The Future of Biometrics in Financial Services
Posted by Ryan Zagone, Lead Market Insights Analyst, Banking & Securities, Deloitte Services LP, on July 9, 2014
Apple's recent announcement that it will open Touch ID™, its fingerprint identity sensor, to third-party developers raises the potential to expand biometrics in the mass market.
Given the financial services industry's focus on mobile applications and commitment to security, this news is of particular interest.
As this technology is set to evolve rapidly, now is a good time to reflect broadly on the future of biometrics and the three groups converging on the sector: consumers, fraudsters and technologists.
Consumers: what are they thinking?
When it comes to mobile financial services, consumers are primarily concerned about security. In a recent Deloitte survey, 64 percent of consumers said they are "extremely concerned" about security when banking on mobile devices. Further, 74 percent said security concerns impede greater use of mobile financial services. Addressing these concerns will be key to increasing adoption.
At the same time, consumers expressed frustration with the status quo. Forty-six percent of consumers said difficulty seeing and typing on smartphone screens was the most significant limitation to using mobile apps. This frustration may drive consumers to use simpler passwords that are easier to type, ultimately jeopardizing security.
For now, consumers appear interested in using biometrics to address their security concerns. In our survey, two in three respondents said biometric identification would be a valuable security measure.
As biometrics mature and expand to include more physical identifiers, financial institutions will have to stay keenly aware of consumer perceptions, experiences and concerns to ensure these features are properly integrated into mobile products.
Fraudsters: like bees to honey
As biometrics use grows, so will the attention it draws from criminals. Their attraction to consumers' biometric data may bring the next generation of identity theft, making it essential for adopters of biometrics to fully understand and protect against new threats.
Malware and security threats are already evolving to take advantage of the growing mobile phone sector. For instance, "smishing" or SMS phishing — a scheme of sending fraudulent links and malware over popular mobile messaging applications — is a growing concern. Further, news recently broke that Svpeng, a type of malware that targets mobile devices, has migrated from Russia, where it was created, to the United States.¹
As for biometrics, fraudsters have already shown the ability to extract and recreate fingerprints from a mobile device.² These threats will continue to evolve, and those who leverage biometrics will have to stay keenly aware of new vulnerabilities. And while biometrics may offer new ways to safeguard accounts, they also present new challenges. For example, if biometric data is stolen, consumers cannot quickly change their fingerprints or biometrics as they can a password.
Such challenges may require new protocols for recovering compromised credentials and re-securing consumers' accounts. New methods of detecting stolen data, false positives, and malware may need to be created. Industry leading practices or regulatory guidance may help ensure a secure ecosystem and highlight the mutual responsibility of all involved.
Technologists: driving more change
Today, fingerprint verification is simply an alternative to a password for accessing a device. It does not provide any additional security to the back-end operations of the application — that is, the ways in which it encrypts, stores and transfers data.
Simply put, fingerprint authentication is another option to lock the front door; it does not mean the entire house is secure. For this reason, biometrics are not a substitute for secure coding practices.
However, technologists and researchers are rapidly improving the utility of biometrics. Soon they may offer more transformative security measures beyond access control. For instance, cardiac rhythms, iris identification and other biological metrics could potentially create new generations of security and user-authentication methods. To maintain the security of these applications, collaboration with the developers and understanding the technology will be essential.
Where we go from here
Biometrics are poised to evolve rapidly, forcing financial firms to ponder when and how to integrate this technology into their mobile products.
Management may have to weigh the prestige of being an early adopter of the current technology versus the benefits of waiting and leapfrogging to the next, more advanced forms of biometrics.
This decision will likely depend on risk appetites, the ability to identify and respond to vulnerabilities, and firms' individual innovation strategies. While waiting for more advanced biometrics may have some appeal, firms may risk public perception of being slow to innovate or less secure than competitors.
Each firm will have to make these decisions as it sees fit, but ignoring biometrics is not an option.
While biometrics may not be the silver bullet, they do offer more ways to help secure mobile financial services and are set to be an important part of our future.
1 Penny Crosman, "First Major Mobile Banking Security Threat Hits the U.S.," Bank Technology News, June 13, 2014.
2 Nick De, "Starbug's Touch ID Attack," accessed June 13, 2014, http://vimeo.com/75324765.
As used in this document, "Deloitte" means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
This article is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple Inc. Touch ID™ is a registered trademark of Apple Inc.