- Feature has been installed by Royal Bank of Scotland and NatWest
- Banks say around 880,000 of their customers can use Touch ID on iPhones
- One expert compared it to 'leaving your house keys under the door mat'
Two High Street banks are letting customers access their money by using fingerprint technology that security experts warn ‘almost anybody’ could crack.
Royal Bank of Scotland and NatWest have installed the feature so that users of their mobile banking apps merely have to press a finger on to their smartphone to get into their accounts.
But Professor Mike Jackson, a cybersecurity expert at Birmingham City University, claims the technology offers about as much security as ‘leaving your house keys under the front doormat’.
‘It is not something I would do – put it that way,’ he added.
The banks’ apps utilise Apple’s Touch ID feature, which lets owners of an iPhone 5, 6 or 6 Plus access their device by touching the button under the screen.
If the fingerprint matches one they have stored previously, the screen is unlocked. On earlier models, users must enter a numerical code instead.
RBS and NatWest, both part of the Royal Bank of Scotland Group, say around 880,000 of their customers have the newer iPhones so can now get into their bank accounts using Touch ID.
They simply activate the technology first by inputting their usual security information.
But experts claim these people may be putting their money at risk as Touch ID only examines the look of fingerprints.
So criminals could easily break into someone’s bank account by using a high-quality photograph or clear image of the phone-owner’s fingerprint.
Such an image could even be gleaned from the phone’s screen itself. More sophisticated fingerprint-recognition systems can detect the warmth and veins within fingers.
Ben Schlabs of the German think tank SRLabs said: ‘Fingerprints are not fit for secure local-user authentication as long as “fake fingers” can be produced from these pervasive copies. It is a very different risk to something that is inside your brain [such as a PIN code].’
And Professor Mike Jackson said: ‘Almost anybody, given enough chance, would be able to break it. If you can get hold of a good finger print, it is very easy to fool [the technology]. It is that insecure.’
When Touch ID was launched, a group of hackers got around it by making a fake finger from a photograph of a fingerprint. They showed how criminals could present the photograph to the iPhone’s button or use it to fashion a latex model to hold against the smartphone.
RBS and NatWest yesterday said they were confident the fingerprint technology was safe to use, pointing out it was already popular with banks in the US and other countries.
‘We do everything we can to make banking secure for our customers and we’ve tested this to make sure it was safe before launch,’ they added.
Mobile banking users whose iPhones are stolen can deactivate their Touch ID by calling the bank.
Source: MailOnline