability attached to the method that other authentication methods simply do not have.
Fingerprints, irises and faces cannot be changed, but can easily be reused in a non-face-to-face authentication. How better to illustrate this example than a WikiHow step-by-step guide on how to make fake fingerprints? As Kaspersky correctly states, facial recognition can be spoofed from social media, and it won’t be long until retinal skimmers are recording your eyes. If physical biometric authentication becomes widespread online, the skimming of physical biometric data will become big business – with far greater impact to consumers.
Physical biometrics has value as a single touchpoint in a face-to-face transaction where we can leverage additional authentication tests. However, the persistent risk to the consumer is enormous compared to the value of the transaction. Would you trade a lifetime of risk associated with your facial scan or thumbprint to transfer $50 into your savings account through online banking? It’s this type of risk evaluation these verification systems are asking customers to make – often without the consumer being fully aware of what’s at stake. For those that might have the foresight to try and protect their identity, credit monitoring or identity protection services just aren’t enough when it comes to physical biometric identity theft.
The good news is, there is technology that can decipher the difference between fraudsters and real customers. Banks and FIs using behavioural biometrics stop fraudsters in their tracks by identifying suspicious activity even before a transaction, and do it in a way that doesn’t upset customers. As opposed to physical biometrics, behavioural biometrics can’t be spoofed or mimicked because it uses hundreds of unconscious behavioural signals amassed over time to build a risk profile of the user.
Behavioural biometric systems know who is a legitimate user by how they behave, in contrast to a potential fraudster with the right credentials or stolen biometrics. So, even if the fraudster has your spoofed fingerprint, facial scan and all of your account information, banks using behavioural biometrics can determine the real actor behind the device or fingerprint. In this way behavioural biometrics outshines physical biometrics and leaves consumers at no greater risk."