Technology and business
Richard Parris and Etienne Greeff 17 Aug 2017 04:10pm

Why biometric security may not be as safe as you think

Is TSB’s use of retina ID as a means of authentication for its customers a step in the right direction for cybersecurity? The question on many people’s lips will be “is it really that secure?”

Biometrics is fast becoming the de facto security measure for a wide range of business and consumer applications. However, German hackers were recently able to trick a Samsung Galaxy S8’s iris scanner with a picture of the device owner’s eye and a contact lens. This was the same month that HSBC’s voice recognition security system was fooled by a journalist. Biometric authentication is not entirely immune to potential attack and therefore should not be relied on as the sole means of verifying a user.

For most companies that have recently fallen victim to attack, the downfall has been weaknesses at the user authentication level. Hackers can easily gain access to systems and networks using insecure passwords and personal information such as your date of birth or full name.

The premise is the same for biometrics – your personal genetic data can be stolen. Rather than use biometrics in isolation, businesses need to be looking instead at strong authentication that incorporates three distinct elements – possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, an iris scan). This allows businesses to verify that the person accessing the service is who they say they are, in addition to limiting the amount of times an individual can attempt access if any of these elements are missing or incorrect.
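One way to structure the three-element check and the attempt limit described above, as an added example that is not code from the authors or from Intercede (the class and function names, the 64-bit template encoding, the 0.90 match threshold and the three-attempt limit are all assumptions chosen for illustration):

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3        # assumed lockout limit
MATCH_THRESHOLD = 0.90  # assumed share of matching template bits required
TEMPLATE_BITS = 64      # constructed toy template size; real iris codes are far larger
def sign_challenge(device_secret: bytes, nonce: bytes) -> bytes:
    """Response the enrolled phone computes over a server nonce (possession)."""
    return hmac.new(device_secret, nonce, "sha256").digest()
def hamming_similarity(a: int, b: int) -> float:
    """Share of equal bits between two fixed-length templates (inherence)."""
    return 1.0 - bin((a ^ b) & ((1 << TEMPLATE_BITS) - 1)).count("1") / TEMPLATE_BITS

class ThreeFactorVerifier:
    """All three elements required; failures are counted and the account locks."""

    def __init__(self, device_secret: bytes, pin: str, iris_template: int):
        self.device_secret = device_secret      # shared only with the enrolled phone
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = self._hash_pin(pin)     # knowledge factor kept as a slow hash
        self.iris_template = iris_template      # enrolled template, not a raw eye image
        self.nonce = None
        self.failures = 0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS
    def challenge(self) -> bytes:
        """Fresh single-use nonce; a replayed earlier response will not match."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, device_response, pin, iris_sample) -> bool:
        if self.locked():
            return False
        nonce, self.nonce = self.nonce, None    # consumed even when the attempt fails
        # Evaluate every element with no early return: a missing one simply fails,
        # and the caller learns only pass/fail, never which element was wrong.
        have = (nonce is not None and device_response is not None and
                hmac.compare_digest(sign_challenge(self.device_secret, nonce), device_response))
        know = pin is not None and hmac.compare_digest(self.pin_hash, self._hash_pin(pin))
        are = (iris_sample is not None and
               hamming_similarity(self.iris_template, iris_sample) >= MATCH_THRESHOLD)
        if have and know and are:
            self.failures = 0
            return True
        self.failures += 1
        return False
```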

Biometric security is no longer the stuff of sci-fi films, as consumers flock to scan their faces to unlock their phones or use their fingerprints to pay for items in a shop. The onus is on the business to provide the appropriate security to protect the customer, and the consumer needs to be aware of the data they are sharing and how they can better protect themselves from the prying eyes of cyber criminals.

Richard Parris, CEO, Intercede

The general perception is that biometric security – iris scans, fingerprints and voice recognition – is inherently secure because it’s taking something you are, something that never changes, and using it as a means to access your accounts and verify your identity. While this is significantly more secure than using passwords, which have been shown to be a very poor form of authentication, a few caveats apply.

The person using the authentication data has a big responsibility to store the data in a secure fashion. If we think about a normal breach, for example when a password is hacked, it’s easy to reset your password or change the security settings. It’s also relatively easy to recover from one of these threats. If you’ve lost money from your online bank account at the hands of opportunistic cyber-criminals, it’s likely you’ll be able to claim it back from your bank.

But what happens when your biometric security settings are hacked? You can’t change your voice, you can’t replace your eyes, you can’t reset your fingerprints. Those things are constant, permanent and contain genetic data that is unique to you. The implications of biometric security hacks can be much more severe as a result, and businesses are being forced to consider how they are protecting consumers’ genetic data through the imminent GDPR initiative.

It’s good to see businesses such as TSB looking to replace passwords, which are flimsy and easily breached, but hackers are wise to biometrics and it won’t stop them from trying to get their hands on your data. Biometric security has been hacked in the past and there are countless examples of fingerprints being copied, voices being mimicked and iris scanning software being tricked.

With board directors soon to be responsible for complying with GDPR, more consideration needs to be given to the security techniques deployed today and how we can better protect consumers.

Etienne Greeff, CTO and co-founder, SecureData