Partnership announcement between Electric Miles and Razorthorn

We’re delighted to announce that we have teamed up with Electric Miles, a B2B SaaS company providing EV charging software to charger manufacturers, to offer a combined service for Electric Vehicle (EV) charger manufacturers and resellers to ensure compliance with the upcoming December 2022 cyber security regulations.

EV chargers are vulnerable to cyber and physical security threats just like any connected device and these risks have the potential to threaten the stability of the grid, the charger and the user’s personal data.

To ensure regulations compliance we offer:

  • Physical Security Assessments of the EV charging points
  • Assessment of logical interfaces presented by the EV charging point
  • Assessment of WiFi and mobile network security posture
  • Hardware Security Assessment including local storage and firmware

Arun Anand, Founder & CEO of Electric Miles, stated that ‘EV charging is going through a mass transformation, and the UK Government has intervened at the right point in the market evolution to ensure that consumer data is safe and the chargers, which are often outside people’s homes, are tamperproof. We’re proud that Electric Miles have been involved in every industry consultation feeding into the regulations to make them more manufacturer friendly as well as focused on consumers. The partnership with Razorthorn will ensure that we utilise their strength in cyber security and our core expertise in EVs to make a strong force to reckon with as we serve manufacturers with their compliance testing.’

James Rees, Managing Director of Razorthorn, said, ‘We are delighted to partner with Electric Miles. As with many other IoT devices, it was only a matter of time before EV charging points would be required to comply with the European security standard. Razorthorn has been providing security assessments and remediation consulting since 2007 and is pleased to be able to offer our expertise to Electric Miles and ensure their clients comply with the standard before the deadline later this year.’

These regulations come into force from December 2022. Please reach out to us now on in order to guarantee compliance ahead of the deadline.

Spotlight on Technology – Identity Management

Welcome to another edition of Spotlight on Technology! In this episode, we’re joined by Tim Keeler, Founder and CEO of Remediant, to discuss using identity management and privileged access management as part of your defence in depth strategy.

Stolen account credentials are one of the most common attack vectors for malicious actors. If a hacker uses the credentials of a user with privileged access, it could be game over for that company within a matter of minutes.

Tim tells us how protecting organisations can begin with something as simple as removing 24/7 access for accounts with administrative credentials. The risk of compromise has risen significantly since the ‘working from home’ movement – how many companies are actually set up to manage accounts with privileged access in a secure way, remotely or otherwise? Tim and James discuss new security considerations for the move to cloud technologies and VPNs.

Tim discusses the attack trends he’s been seeing, including the increased risk of a ransomware attack and attacks on service providers. He tells us how Remediant clients were able to deal with the SolarWinds attack in 2020 and how a privileged access management tool can contain an attack and stop the fire spreading.

James and Tim cover FAQs and advice for reducing the risk of attack with a PAM tool, and how to get an attack under control if it is already in progress.

Topics include:

• How to identify a malicious attacker vs a genuine user
• User behaviour that should set off alarm bells
• The need for visibility of all accounts with privileged access
• Zero standing privilege
• Are service providers taking the initiative and stepping up their cyber security?
• The concept ‘Never trust, always verify’
• Whether Multi Factor Authentication (MFA) negates the need for Privileged Access Management (PAM)
• A look into the defence in depth concept
• Preventing and controlling the spread of a cyber attack

Remediant is a leading precision privileged access management software provider that stops lateral movement and credential attacks, removing 24×7 admin rights. Do you know who has access to your endpoints and servers, when, and for how long? Remediant does.

If you want to find out more or book a free consultation with us, contact us on or call 0800 772 0625.

Spotlight on Technology – Governance, Risk & Compliance (GRC)

Today we are talking all things GRC with Megan Brown at LogicGate, including why it’s essential to have a robust GRC tool in a modern security stack. GRC is extremely useful for compliance framework management and maintaining compliance – it can be used effectively to supply a historical database of known risks, issues and security measures that can be used to continuously improve security intelligence. Join Megan and Razorthorn MD James Rees to find out how a good GRC tool can save you both time and money, while efficiently improving your security and compliance.

How to Secure Your Supply Chain

We’ve talked about supply chain security before, but it’s a trend that doesn’t appear to be going away – indeed, the number of attacks on service providers only seems to be increasing. Outsourcing is always a strategic risk for any business, but knowing that these attacks are getting more prevalent, what do you need to be doing to make sure your supply chain is secure? We talk about what needs considering to ensure your data isn’t compromised by third party security issues. (Start at 7 mins 33 secs to skip to the ‘how to’.)

What do you think? We’d like to know. Leave a comment on YouTube or drop us a line. And don’t forget to subscribe to our YouTube channel!

The Dangers of Open Source and Software Supply Chain Attacks

Supply chain attacks tripled in 2021, meaning a secure software development lifecycle is more important than ever. Do you know what open source software (OSS) components are in use within your organisation? Or how to find out?

Securing your software development lifecycle

Digital innovation is key to the success of businesses across all sectors. Mounting competitive pressures and continuously evolving customer behaviour mean that organisations are expected to adapt more rapidly than they ever have before. This need for flexibility, change and faster innovation, coupled with the complexity of today’s applications, demands efficient reuse of code and, to this end, companies are utilising large volumes of open source libraries.

In order to keep up with the pace of transformation, dependence on both third party and OSS libraries is now an integral part of the development process when writing code. Why try and reinvent the wheel every time? Effective use of open source libraries can be an efficient tool in this age of ever evolving digital solutions in a competitive market place.

OSS components make up 90% of modern applications. When such a large proportion of the fundamental building blocks of code are taken from open source libraries and then amalgamated inside complex system designs, it is easy to see that the chances of losing track of where each of those individual blocks came from are high. But what are the risks that come with this?

Visibility is paramount when defending an organisation against security and legal risks, and this visibility includes the origins of the components in our applications. Take one of the applications that your business uses on an everyday basis: do you know what OSS components are in use? Do you know in which part of the code they reside? Can you name the licenses associated with those components? I’m going to hedge my bets that the answer is probably “no” to at least one of those questions. This means that if a new vulnerability were announced and listed in the National Vulnerability Database, and applications using that package were now open to exploitation, you would have no idea whether any of the thousands of applications in use in your business were running vulnerable versions.

Businesses need to have verifiable insight into their software and the third party software that is in use within their organisations.

Software Supply Chain Attacks

As organisations continuously improve their overall cyber security posture, hackers are circumventing traditional security defences and looking for the path of least resistance and of maximum reward. Software supply chains are rapidly becoming the hacker’s attack of choice. Sonatype’s seventh annual “State of the Software Supply Chain” report concludes that in 2021 the world witnessed a 650% increase in software supply chain attacks. These attacks can be relatively simple, such as corrupting a vendor’s patch site to contain malware, or far more complex, such as a malicious actor infiltrating a software company’s codebase to insert malware before the code is compiled and released. In the media we have seen an ongoing series of attacks on the supply chain – Dependency Confusion, Kingslayer, ASUS and SolarWinds to name a few.

The current state of practice in the software supply chain security lacks systematic integrity. A comprehensive framework that covers the design, build and delivery process is very much needed and should be implemented by the software development community and the information technology ecosystem, to reduce the risk of compromise, exploitation, exfiltration, or sabotage from software supply chain attacks.

Software Bill of Materials

As someone who suffers from a severe nut allergy, it would be completely irresponsible of me to eat a cake without knowing every ingredient that went in to making it. The benefits of eating the cake without reading the ingredients, getting to enjoy all that sugary goodness immediately rather than having to waste time checking the ingredients, is outweighed by the risk that comes with taking that shortcut, i.e. anaphylaxis. Suddenly, not taking time to research the ingredients just doesn’t seem worth it, right? This is the exact same attitude that businesses need to take regarding the components they use in their applications. It is irresponsible to use multiple OSS components in multiple systems without knowing everything about each one, doing so leaves your organisation and your customers at risk.

So, what can we do to overcome this? The benefits of using OSS and third party software are tangible and numerous, but we must negate the risk that comes hand in hand with this.

No silver bullet ever exists, we know this, but a good first step in this instance is a standardised Software Bill of Materials (SBOM). This is effectively a nested inventory of software components that describes which components have known security vulnerabilities and architectural or license risks. It enables businesses to make quick decisions, identify exposure and to take appropriate steps in response to any new vulnerabilities that arise. Knowing what open source and third party components have been used in and are flowing through your software supply chains is the first crucial step in mitigating the potential risks.

In response to the increasing number of application breaches that are occurring, standards bodies and governments are beginning to place a greater importance on SBOMs. They are also introducing laws, bills, guides and requirements to assist and hold development organisations accountable for the quality and security of the code they assemble and build.

In April 2020, the National Institute of Standards and Technology (NIST) released new standards for improving software security, and in April 2021 it released a paper, “Defending Against Software Supply Chain Attacks”, which looks to be the formalisation of a software supply chain standard starting to take shape. Similarly, in January 2019, new PCI secure development standards advised organisations to generate an SBOM to track and trace the location of every single component of their software. The UK’s National Cyber Security Centre has recognised that software development practices are becoming increasingly automated and reliant on open source and third party components and, in an effort to help development teams evaluate their OSS components and reduce security risk, provided eight useful questions that organisations should consider in its recent guidance Produce clean & maintainable code – NCSC.GOV.UK.

Furthermore, Gartner states that by 2024 the provision of a detailed, regularly updated software bill of materials by software vendors will be a non-negotiable requirement for at least half of enterprise software buyers. From a security perspective, it is vital to have an inventory of every component used in your software, so that as a business you can act quickly to identify whether any of the applications are vulnerable to known hacks or come from dubious sources, in order to stay ahead of adversaries and competitors. Any time a vulnerability in an OSS component is announced, two questions need to be answerable rapidly: Did we ever use the vulnerable version(s) of the open source component? If so, in what applications do they reside?

OSS licences – what are the legal risks?

An OSS License allows the software to be freely used, modified and shared; it grants others permission to modify, use and distribute software under certain conditions. The OSS license is there to protect the software and allows the code to remain open sourced.

OSS components come with different licenses and a different set of terms, and if you are operating without a license or in breach of the terms of a license, you could be putting your organisation in jeopardy. You should always be aware of the terms of each individual licence. For example, some of the licences state that ‘If you use this open source and distribute it, you have to make the software publicly available’ or words to that effect. What does that mean for your company? Potentially, your company patents and trade secrets should now all be publicly available.

When we think about the sheer number of components in a software supply chain and, consequently, the number of accompanying licences, it is easy to see how issues can quickly arise if an organisation does not have insight into the types of licenses in use and the legal requirements associated with each of them.

Types of Licences

There are two main categories of licenses: Permissive or Liberal and Copyleft.

Permissive or Liberal licences essentially allow you to alter the code however you like, but you are using it at your own risk – there is no warranty – and you need to acknowledge the author(s). Examples of this type of license include MIT and Apache 2 licences.

On the other hand, Copyleft licenses have added requirements. These additional requirements include terms such as: if you distribute the binaries, you must make the source available; also, the source and any derivative must be under the same copyleft terms. Examples of these types of licenses are the Mozilla Public License (MPL), Affero GPL (AGPL), GPL and Lesser GPL (LGPL).
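As an added example, not code from the article or from Razorthorn, the Python script below does what the SBOM section asks for: given one SBOM per application it answers the two questions (did we ever use the vulnerable version, and in which applications?) and then sorts every component’s licence into the permissive and copyleft categories just described. All application names, component names, versions and the advisory are constructed; the JSON shape loosely follows CycloneDX but carries only the fields the script reads.

```python
import json
from dataclasses import dataclass

# Constructed SBOM documents for two hypothetical applications, in a minimal
# CycloneDX-style JSON shape (only the fields this example needs).
SBOM_DOCS = {
    "billing-portal": """{
      "components": [
        {"name": "acme-json-parser", "version": "1.4.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "fastcrypto",       "version": "3.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "pdfkit-ng",        "version": "0.9.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]}
      ]
    }""",
    "hr-intranet": """{
      "components": [
        {"name": "acme-json-parser", "version": "1.6.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "charting-lib",     "version": "2.2.0",
         "licenses": [{"license": {"id": "LGPL-2.1-only"}}]}
      ]
    }""",
}

# Constructed advisory: acme-json-parser versions >= 1.0.0 and < 1.5.0 are affected.
EXAMPLE_ADVISORY = {"component": "acme-json-parser",
                    "introduced": "1.0.0", "fixed": "1.5.0"}

# Licence categories as the article describes them, keyed by SPDX identifier.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}
COPYLEFT = {"MPL-2.0", "AGPL-3.0-only", "GPL-2.0-only", "GPL-3.0-only",
            "LGPL-2.1-only", "LGPL-3.0-only"}


@dataclass(frozen=True)
class Component:
    app: str
    name: str
    version: str
    licence: str


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings
    (string comparison would wrongly rank '1.10.0' below '1.9.9')."""
    return tuple(int(part) for part in text.split("."))


def load_inventory(sbom_docs):
    """Flatten one SBOM per application into a single list of Component records."""
    inventory = []
    for app, doc in sbom_docs.items():
        for entry in json.loads(doc)["components"]:
            licences = entry.get("licenses") or []
            licence = licences[0]["license"].get("id", "UNKNOWN") if licences else "UNKNOWN"
            inventory.append(Component(app, entry["name"], entry["version"], licence))
    return inventory


def find_vulnerable(inventory, advisory):
    """Answer the two questions: do we use the vulnerable versions, and in which apps?
    Returns sorted (app, version) pairs for every affected copy of the component."""
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    return sorted((c.app, c.version) for c in inventory
                  if c.name == advisory["component"]
                  and lo <= parse_version(c.version) < hi)


def licence_category(spdx_id):
    """Classify a licence as the article does; anything unrecognised needs a human look."""
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id in COPYLEFT:
        return "copyleft"
    return "unknown"


def licence_report(inventory):
    """List every component whose licence needs legal review (copyleft or unknown)."""
    return sorted((c.app, c.name, c.licence, licence_category(c.licence))
                  for c in inventory if licence_category(c.licence) != "permissive")


if __name__ == "__main__":
    inv = load_inventory(SBOM_DOCS)
    for app, ver in find_vulnerable(inv, EXAMPLE_ADVISORY):
        print(f"VULNERABLE: {app} ships {EXAMPLE_ADVISORY['component']} {ver}")
    for app, name, lic, cat in licence_report(inv):
        print(f"LICENCE REVIEW: {app}/{name} is {lic} ({cat})")
```

With the constructed data, only billing-portal ships the affected 1.4.2 (hr-intranet is already on the fixed 1.6.0), and the AGPL and LGPL components are the ones flagged for licence review.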

Learning from Past Experiences

Many well known organisations have fallen into the trap of licence misuse and have subsequently found themselves subject to legal action. Below are just a couple of examples of organisations that know all too well the consequences of violating open source licenses:

Both of these used the GPL code mentioned above. Versata and Samsung both lost their court cases and were forced to release their code to the general public.

Handling an organisation’s open source security and dependencies can be a taxing and onerous job; staying compliant with OSS licenses, managing open source CVEs and keeping track of what dependency version is in use is time consuming. Often organisations leave security teams to manually manage the risk of vulnerable OSS code, or worse, sweep it under the rug with the classic ‘we don’t use open source so we don’t have a problem’…

Do not be one of those organisations!

Don’t risk eating the cake without checking the ingredients. Make sure that you are aware of every OSS component that has been used in your applications and whereabouts they reside. Be informed and knowledgeable about the licenses and their accompanying terms. It might take a little longer in the first instance, but then you can sit back, relax and enjoy your cake without risking putting you and your business into anaphylactic shock.

6 Steps to Securing your Software Development Lifecycle

I will leave you with 6 steps for securing your software development lifecycle which can be used as a checklist to perform due diligence on third party software development companies:

  1. Secure code development training – creating security champions in the development teams is an excellent investment.
  2. Give developers the tools they need to find and fix vulnerabilities earlier on in the software development lifecycle (SDLC). Security testing tools like SAST and SCA, when integrated into the SDLC, do not hinder creativity and speed but do allow vulnerabilities, both open source and from other sources, to be found and fixed quickly. This saves you time and money in the long run.
  3. Secure access for developers – choose a privileged access management solution that enables a frictionless experience. Organisations have more privileged users (e.g. engineers, DevOps or SREs) than ever before, many operating with elevated privileges over a remote connection.
  4. Have an open source software legal partner lined up that can advise you of your OSS legal obligations.
  5. Ensure that all applications have an SBOM.
  6. Implement penetration testing: enlist an experienced, qualified penetration testing company to perform an in depth assessment prior to release of any application, as well as at least once a year and after any significant changes.

Sources list –

Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)

Produce clean & maintainable code – NCSC.GOV.UK

Hygiene for Open Source Software Is Now a PCI Requirement

SON_SSSC-Report-2020_final_aug11.pdf

Deliver Uncompromised: Securing Critical Software Supply Chains

Could You Outsmart a Phishing Scam?

We’ve all had it happen. You receive an email telling you that you’ve won a prize draw you never entered or a foreign prince wants to transfer you a huge sum of money and needs your bank details. These obvious scams can be spotted from a mile away and are what we tend to think of when we think of phishing, but it’s not always that apparent.

Over the years, phishing scams have become harder to detect and many have fallen victim as a result. Research[1] has found that one in every 3,722 emails in the UK is a phishing attempt, and nearly 55% of the UK’s total email traffic is spam. In fact, around half of cyber attacks in the UK involve phishing, which is roughly 20% higher than the global average. In the Government’s 2021 Cyber Security Breaches Survey[2], this number was much higher with businesses who had experienced cyber attacks reporting that 83% of these attempts were phishing attempts.

If phishing has been around as long as we’ve had email, how is it that these stats are so high? How do we keep falling victim? Surely we should know better by now? The truth is, these scams aren’t always as easy to spot as we might assume and as we’ve wised up to these attempts, those behind the attacks have gotten smarter as well. Could you really outsmart a phishing scam if faced with one?

Top Trends in Phishing Scams

While you may be able to discern that an email containing a plea for help from a cash-strapped foreign diplomat is a scam, today’s phishing scams are becoming so complex they are often indiscernible. If you received an email from your manager asking you for information or assigning you a task, would you question it or just do as you’re told? If a retailer like Amazon sent you a message saying there was a problem with your payment method, would you click the link and update your details to ensure your Prime membership continued without a hitch? Or if a vendor you regularly work with sent a message to say your organisation had an outstanding balance, would you apologise for the oversight and sort out payment immediately?

Today’s phishing schemes may not be elaborate, but they are often effective because they so closely mimic the types of correspondence we tend to never think twice about. Attackers have begun targeting their attacks more effectively by disguising them as facets of our everyday lives. That is what makes them so much harder to spot than the scams we’ve come to know, and why so many individuals and organisations fall victim to phishing each year.

Even if you think you’d be able to outsmart an attack, you can never be too careful. These are some of the top trends with phishing scams to be aware of:

  • Business email compromise (BEC) attacks: In these scams, the attacker creates a domain similar to the company they’re targeting or spoofs their email address in order to con users into releasing information or taking some sort of action. Basic versions of these attacks that have been popular in recent years involve the attacker posing as someone in a managerial position and instructing an employee to purchase gift cards for a charitable endeavour or event. In more complex versions, BEC attackers may use the actual inbox of the person they’ve compromised rather than impersonating them, or they may pretend to be associated with a third-party contract that requires payment. Regardless of the form they take, these types of attacks are some of the most common enterprise cyber security threats.
  • ‘Whaling’: Often, BEC attacks are facilitated by a phishing practice called whaling. These attacks specifically target high-level executives in the business to gain access to their credentials. Rather than being a request from someone else in the organisation, often the content of these scam emails will be written as a legal subpoena, customer complaint, or other issue that would be of high importance to a senior executive. This may provide the financial information the attacker is after, give access to the login details needed for a BEC scheme, or create the opportunity for a ransomware attack.
  • Payment scams: Beyond impersonating individuals within the organisation, it is becoming increasingly common for attackers to pose as the business’s vendors, which makes it easy to operate a payment-focused scam. In an invoicing phishing scam, the attacker sends an email stating that you have an outstanding balance with a known vendor or company. In similar payment scams on an individual level, the attacker may pose as a retailer you often shop with and notify you that there was a problem with your purchase. In both scenarios, the attacker will provide a link for you to remedy the situation all whilst capturing your details.
  • Spear phishing: While payment scams do require some knowledge of the business’s vendors or the individual’s shopping habits, phishing schemes can get even more personal. Spear phishing uses highly customised content to lure the target of the attack to interact. This intricate form of phishing typically requires the attacker to do a fair amount of reconnaissance work, usually by surveying social media and other information sources related to their intended target. The result is a message that seems far too credible to possibly be false, with a phishing link or malware-infected attachment included.
  • Current events-focused scams: Attackers will often take advantage of the news cycle to shape their scams. For example, Ofcom received reports of numerous scams related to coronavirus throughout the pandemic. These included calls and texts claiming to be from the Government, the recipient’s GP, the NHS, or the World Health Organisation (WHO) that usually claimed to have test results, vaccine sign up information, or even cures for the virus. Mere days after the Omicron variant began making the news in early December 2021, consumer watchdog Which? reported a scam involving messages doctored to look as though they came from the NHS offering free PCR tests for the variant. But it’s not just the news that scammers act on. It is not uncommon for phishing scams to use current pop culture trends to their advantage. For example, when Netflix’s Squid Game was released and trending, several phishing scams emerged offering targets the chance to play an online version of the series’ titular competition. While this type of scam may not work on everyone, it would certainly appeal to fans.

What to Do

Phishing scams have certainly become more realistic, but there are some very simple steps you can take to avoid them. These practices may seem a bit like common sense, but lack of attention to detail is exactly what these attackers prey on. Becoming a bit more tuned in can go a long way for protecting yourself and your organisation.

For starters, if you receive an email that claims to be from someone you know, work with, or have access to normally, it is always worth confirming that they were the true sender if they have asked you for information or to complete a task that seems a bit odd. It is also worth checking the email address of the sender when you receive emails. We tend to take the sender’s displayed name at face value without looking at the actual email address the message came from, thus letting these scams slip through the cracks. You would be surprised how many of these attackers spoof their sender name without doing anything to the email address itself.

You would also be surprised how many attackers make other simple mistakes that undermine the believability of their schemes. An email from Amazon, the NHS, or any other major organisation would never contain a typo or grammatical error, so it’s safe to assume that any mistakes like this are a red flag.

Of course, having the right security infrastructure can help make it harder for attackers to gain access. You need to have the right software in place if an attack should slip through your first line of defence. This is where Razorthorn can help. We offer various services to help build and protect your infrastructure including phishing education for staff, phishing solutions and managed phishing services. Get in touch to learn more.

Is Cryptocurrency Still the Future of Payments?

Since the introduction of Bitcoin in 2009, and as a result of the global recession during that period, cryptocurrencies have been a much-discussed topic across technology, finance, and even global policy. The news is dominated by stories of their impact on our lives and businesses.

One of the most recent crypto controversies stems from China’s central bank, the People’s Bank of China (PBoC), with the publication of a memo that criminalises practically all cryptocurrency activity out of concerns about fraud, money laundering, and the facilitation of other criminal activities. This made huge waves, given that China is the highest contributor to the global GDP and the leader of the worldwide tech race. The ban came as a harsh blow, sending share prices plummeting and raising questions about the longevity of this currency form. If China, which has long been an early adopter of technological innovations, does not trust crypto, should we?

At the other end of the spectrum, we have nations and companies who are embracing these payments and building them into the future of their operations. In September 2021, El Salvador officially made bitcoin a legal tender in the country. Ukraine, Cuba and Panama are some of the most recent countries to announce their intention to introduce legislation to legalise crypto and encourage its use for payments. PayPal, one of the world’s biggest and most widely accepted payment platforms, now allows its UK users to buy, sell, and hold cryptocurrencies via the platform. If you are out shopping, dining, or travelling, then you may be able to pay using these digital currencies. Microsoft, Pavilion Hotels & Resorts, AXA Insurance, Starbucks, Tesla, Amazon, Visa, LOT Polish Airlines, Expedia, and Lush are among some of the biggest brands to allow their customers to use crypto as a form of payment in certain geographies.

It appears we are getting two very different sides of the story as one financial and technological juggernaut derides cryptocurrencies, while numerous others seem to be racing towards it. But will China’s decision shake the faith of other major players, as well as the everyday consumer? Was it all just a fad?

Is Crypto ‘Dead’?

The short answer is absolutely not, and to understand why that is, we need to think about the bigger picture. Despite the fact that cryptocurrencies emerged over a decade ago, we are still in the early adoption phase. People tend to not trust what they do not yet understand, and we have seen that with just about every technological innovation in history. That is why we have an innovation curve to begin with. There are always innovators and early adopters who make the first move, but they usually make up a small portion of the population. Meanwhile, everyone else falls somewhere between a lack of awareness and deep scepticism. Even the introduction of the world wide web – or internet – witnessed this curve. It was officially ‘invented’ in 1986, made available to the public in 1991, and took several years to gradually grow in popularity. Fast forward to today, and we cannot imagine our lives without it. Considering this in relation to cryptocurrency, we are right on pace.

Is Crypto Safe?

The reason China cited for its ban was that cryptocurrencies facilitate criminal activities such as money laundering or fraud. For many naysayers, this ban comes as vindication of the popular critique that crypto is ‘only for hackers, crackers, and criminals’. For others, this ban has called into question whether or not crypto is safe.

The unique appeal of cryptocurrencies is that they are backed by blockchain technologies that operate via cryptography. This system is considered to be inherently more secure than other forms of encryption used in standard online banking, digital wallets, and other peer-to-peer payment services. These platforms are so secure that many have reported losing their passwords and never being able to get back into their digital wallet, unlike online banking which allows you to reset with a simple email or phone call. Cryptography adds an extra layer of protection by making these virtual currencies nearly impossible to counterfeit or double spend.

Therefore, whether or not crypto is ‘safe’ depends on your definition of the term. The better word to describe these transactions is ‘secure’, for two main reasons. The first is the volatility of the crypto market itself. Much like the stock market, the value of cryptocurrency tends to fluctuate. Your bitcoin investment may be worth thousands one week and markedly less the next. We saw this in action after China’s announcement, with the value of bitcoin dropping much like a company’s stock would after a publicised scandal, for example. While many forms of crypto are valued much higher than your average stock would be, they are by no means a ‘safe’ investment due to their volatility. Traditional currency also fluctuates in value day-to-day thanks to inflation or deflation, but this is not nearly as extreme. The difference is usually pennies, if that. You are very unlikely to make or lose a vast amount of money overnight. For many, that risk is off-putting.

While the blockchain technology that powers crypto transactions does help to make these payments more secure, that does nothing to defend against nefarious intentions. Because it is still early days, there is insufficient regulation of these payments. Depending on who you talk to, this is either a blessing or a curse. On one hand, crypto payments can be processed faster and with less fees. That is one of the biggest draws for both businesses and individuals. On the other hand, the somewhat ‘Wild West’ nature of the crypto space has made it appealing for cyber criminals. The secure nature of these transactions makes them harder to trace, which is a double-edged sword in some ways. It is a draw for using these transactions, but also does make it easier to misuse this power.

However, it is fair to say that just as with traditional currency, those use cases can be considered the extreme. With traditional currency, we still see instances of fraud, money laundering, and counterfeiting, but only a small percentage of the population is using it this way while the rest of us are making purchases, paying bills, dining out, and so on. Just because some form of nefarious activity is possible doesn’t mean that it will be the default. The majority of us will use crypto without ill intentions.

Many countries are already taking steps to introduce legislation and appoint regulatory bodies at a national level. The UK has assigned the FCA to oversee it, and recent news from the US hints that the Biden administration will be ramping up their regulatory scrutiny in the coming months. We can also expect to see independent organisations begin to form dedicated to creating governance and ethical standards, as well as some related to crypto’s use in specific industries.

With all that in mind, China’s ban is not as earth-shattering as it may seem. As the technology matures and develops, we may even see it overturned. Crypto is therefore not dead, provides a secure option for your virtual transactions, and still has a promising future ahead. But right now, the key is to cut through the noise and trust in the benefits that crypto can bring. Volatility is a regular feature of innovation. Innovations that break the status quo and challenge what we know today tend to ruffle some feathers. That is how you know that something great is on the horizon.

Biometrics in the Banking Industry

by David Smith, guest blogger for Razorthorn Security

Biometric technology, such as fingerprint sensors and voice recognition, has become widely popular in recent years with the boom in mobile applications. Organizations are now trying to make use of this technology and implement it in a wide range of areas. For the banking industry in particular, biometrics can play a vital role in fraud prevention.

With the prevalence of phone and digital banking, banks require innovative ways to authenticate their customers’ identity. Moreover, though customers want their information to remain secure, they don’t like being scrutinized through an excessive authentication process for a simple transaction. Yet it’s imperative for banks to verify their customers before they are given permission to access an account over a website, phone, or mobile application.

Conventional passwords and PIN codes have not always proven successful at achieving security. Not only do customers forget them frequently, but hackers also gather them through techniques such as phishing or social engineering. Thus, banks and account holders face losses worth millions every year as a result of identity theft.

When we talk about biometrics in the banking industry, it simply brings together security and convenience. Biometric technology depends on a single action instead of other multi-factor authentication methods. For instance, in phone banking, a customer can simply be authenticated on the basis of voice recognition instead of a sequence of security questions and password retrievals.

Unlike paper documents that can be forged, or passwords that can be cracked, an individual’s characteristics are unique. With voice verification software becoming more sophisticated, an industry like banking that prioritizes security can considerably benefit. Tools nowadays not only identify spoken words, but also the tone and pitch of voice.

For cash transactions, biometric technology replaces the need to enter a traditional PIN code with identity verification such as facial recognition, fingerprints or iris scanning. This removes the concern of someone stealing your debit card and using it to take money out of your account. With a biometric-enabled card procedure, customers are required to verify their identity before they can withdraw the money.

Benefits of Biometrics in Banking

To achieve the highest level of security, banks are now transitioning towards biometric technology. It offers numerous advantages to financial institutions as well as consumers, such as:

  • no multi-factor authentication needed
  • no PINs and passwords needed
  • low operational costs
  • inability of hackers to exploit information attained through a data breach

The last point is of utmost significance. This means that even if cyber criminals succeed in getting your credentials, they cannot use the information to their advantage. Customers also don’t have to recall multiple passwords and can authenticate themselves with only one biometric authenticator.

Types of Biometrics in the Banking Industry

Biometric technology uses measurable and distinctive human traits to identify an individual uniquely. Here, we will have a look at some of the common biometric identifiers in the banking sector.

Fingerprints

Fingerprint scanning is one of the most widely used authentication methods in branch banking and mobile banking. Though its usage has declined in the past year as a result of pandemic-related consequences, it is still effective for authentication in mobile apps.

Palm or Finger Veins

This identifies the unique pattern of veins in an individual’s palm or fingers. Since it requires larger equipment, its use is restricted to ATM or branch banking rather than mobile use.

Voice Recognition

Voice recognition is a key biometric in phone banking. It recognizes the unique audio characteristics of an individual. Integrated with artificial intelligence, voice recognition improves as it captures voice prints through regular conversations. It does not require any special equipment, passwords, or location.

Face Recognition

Face recognition deploys 3D sensors and computer algorithms to identify a face by measuring the shape, position and size of the eyes, nose, jaw, cheeks, and more. Face recognition is gaining popularity, but the technology behind it varies between vendors. For instance, the iPhone X uses Apple’s Face ID for logging into certain mobile apps. Face biometrics can fail in certain situations, such as poor lighting, glasses, or facial surgery.

Iris Scan

Iris or retina scanning is a live detection technology that scans the complex line patterns and colors in the iris. The technology can be installed at ATMs and on mobile phones.

Behavioral Biometrics

This is a relatively new area which requires machine learning and big data to analyze a mix of an individual’s behavioral patterns and create a unique profile for them. These patterns include anything from how a person uses their mouse to how keystrokes are made on the keypad. The profile also includes location and IP addresses.

Handling Biometrics Data: Avoiding Potential Limitations

Biometric data is personal to every individual’s identity. When we talk about security, there is absolutely no room for error in keeping the data secure and protecting it from being compromised. Passwords and PINs can be changed, but your personal characteristics cannot.

Another important aspect to consider is false negatives. If a system fails to recognize a genuine biometric, which the customer has no power to change, it will result in mistrust of the technology and lead to disgruntled customers. Hence, once a bank’s system relies completely on biometrics, it must be sophisticated enough to correctly recognize an identifier every time.

Similarly, false positives are also a possibility. This can be mitigated by including a “liveness” factor. It’s better if the system sees your face through a live camera or authenticates your voice with different sentences instead of scripted lines.
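The false negatives and false positives described in the two paragraphs above are two ends of one dial: the match-score threshold the bank picks. The following added example (not code from the original post or from any vendor) uses constructed match scores to show how raising the threshold lowers false accepts while raising false rejects, where the equal error rate sits, and how a liveness check gates acceptance independently of the score.

```python
"""Threshold trade-off for a biometric matcher (added example).

All scores below are constructed samples in [0, 1] (higher = closer to the
enrolled template); they are not data from any real biometric system.
"""

# Constructed similarity scores: genuine = the real customer, impostor = someone else.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.79, 0.90, 0.86, 0.68]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.58, 0.22, 0.47, 0.74, 0.30, 0.19, 0.52]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for a given accept threshold.

    FRR (false reject rate, the "false negatives" above): share of genuine
    attempts scoring below the threshold and therefore rejected.
    FAR (false accept rate, the "false positives" above): share of impostor
    attempts scoring at or above the threshold and therefore accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, (FRR, FAR)) at the point where FRR and FAR are closest.

    The error rates only change when the threshold crosses an observed score,
    so the observed scores themselves are the only candidates worth testing.
    """
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        frr, far = error_rates(t, genuine, impostor)
        return abs(frr - far)

    best = min(candidates, key=gap)
    return best, error_rates(best, genuine, impostor)


def accept(score, threshold, liveness_passed):
    """Final decision: the sample must match AND pass the liveness check.

    A replayed recording or a photo can produce a high match score, so the
    liveness result gates acceptance independently of the score.
    """
    return bool(liveness_passed) and score >= threshold
```

With these constructed scores the equal error rate is at a threshold of 0.72 (FRR 10%, FAR 10%); a bank that cannot tolerate impostor logins would sit above 0.74 and accept more annoyed genuine customers instead.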


Biometrics is an innovative technology that is rapidly changing the way we manage banking. Over the next few years, it will be interesting to find out how it develops and adapts to the expectations of customers so that it is easily accepted and implemented by both banks and its users.

Author bio

David Smith is a Certified Information Systems Security Professional (CISSP) specialized in Network and IoT Security and has spent most of his career in the APAC region, though recently relocated from Shenzhen to San Francisco to be closer to family.

Should Paying a Ransom be Illegal?

We’re never ones to shy away from a good debate, as you’ll know if you’ve been following us for a while. It’s a popular opinion at the moment, if you follow the chat online, to make paying a ransom illegal following a hack – and in theory, this certainly has some merit.

Unless you’ve been living under a rock recently, you’ll know that ransomware attacks are on the rise and despite the hackers supposedly having certain ‘ethics’ about avoiding essential service providers, it seems that no organisation is safe from attack.

Should we be perpetuating the profitability of criminal organisations by funding them further with ransom payments? Or is it a necessary evil to protect the future of our businesses? Are these our only options, or is there a way all this could be prevented…

What do you think? We’d like to know. Leave a comment on YouTube or drop us a line. And don’t forget to subscribe to our YouTube channel!

The PCI DSS Compliance Mini Series, Ep 3

Join QSA, James Rees, for the third in our PCI DSS Compliance mini series. This time, we’re talking about the dark art of scoping. Getting the scoping right for an environment is essential and James is sharing his 3 Golden Rules that should be applied to EVERY PCI DSS project.

Love this video? Don’t forget to subscribe to our channel on YouTube!
