Money20/20: Settling The Spoofing Score

During yesterday’s FindBiometrics hosted panel at Money20/20, Biometric Identity & Its Applications in Financial Services & Payments, the conversation turned inevitably to the problem of spoofing on consumer biometric devices, namely the iPhone. When the time came for the audience to put their questions to the identity and finance experts on stage, an attendee from Chicago immediately brought up the infamous iPhone spoofs that have shaken some users’ confidence in mobile biometrics.

“We’re doing all the right things,” he said, “But are we doing them in the right order?”

The nascent status of biometric authentication for banking has given rise to similar concerns in the past, and there is a basis to them. The iPhone 5S and both iPhone 6 models were spoofed almost immediately after release using a good old-fashioned wood glue spoof, bringing the question of integrity into the minds of potential adopters. The experts on stage, however, are not concerned about the efficacy of the biometric solutions currently available for mobile banking.

Essentially, the panel’s response breaks down into three points, all centered on the classic spoofing example of the gummy bear attack.

First, the integrity of the system. “I can spoof my own fingerprint or face – I’ve done it on my own phone,” said Rick Swenson – AVP Enterprise Fraud Prevention & Detection, USAA – leading into an example of how a standard playback attack might be performed with two phones. Swenson can record his face on one phone, then present the recording to the other phone’s facial recognition in order to bypass the biometric capture, but the key is that his own phone, thanks to tokenization, is a trusted device, and the attacker’s is not.

“So if you steal my fingerprint and try to get into a USAA account on your device you aren’t going anywhere real fast,” said Swenson.

Second, there is the much-lauded deterrent factor at play, which has long been championed by the FIDO Alliance.

“At MasterCard we’re trying to stop fraud at the business level,” explained Bob Reany – Group Head & SVP, Identity Solutions, MasterCard. “It’s a business for the bad guys. And the reason they have a business is because they can simply send an email to militarized places and get 700 million passwords and credentials and sell them on the dark web. That is the real problem we’re trying to solve. And the fact that you can take a gummy bear and make a fingerprint and stick it on an iPhone – and you have to steal his phone, break into his house, ping his location, have the same behavioral analysis that he does, then okay you win. But it really defeats the [purpose].”

Finally, there is the concept behind multifactor authentication, and here is where the very concept of biometrics wins the day. While spoofing is not scalable, biometric security on mobile devices is. And to that end Daon’s Americas Group President Connor White made a prescient point: “A fingerprint is just a piece of a human. It’s not the whole human. So if you’re worried about the risk, yes, the most important part is that you have to have the phone. And if I have the phone, and I have the fingerprint, and I’m doing the gummy bear correctly and, and, and… Then yes. If I’m worried that there is such a risk, then that’s a concern. Authenticate a human. Add in the face, ask them to speak a phrase, randomize the phrase so it can’t be recorded.”

“There are many different attributes,” said White. “Biometrics is not about fingerprint, or face or voice or iris or… you know, earlobe. It’s about all of that. And you can bring all of that together. Today, on your phone, you have GPS location you have secure keys, crypto, you have – every smartphone I know of – you have face and voice, and you have fingerprint on most of the next generation phones. In Japan you have iris. So there’s a lot more we can do around a human being.”
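The two technical claims in the panel’s answer (Swenson’s point that a copied fingerprint is useless without the tokenized, trusted phone, and White’s point that a randomized challenge phrase defeats a recording) can be modelled in a few lines. The following is an added illustration, not code from the panel, from USAA, MasterCard or Daon, and every name in it (BankServer, Phone, login, the account and device identifiers, the “alice-print” stand-in for a biometric template) is an assumption of this example. The biometric match happens on the device; the bank only accepts a match result that arrives signed by a key bound to that device at enrollment, in answer to a single-use random challenge:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical, simplified model of the scheme the panel describes.
# The per-device secret stands in for the device-bound token; the nonce
# stands in for the randomized phrase that cannot be replayed.


def _sign(secret: bytes, account: str, device_id: str, nonce: str) -> bytes:
    """Device-side assertion: 'this enrolled device saw a local match for this challenge'."""
    msg = f"{account}|{device_id}|{nonce}|match".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


@dataclass
class BankServer:
    # account -> {device_id: secret bound at enrollment} (constructed, in-memory)
    bound_devices: Dict[str, Dict[str, bytes]] = field(default_factory=dict)
    # account -> outstanding single-use challenge
    pending: Dict[str, str] = field(default_factory=dict)

    def enroll(self, account: str, device_id: str) -> bytes:
        """Bind a device to an account; the returned secret never leaves that device."""
        secret = secrets.token_bytes(32)
        self.bound_devices.setdefault(account, {})[device_id] = secret
        return secret

    def challenge(self, account: str) -> str:
        """Issue a fresh random challenge for exactly one authentication attempt."""
        nonce = secrets.token_hex(16)
        self.pending[account] = nonce
        return nonce

    def verify(self, account: str, device_id: str, nonce: str, tag: Optional[bytes]) -> bool:
        """Accept only a fresh challenge, answered by a bound device, after a local match."""
        expected = self.pending.pop(account, None)  # consumed now: a replay finds nothing
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False  # stale, unknown or replayed challenge
        if tag is None:
            return False  # the device reported no biometric match
        secret = self.bound_devices.get(account, {}).get(device_id)
        if secret is None:
            return False  # device never enrolled: a copied fingerprint alone gets nowhere
        return hmac.compare_digest(tag, _sign(secret, account, device_id, nonce))


@dataclass
class Phone:
    device_id: str
    enrolled_template: str           # constructed stand-in for the on-device template
    secret: Optional[bytes] = None   # None until the bank binds this device

    def authenticate(self, account: str, nonce: str, presented_sample: str) -> Optional[bytes]:
        """Local biometric match; only a bound device with a match signs the challenge."""
        if presented_sample != self.enrolled_template or self.secret is None:
            return None
        return _sign(self.secret, account, self.device_id, nonce)


def login(server: BankServer, phone: Phone, account: str, presented_sample: str) -> bool:
    """One full attempt: challenge, local match, device-bound assertion, server check."""
    nonce = server.challenge(account)
    tag = phone.authenticate(account, nonce, presented_sample)
    return server.verify(account, phone.device_id, nonce, tag)


if __name__ == "__main__":
    bank = BankServer()
    alice_phone = Phone("alice-iphone", enrolled_template="alice-print")
    alice_phone.secret = bank.enroll("alice", "alice-iphone")
    # Attacker phone with a faithful copy of Alice's print, but never enrolled with the bank
    spoof_phone = Phone("attacker-phone", enrolled_template="alice-print")
    print("alice on her phone:", login(bank, alice_phone, "alice", "alice-print"))
    print("copied print on unbound phone:", login(bank, spoof_phone, "alice", "alice-print"))
```

The same structure is what makes a recorded face or voice sample useless against a randomized phrase: the recording can only reproduce an old challenge, and `verify` consumes each challenge on first use, so a captured assertion fails even when it was genuine the first time.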

In the panel’s response to the question of spoofing, there is an indication of how far biometric systems have come since the high-profile Touch ID spoofings of yesteryear, thanks to multifactor options and tokenization. There is also a great deal of confidence in their words. There is no doubt at this point that biometric technology is ready for mainstream financial deployment, and while there is always room for measured concern in any high-risk transaction, when it comes to mobile commerce, gummy bears no longer pose a threat.

October 27, 2015 – by Peter B. Counter