BY JENS KASTNER, in Hamburg

German banks pride themselves on their reliability and safety, but they too are vulnerable to hacking and are exploring biometrics to boost their security. But ensuring these systems are truly safe will be no easy task, Jens Kastner reports.

Late last year (2018), Germany’s best-known hacker, Jan Krissler, aka Starbug, showed a video at December’s Chaos Communication Congress in Leipzig of how he had tricked the vein-matching scanners from Fujitsu and Hitachi that are used in ATMs across Asia. The attack was not sophisticated: he used a mock wax hand with printed representations of veins. In real-life conditions, the victim’s vein pattern could be captured with an infrared LED and a camera hidden in the hand dryers commonly found in public restrooms, Krissler said.
It was the same Krissler who in 2017 hacked an iris-scanner in Samsung’s Galaxy S8 and who in 2013 outsmarted iPhone 5’s Apple Touch ID.  

So, it does not come as a huge surprise that the Association of German Public Banks (VÖB – Bundesverband Öffentlicher Banken Deutschlands) is now saying that German banks’ usage of biometrics is still at the first stage of implementation, although clearly on a trajectory for acceleration.

“On the one hand, we want to avoid that the client needs any additional hardware in order to use biometrics, but on the other hand we are limited in making clients’ smartphones undergo security checks controlled by bank background systems, meaning we must rely on certain certification by international standardisation organisations,” said Michael Rabe, head of payment services and information technology, VÖB.

“Meanwhile, the rise of biometrics applications means that banks have to commit significantly more resources for the internal training of bank staff in terms of customer interaction,” he added.

Rabe added that any customer-facing biometrics technology implemented inappropriately by a bank could trigger many customer inquiries, overwhelming call centres.

The roll-out has been made more complicated by the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018.

The GDPR stipulates that data subjects must give explicit consent, defining the scope of purposes for which processing of their biometric data is permitted, which makes customer-facing administration a tougher task, compliance-wise.

Similarly, the National Association of German Cooperative Banks (BVR – Bundesverband der Deutschen Volksbanken und Raiffeisenbanken) has noted that although biometrics have yet to play a major role for most of its members due to the technologies’ immaturity, progress is coming, fuelled by the growth of smartphone payment.

“The new technologies mean that biometric templates are no longer sent via the internet to data centres but instead are authenticated by the safety chips in users’ devices, with only a cryptographic seal containing information on whether authentication succeeded or failed being transmitted,” explained Dr Olaf Jacobsen, a payment security expert with BVR.

“Although the result will then be tied to the transaction order, it constitutes only one security layer, with other layers potentially still capable of stopping a suspicious transaction, for example until a human analyst looks at it during banking hours. If something looks suspicious, say, a customer remitting money in the middle of the night to Romania, the bank will still be giving him a phone call the next banking day before clearing the transaction,” he added.

Such integrated systems are the aim of the FIDO Alliance, an open industry association with members spanning from ING Bank, MasterCard and Visa to Amazon, Facebook and Google, who together are developing authentication systems that are either an integrated part of the end-user’s device or external hardware, such as a USB stick.

The FIDO system entails that during registration with an online service, the user’s client device creates a private key and registers the corresponding public key with the online service. Authentication is undertaken by the client device proving possession of the private key to the service, by signing a challenge issued by the service.

The local user verification required to unlock the private key is then accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, or pressing a button.
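The registration and login steps described above, together with Jacobsen’s point that only a cryptographic attestation of the outcome leaves the device, as an added Go sketch that is not FIDO Alliance code or any bank’s implementation: the server stores nothing but a public key, issues a fresh random challenge per login, and verifies the device’s signature over that challenge bound to the service origin. Ed25519 as the signature scheme, the origin string and the user names are assumptions for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server keeps only public keys and one unanswered challenge per user; a breach of this store yields no secret usable for impersonation.
type Server struct {
	origin  string                       // the service's own origin, e.g. "https://bank.example" (assumed value)
	pubKeys map[string]ed25519.PublicKey // registered public key per user
	pending map[string][]byte            // challenge issued but not yet answered
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// NewDeviceKey runs on the client device; the private half never leaves it.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// Register is the FIDO registration step: the server receives the public key only.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues 32 fresh random bytes for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// payload binds the challenge to the origin the client believes it is talking to, so a signature made for a look-alike site fails at the real one.
func payload(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// ClientSign runs on the device after local user verification (fingerprint, PIN, button press) has unlocked the key.
func ClientSign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, payload(origin, challenge))
}

// Verify deletes the pending challenge first, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.pending[user]
	pub, known := s.pubKeys[user]
	delete(s.pending, user)
	return ok && known && ed25519.Verify(pub, payload(s.origin, c), sig)
}
```

The biometric itself never appears in the protocol: it only gates the device’s use of the private key, which is why a stolen server database or an intercepted signature gives a fraudster nothing reusable.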

FIDO wants to move away from insecure username/password authentication and one-time passwords, such as TANs (transaction authentication numbers) and SMS OTPs (one-time passwords).

“If a one-time password is intercepted by a fraudster, the owner will have hardly any chance to prevent loss,” said Rolf Lindemann, Senior Director Products & Technology at US-based Nok Nok Labs and founding member of the FIDO alliance.

“Because FIDO succeeded in separating the protocol from the device and the online service from user verification, only public keys are shared with the server, so even a successful hacking of a server will not lead to a fraudster obtaining millions of passwords or other secrets sufficient for user impersonation,” he added. Lindemann said this would deter hackers, for sure.

Looking ahead, behavioural biometrics are likely to make systems more secure. Baden-Baden, Germany-based Arvato Financial Solutions provides banks and other businesses with technology able to analyse a customer’s finger movements and finger pressure on a smartphone, as well as the smartphone’s tilt, to identify unique user patterns and build a profile accordingly.

“Behavioural biometrics are convenient for the user, and they rule out presentation attacks with mock masks, wax hands, fingertips and so on because the fraudster has no way of understanding with what finger pressure the device’s owner usually types his emails,” said Andreas Czermak, managing director, vice president fraud management, Arvato Financial Solutions.

“Another strong selling point is that the behavioural biometrics’ profile we send to the banks is completely anonymous to us. Only the bank can then link this artificial identifier to an actual person,” he added.

The importance of such systems will become clearer as standard biometrics display their vulnerabilities – with Czermak stressing how the opening of a new bank account in Germany, and consequently the setting up of an initial biometrics profile, is done after presenting a national ID or a passport.

“German passports can be bought on the darknet for a few hundred euros. I would not risk using one to cross any national boundary, but to sign a rental contract or open a bank account, it would most likely do,” he said.

That said, André Nash, a division manager responsible for cyber/IT security and new technologies at the Association of German Banks (Bundesverband deutscher Banken), pointed out that progress in artificial intelligence (AI) will assist and enhance banks when conducting know-your-customer (KYC) checks, with more data being analysed in a much shorter time. With AI combined with biometrics, maybe banks will finally get a real edge on hackers.