ATMs facing potential cyber threat with biometric skimmers – expert comments
September 2016 by Robert Capps, VP of Business Development at NuData Security
Kaspersky Lab has investigated how cybercriminals could exploit new ATM
authentication technologies planned by banks. While many financial organisations
consider biometric-based solutions to be one of the most promising additions to
current authentication methods, if not a complete replacement for them,
cybercriminals see biometrics as a new opportunity to steal sensitive information.
Commenting on this research, Robert Capps, VP of business development at NuData
Security, said: "We couldn’t agree more with Kaspersky Lab’s comments around the
importance of protecting your physical biometric data from theft and misuse.
Although the security world is desperate for new and improved authentication
techniques, Olga Kochetova is absolutely right that physical biometrics have the
added persistent risk of lifetime vulnerability attached to the method that other
authentication methods simply do not have.
Fingerprints, irises and faces cannot be changed, but can easily be reused in a
non-face-to-face authentication. How better to illustrate this example than a
WikiHow step-by-step guide on how to make fake fingerprints. As Kaspersky correctly
states, facial recognition can be spoofed from social media, and it won’t be long
until retinal skimmers are recording your eyes. If physical biometric authentication
becomes widespread online, the skimming of physical biometric data will become big
business – with far greater impact to consumers.
Physical biometrics has value as a single-touchpoint in a face-to-face transaction
where we can leverage additional authentication tests. However, the persistent risk
to the consumer is enormous compared to the value of the transaction. Would you
trade a lifetime of risk associated with your facial scan or thumbprint to transfer
$50 into your savings account through online banking? It’s this type of risk
evaluation these verification systems are asking customers to make – often without
the consumer being fully aware of what’s at stake. For those that might have the
foresight to try and protect their identity, credit monitoring or identity
protection services just aren’t enough when it comes to physical biometric
The good news is, there is technology that can decipher the difference between
fraudsters and real customers. Banks and FIs using behavioural biometrics stop
fraudsters in their tracks by identifying suspicious activity even before a
transaction, and do it in a way that doesn’t upset customers. As opposed to
physical biometrics, behavioural biometrics can’t be spoofed or mimicked because
it uses hundreds of unconscious behavioural signals amassed over time to build a
risk profile of the user.
Behavioural biometric systems know who is a legitimate user by how they behave, in
contrast to a potential fraudster with the right credentials or stolen biometrics.
So, even if the fraudster has your spoofed fingerprint, facial scan and all of your
account information, banks using behavioural biometrics can determine the real actor
behind the device or fingerprint. In this way behavioural biometrics outshines
physical biometrics and leaves consumers at no greater risk."