Thursday, 19 February 2015

Bank App That Lets You Log In With Fingerprint 'Can Be Hacked By Almost Anybody': Security Expert Says System Is As Safe As 'Leaving House Keys Under The Door Mat'

  • Users merely have to press finger to smartphone to get into their accounts
  • Feature has been installed by Royal Bank of Scotland and NatWest
  • Banks say around 880,000 of their customers can use Touch ID on iPhones
  • One expert compared it to 'leaving your house keys under the door mat'

Two High Street banks are letting customers access their money by using fingerprint technology that security experts warn ‘almost anybody’ could crack.

Royal Bank of Scotland and NatWest have installed the feature so that users of their mobile banking apps merely have to press a finger on to their smartphone to get into their accounts.

But Professor Mike Jackson, a cybersecurity expert at Birmingham City University, claims the technology offers about as much security as ‘leaving your house keys under the front doormat’.

‘It is not something I would do – put it that way,’ he added.

The banks’ apps utilise Apple’s Touch ID feature, which lets owners of an iPhone 5, 6 or 6 Plus access their device by touching the button under the screen.

If the fingerprint matches one they have stored previously, the screen is unlocked. On earlier models, users must enter a numerical code instead.

RBS and NatWest, both part of the Royal Bank of Scotland Group, say around 880,000 of their customers have the newer iPhones so can now get into their bank accounts using Touch ID.

They simply activate the technology first by inputting their usual security information.

But experts claim these people may be putting their money at risk as Touch ID only examines the look of fingerprints. 

So criminals could easily break into someone’s bank account by using a high-quality photograph or clear image of the phone-owner’s fingerprint.

Such an image could even be gleaned from the phone’s screen itself. More sophisticated fingerprint-recognition systems can detect the warmth and veins within fingers.

Ben Schlabs of the German think tank SRLabs said: ‘Fingerprints are not fit for secure local-user authentication as long as “fake fingers” can be produced from these pervasive copies. It is a very different risk to something that is inside your brain [such as a PIN code].’

And Professor Mike Jackson said: ‘Almost anybody, given enough chance, would be able to break it. If you can get hold of a good fingerprint, it is very easy to fool [the technology]. It is that insecure.’

When Touch ID was launched, a group of hackers got around it by making a fake finger from a photograph of a fingerprint. They showed how criminals could present the photograph to the iPhone’s button or use it to fashion a latex model to hold against the smartphone.

RBS and NatWest yesterday said they were confident the fingerprint technology was safe to use, pointing out it was already popular with banks in the US and other countries.

‘We do everything we can to make banking secure for our customers and we’ve tested this to make sure it was safe before launch,’ they added.

Mobile banking users whose iPhones are stolen can deactivate their Touch ID by calling the bank.

Source: MailOnline