Biometrics in the Banking Industry

by David Smith, guest blogger for Razorthorn Security

Biometric technology, such as fingerprint sensors and voice recognition, has become widely popular in recent years with the boom in mobile applications. Organizations are now trying to make use of this technology and implement it to a wide range of areas. Particularly for the banking industry, biometrics can play a vital role in fraud prevention.

With the prevalence of phone and digital banking, banks require innovative ways to authenticate their customer’s identity. Moreover, though customers want their information to remain secured, they don’t like themselves to be scrutinized through an excessive authentication process for a simple transaction. Yet, it’s imperative for banks to verify their customers before they are given permission to access an account over a website, phone, or mobile application.

Conventional password and PIN codes have proven to not always be successful towards achieving security. Not only do customers forget them frequently, but the hackers also gather their personal information through various techniques such as phishing or social engineering. Thus, banks and account holders face losses worth millions every year as a result of identity theft.

When we talk about biometric in the banking industry, it simply brings together security and convenience. Biometric technology depends on a single action instead of other multi-factor authentication methods. For instance, in phone banking, a customer can be simply authenticated on the basis of their voice recognition instead of a sequence of security questions and password retrievals.

Unlike paper documents that can be forged, or passwords that can be cracked, an individual’s characteristics are unique. With voice verification software becoming more sophisticated, an industry like banking that prioritizes security can considerably benefit. Tools nowadays not only identify spoken words, but also the tone and pitch of voice.

For cash transactions, biometric technology replaces the need to enter traditional PIN code with identity verification such as facial recognition, fingerprints or iris scanning. This removes the concern of someone stealing your debit card and using it to take out your money from your account. With biometric enabled card procedure, customers will be required to verify their identity before they can cash out the money.

Benefits of Biometrics in Banking

To ascertain highest level of security, banks are now transitioning towards biometric technology. It offers numerous advantages to the financial institutions as well as consumers such as:

  • no multi-factor authentication needed
  • no PINs and passwords needed
  • low operational costs
  • inability of hackers to exploit information attained through a data breach

The last point is of utmost significance. This means that even if cyber criminals succeed in getting your credentials, they cannot use the information to their advantage. Customers also don’t have to recall multiple passwords and can authenticate themselves with only one biometric authenticator.

Types of Biometrics in the Banking Industry

Biometric technology uses measurable and distinctive human traits to identify an individual uniquely. Here, we will have a look at some of the common biometric identifiers in the banking sector.

Fingerprints

This method is one of the widely used authentication methods in branch banking and mobile banking. Though its usage has declined in the past year as a result of pandemic-related consequences, it is still effective in mobile apps for authentication purposes.

Palm or Finger Veins

This identifies unique pattern of veins in an individual’s palm or fingers. Since it requires bigger equipment, its use is restricted to ATM or branch banking instead of mobile use.

Voice Recognition

Voice recognition is a key biometric in phone banking. It recognizes the unique audio characteristics of an individual. Integrated with artificial intelligence, voice recognition improves with capturing voice prints through regular conversations. It does not require any special equipment, passwords, or location.

Face Recognition

Face recognition deploys 3D sensors and computer algorithms to identify a face by measuring the shape, position, size of eyes, nose, jaw, cheeks, and more. Face recognition is gaining popularity but the technology behind it varies according to vendors. For instance, iPhone X uses Apple’s Face ID for logging into certain mobile apps. Face biometrics can sometimes not work in certain situations such as light intensity, glasses, or facial surgery, etc.

Iris Scan

Iris or retina scan is a live detection technology and scans complex line patterns and colors in the iris. The technology can be installed at ATMs and mobile phones.

Behavioral Biometrics

This is a relatively new area which requires machine learning and big data for analyzing a mix of behavioral patterns of an individual to create unique profile for them. These patterns include anything from how a person uses their mouse to how the keystrokes are made on the keypad. The profile also includes location and IP addresses.

Handling Biometrics Data: Avoiding Potential Limitations

Biometrics data is personal to every individual’s identity. When we talk about security, there is absolutely no room for error in keeping the data secure, or protecting it from getting compromised. Passwords and PIN can be changed, but your personal characteristics cannot.

Another important aspect to consider is false negatives. If a system fails to recognize an actual biometric which the customer has no power to change, it will result in a mistrust in the technology and lead to disgruntled customers. Hence, once a bank’s system completely relies on biometrics, it must be sophisticated enough to correctly recognize an identifier every time.

Similarly, false positives are also a possibility. This can be avoided by including “liveness” factor. It’s better if the system sees your face through a live camera or authenticates your voice with different sentences instead of scripted lines.

Conclusion

Biometrics is an innovative technology that is rapidly changing the way we manage banking. Over the next few years, it will be interesting to find out how it develops and adapts to the expectations of customers so that it is easily accepted and implemented by both banks and its users.

Author bio

David Smith is a Certified Information Systems Security Professional (CISSP) specialized in Network and IoT Security and has spent most of his career in the APAC region, though recently relocated from Shenzhen to San Francisco to be closer to family.

Should Paying a Ransom be Illegal?

We’re never ones to shy away from a good debate, as you’ll know if you’ve been following us for a while. It’s a popular opinion at the moment, if you follow the chat online, to make paying a ransom illegal following a hack – and in theory, this certainly has some merit.

Unless you’ve been living under a rock recently, you’ll know that ransomware attacks are on the rise and despite the hackers supposedly having certain ‘ethics’ about avoiding essential service providers, it seems that no organisation is safe from attack.

Should we be perpetuating the profitability of criminal organisations by funding them further with ransom payments? Or is it a necessary evil to protect the future of our businesses? Are these our only options, or is there a way all this could be prevented…

What do you think? We’d like to know. Leave a comment on YouTube or drop us a line. And don’t forget to subscribe to our YouTube channel!

The PCI DSS Compliance Mini Series, Ep 3

Join QSA, James Rees, for the third in our PCI DSS Compliance mini series. This time, we’re talking about the dark art of scoping. Getting the scoping right for an environment is essential and James is sharing his 3 Golden Rules that should be applied to EVERY PCI DSS project.

Love this video? Don’t forget to subscribe to our channel on YouTube!

Coffee with Jim – Colonial Pipeline Chaos

Following the hack on the Colonial Pipeline in the US, join Jim as he reviews the situation one week on. We talk about what we know about the hack, what have been the effects, who are the perpetrators and what do we know about them and – most importantly – what can we learn from this and how can we protect ourselves from similar attacks?

As always, we’re here to answer any questions you might have so leave a comment or drop us a line. And don’t forget to subscribe to our YouTube channel!

The Interview Series: Corey Williams, CyberArk

Grab a coffee and join us for a chat with CyberArk’s Head of Identity Security Marketing, Corey Williams. If you don’t know them already, CyberArk are leaders in identity security and access management. We talk about how the pandemic has changed the way businesses can (and should!) adopt technology to improve business processes and the challenges that come with this, including how to tackle a lack of understanding and improving communication within your organisation.

Corey tells us about why we should be focusing on accelerating digital business initiatives and using changes in the way we use identity to make better decisions and identify – and mitigate – risks. We talk about cyber security trends and what processes we need to adopt for success in this digitally focused way of working.

Finally Corey shares his thoughts on the best way to progress in a career in infosec, certifications to work for and the key skills to work on.

As always, we’re happy to answer your questions – just drop us a line, and don’t forget to subscribe to our channel!

Watch: The Art of Digital War

Following our blog about The Art of Digital War, join Jim to find out what we need to do to protect ourselves in a war against hackers and cybercrime. Attacks today are getting more sophisticated and we need to take a fresh look at the way we build our security baselines.

We take a look at:

– understanding more about the threats we are facing
– changing our focus on the types of security solutions we use
– the technology we are using vs what we SHOULD be using
– what new areas we need to focus on – our recommendations

Read the blog here: https://www.razorthorn.com/the-art-of-digital-war/

The PCI DSS Compliance Mini Series, Ep 2

Welcome to episode 2 of our PCI DSS mini series, where we’re talking about selecting a QSA. QSAs are not (or shouldn’t be) cheap, so making sure you employ the right person to successfully get your business through the audit is really important.

Find out what you need to know to make sure your QSA is the right fit for your sector, has the required level of experience, how to check they are certified and their training is up to date.

Jim shares his tips for interviewing and vetting QSAs and then working with your chosen QSA to make the auditing process as pain-free as possible.

As always, we’re here to answer any questions you might have so leave a comment or drop us a line. And don’t forget to subscribe to our YouTube channel!

The Art of Digital War

by James Rees CISM, PCI DSS QSA, ISO 27001 LA
Managing Director, Razorthorn Security

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”

Sun Tzu, The Art Of war, 5th Century BC

There are few books in history that are still considered to be as valuable today as when they were written and “The Art of War” is one of them. Written in 5th Century BC, it is still considered today to be essential reading in many fields, including business. It has been quoted in a ton of movies, books and media more times than you can probably count. As you can probably see, I am a huge fan of the manuscript and have studied it numerous times both for my work in the field of information security and for my own medieval battle interests outside of my working life. It is an excellent read and I’d recommend getting yourself a copy as soon as you can.

I was interviewing Richard Cassidy from Exabeam for our YouTube channel recently and he mentioned that we are fighting a never ending digital battle, us information security people, IT people and business people, against the malicious actors looking to compromise systems and networks for their own gain. He was absolutely correct and after some thinking, this article was born.

Since the internet became widely available back in the 90s, we have been seeing an ever-increasing demand for technological advancement. Many of the systems and services that we rely on today are all connected to networks, which are connected to other networks and so on and so forth until you reach the internet. Applications and software run everything. The last 25 years have seen more advancement in technology than ever before in the history of our species and the rate of development and advancement is increasing and getting faster and more efficient every year. It is a fantastic time to be alive.

But for all the huge benefits we have in today’s world, we are totally reliant on that same technology to run our lives, our businesses and our governmental institutions. It’s hard to remember a world where information was not instantly available, or services available at our fingertips. Whilst this provides us the comfort to concentrate on other matters to previous generations, it has led to a level of reliance that means if that same access to technology gets taken away, in whole or in part for any length of time, there would be serious social, mental and real-world implications. All our financial and critical infrastructure now runs digitally in some form or another – it has made us both strong and weak as a species.

So now I have set the scene, what has this got to do with cyber security and digital war?

Everything.

Information security people have for a long time now been working as hard as possible to secure infrastructure, systems and services from being compromised or rendered unavailable due to some form of software error or outage. Us old timers call this the AIC Triad, which stands for Availability, Integrity and Confidentiality. In the early days, we spent a lot more time securing against software outages, downed comms links and similar such issues. IT back then was very much a young discipline and innovation in that space was based around the development of better, more efficient systems and redundancy to ensure critical systems and services remained available. There was a lot of innovation in moving the older paper-based systems over to fully digital versions that were built to be able to evolve and change as well as be refined as required.

Then we started moving to ecommerce over traditional high street shopping. And with that, the world of information security changed forever.

As is historically proven time and time again, once a system is in place to take payment for services, or a system for the movement of money is created, or anything to do with money is put in place, shortly after you will get the criminals sniffing around. And with the rapid rise in popularity of internet shopping, more and more followed. Today, cyber crime is considered to be one of the fastest growing criminal industries on the planet, eclipsing even the global drugs trade in profitability.

Thus we hit where we are today, after that brief history lesson. 20 – 25 years ago we were worried about a virus causing havoc, or a system falling over etc. Today, we are worried about ransomware, data loss, credit card theft, cryptocurrency theft, etc. The list grows each day. As I have mentioned in my video blogs, there is currently the seriously disturbing trend towards compromising key service providers and software solution providers from alleged state sponsored hackers who are targeting these institutions to introduce backdoors and malicious code into their software, which, when installed onto their customer systems, provide access for those malicious groups to undertake covert operations.

Information security professionals are in great demand at the moment. Malicious activity has grown to epidemic proportions in the last few years and it has caused many a board of directors and shareholders of organisations of all sizes serious concern about whether they will be the next targets. But for every information security professional trying to protect an organisation, there is another trying to find new ways to compromise everything the information security professional is trying to protect. In essence, this is a huge digital battle raging on the internet that you only really see when one or more of the malicious groups compromise the systems of an organisation and the news gets out. Unfortunately, you rarely hear about breaches if there is the possibility of a coverup. The difficulty in this never ending battle is that information security professionals are usually underfunded and the malicious actors can make a lot of money and thus are in essence overfunded. Other than what these individuals or groups take for themselves, they usually plough the remainder into increasing their ill-gotten yields.

There is a whole Dark Web cyber criminal community where they sell their gains as well as access to systems, malicious code, targeted attacks, vulnerabilities and all kinds of supporting services and technologies. This cyber criminal ecosystem mirrors that of the ethical system in reverse. There are coders paid to create malicious software, there are initial access brokers selling access to systems, there are hackers for hire and many, many other services that can be procured for those with the right contacts, the right money and the right determination.

The unfortunate truth is that cyber crime is never going to go away. Cyber attacks and state sponsored attacks are going to get more and more widespread as time goes by. We are constantly having to adjust and change our defensive tactics to keep up with our counterparts in the darker side of cyber security because if we don’t, the average cost of cyber crime per year will rise even faster than it is now. It is a real balancing act – by keeping the cyber criminals on their toes, we are keeping the rate of cyber crime damages increasing at a lower rate, yet they are keeping us information security people on our toes by coming up with ways to circumvent the security countermeasures we put in place… it’s an endless dance that is never going to change.

This is a war that can never be won and will only ever continue.

Organisations, both public and private, will have to rethink security in order to efficiently and effectively maintain a semblance of balance. Security can no longer be the bolt on at the end of the process, it needs to be carefully baked into the beginning, the middle and the end of every part of an organisation’s DNA. An organisation needs to have a baseline for basic security, then build levels of defence in depth on top in the form of policies, processes, standards and awareness training. Software developers need to undertake secure coding and strict DevSecOps along with security testing of code and products. IT professionals need to secure infrastructure, perimeters and ensure adequate testing of all infrastructure at least annually or after any significant change, and information security teams need to carefully manage and support the business with governance, risk and compliance to pull it all together in a way that provides consistent, effective and evolving security and risk management as the organisation itself evolves and changes.

There are so many components to information security in today’s world that it’s hard to list them. The list I just mentioned is in no way complete and hardly does it justice, but it’s a good base to start from, I could spend several days talking about cyber security and tooling alone, let alone security governance, risk management and incident response, but I don’t think I have quite that much time.

Trust me, there is a lot to go over.

To conclude, let’s revisit the quote I used at the beginning. I think one of the biggest problems we have as an industry is the limited knowledge we have of both ourselves and of the enemy, hence why we are stopping some attacks, but falling foul of others. We have a good knowledge of low to mid-level attacks, as well as the types of malicious software the lower end of the cyber criminal spectrum use. We put countermeasures in place to deal with these and they are pretty effective.

However, we have very little knowledge of the malicious actors higher on the spectrum, especially in the state sponsored side. It is a fact that governmental security institutions have been reported to have backdoors and knowledge of vulnerabilities in key technologies that they can use to compromise systems, and with all the reports of “state sponsored hackers” actively attacking key organisations, we are starting to see an evolution of the battle entering into a new level.

We need to take a step back and re-evaluate the battlefield and the defensive methodologies we are using to protect our organisations and institutions. It is apparent that protecting our organisations is down to us alone, as our own government’s state sponsored teams are more concerned with waging their own cyber wars, with little regard for protecting commercial concerns, who are being left to defend themselves. This is never going to change, so we need to spend more time talking as a community, helping one another out, advising one another and pooling our resources so that we can mount a collective defence posture that can protect our commercial institutions from this ongoing war.

This all sounds very grandiose, I fully appreciate that. But I firmly believe the information security industry needs to carefully return to the basics and rebuild for a modern information security world, rather than returning to the same old systems that quite frankly are very hit and miss at the best of times. If you don’t believe me, just look at the last 2 years’ worth of attacks and do the research.

It is time for us to get to know ourselves and re-evaluate our situation and research and re-review our enemy and their goals.

Watch: Interview with Richard Cassidy

Today we take a fascinating dive into the psychology behind cyber security with Exabeam’s Senior Director of Security Strategy, Richard Cassidy.

From how to deal with negative attitudes and passive aggressive behaviour at work to challenging the negative stereotypes of infosec staff, Richard shares his approach to creating positive and productive working relationships.

As we all know, ransomware is rife at particularly at the moment, and Richard tells us about the psychology behind the attacks, what tactics to watch out for and why they are so successful. He also tells us about the importance of story telling when it comes to an attack or a breach – a security incident never happens in isolation, so what are the most important things we must consider when it comes to mitigation?

We also take a look at how to make use of successful security strategies from other industries when improving our own and Richard gives his advice for a successful career in infosec and what he looks for in new candidates.

As always, we’re happy to answer your questions – just drop us a line, and don’t forget to subscribe to our channel!

Watch: Interview with Duncan Moore

We’re really looking forward to sharing this interview with you – meet Duncan Moore, Group Head of Information Security GRC at a well known gambling company (that must remain nameless, for additional intrigue).

Duncan tells us his thoughts on the most significant challenges facing the infosec industry in 2021 as well as the key learnings from the SolarWinds breach and which new security tools will make a difference to securing organisations as we face the new, post-pandemic, way of working.

For those of us looking to progress in our careers within infosec, Duncan shares his thoughts on the key skills and certifications required and his secrets for success. As always, if you have any questions for either Duncan or Razorthorn, drop us a line and don’t forget to subscribe to our channel!

The PCI DSS Compliance Mini Series, Ep 1

Whether you’re new to PCI DSS compliance or looking for ways to improve the process, join us for the first in a series of vlogs on the subject, presented by James Rees, QSA. With over 15 years’ experience helping organisations achieve PCI DSS compliance (and over 25 years in the industry), Jim is one of the most experienced QSAs in infosec.

This episode covers:

– An overview on the need for compliance
– The golden rules for scoping
– Tips for redoing the certification
– The importance of up to date technology

If there is anything in particular you would like us to cover in future episodes, please leave a comment or drop us a line.

Don’t forget to subscribe to make sure you don’t miss future videos in this series!

Watch: Interview with Ian Murphy, CEO, CyberOff

We’ve had some excellent feedback on our interview series on our YouTube channel, thank you! Today, we’re excited to bring to you a chat with the incomparable Ian Murphy, CEO of CyberOff. Known for his hugely entertaining videos on LinkedIn, we chat with the self proclaimed cyber security gangsta who injects some much needed humour and light heartedness into cyber security awareness. We talk about how, as a semi professional football player, he ended up following his passion for electronic engineering and landed a job that lead to a varied and exciting career. Ian shares some great tips for progression for those in the early stages of their careers and his opinions on key skills and certifications. He gives some great advice on getting around the barriers to the role you want as well as the things he wishes he’d know when he started out.

Don’t forget to subscribe to our channel and visit Ian’s page for some quality (educational) entertainment, including an unforgettable rap about passwords… 

Watch: Coffee with Jim – the Bonus Episode

You lucky things, welcome to the second Coffee with Jim of the week! Join us for a meander through this week’s infosec news, including a warning about initial access brokers, additional news on ransomware following our vlog earlier this week, advice on sourcing security products and outsourcing CISOs for SMEs, establishing secure remote working and – importantly – news on where we’re taking our Razorwire vlog this year! As always, we love hearing your thoughts and opinions so leave us a comment or drop us a line

If you have any questions or want some advice about anything we’ve discussed, get in touch.

Watch: How to Protect Against Ransomware and Why You Need To

Following the news that hackers have stolen game source code and other information from CD Projekt Red (the studio behind RPGs Cyberpunk 2077 and The Witcher 3), grab a coffee and join Jim as we discuss protecting your organisation from ransomware and the advice and security we recommend to ensure your private data remains secure.

Ransomware attacks have grown in sophistication and incidents have increased by a reported 715% in 2020 – it’s a very real threat that could affect your organisation at any time and needs to be considered seriously.

If you have any questions or need advice in this area please leave a comment or drop us a line.

Like our content? Give us a follow on YouTube!

Watch: Thoughts on Blockchain Security

Today we’re talking about cryptocurrency and the announcement that Tesla will now be accepting it for payments. With rapid adoption from some of the world’s largest organisations, what should we be doing to improve the security of the transactions, storage wallets and third party facilitators? We’ll be talking about misconceptions, insights and regulation in the start of a new series on the adoption of cryptocurrency.

We’d love to hear your opinions on the future of cryptocurrency – leave a comment or drop us a line.

Watch: Security & Third Party Management

In this episode, we talk about why monitoring and building a relationship with your third party providers is essential to your security programme. Your organisation is only as secure as your weakest link so how do you ensure that your service providers have the policies and procedures in place to protect you to level you expect? As always, if you have any questions or would like to talk to us about anything we discuss in this vlog, we’d be more than happy to have a chat. Drop us a line on hello@razorthorn.com.

Watch: Interview with Jag Bains, CTO at DOSarrest

Today we chat with Jag Bains, CTO at DOSarrest, about what life is like working for industry-leading DDOS mitigation specialist, DOSarrest.

As usual with Jim’s interviews, we cover a variety of topics – we hear from Jag about the reason DDOS protection is SO important and the damage attacks cause targeted organisations, to the importance of having the correct infrastructure to deal with attacks and what he suggests.

Jag tells us his advice for people wanting to make the transition into DDOS mitigation, the attitude and skillsets required and importantly, the tips he would give to anyone wanting to work in this field.

As always, if you have any questions for Jag (or Jim), leave us a comment or drop us a line: hello@razorthorn.com.

Follow Us