Passwords, bio-metrics and mattress banking

Cyber attacks are no longer confined to military or high value economic targets. We are all subject to them with many reports on attacks on vulnerable members of society. Many of these attacks might be considered as hybrid human/cyber attacks. Typically, a human makes contact, usually over the telephone, and might pose as a bank official or computer support in an attempt to obtain passwords usually associated with financial transactions. It is therefore all evident that securing passwords is part of the key to cyber security. For this reason, it is usually recommended that passwords are complex in nature, typically a mixture of alphanumeric characters rather than a simple easy to remember password such as a pet’s name. Sophos reports that the average user has 19 passwords but one in three uses do not make some strong enough.

Clearly, password management can be tricky since typically they have to be stored as the average user cannot be expected to remember 19 complex passwords. It has been recommended practice to change passwords periodically, a process that is commonly forced upon the user in corporate IT systems. It is interesting to note that the National Cyber Security Centre (NCSC) now recommends that organisations do not force regular password expiry since this is inconvenient to users and creates vulnerabilities, particularly in the storage of new passwords which may also be weaker to ease remembering them.

Bio-metrics are increasingly seen as a way forward to ease the password burden, since they are unique to the user and therefore cannot be shared in cases such with a rogue telephone caller.

FingerprintIn 1902, Harry Jackson  became the first person to be convicted on fingerprint evidence following a burglary as a house in Denmark Hill, London where some billiard balls were stolen!  Since that time, fingerprint evidence has been used in countless criminal cases. Over the last decade or so, fingerprints have become established as a bio-metric, sometimes backed up by a password, for access to laptops and smartphones. What was once considered sci-fi technology is now available to all enterprises, large and small, in the notebook of choice for everyday business.” IBM, 2004

More recently, facial recognition has been used for access to devices as well as access control to buildings and automated border controls. Voice recognition is a bio-metric used for banking and iris recognition, often considered to be the most robust bio-metric, is used at some automated border control locations and access to critical facilities.  Passports issued by several countries contain multiple bio-metrics – usually fingerprint and facial recognition – to make the process more secure overall.

The choice of bio-metric depends on cost and convenience (eg fingerprint for a smartphone) and the level of security required (multiple bio-metrics). Participation in bio-metric identification must demonstrate a benefit to the user and trust that the system will not be used for purposes that have not been agreed such as employee time keeping.

Bio-metrics would therefore appear to be the key to the password burden since they are unique to the user and do not have to be remembered. However, a recent report (i Newspaper 06 October 2016) suggests that it is possible that smartphones may be accessed using a fingerprint mould and facial recognition bio-metric systems hacked using 3D facial models based on Facebook images. However, it is likely that bio-metric access to mobile devices provides good protection for both cases of opportunistic theft or accidental loss. Targeted theft of a celebrity or an industrialist might be a different issue where major resources might be used to access the data.

Since bio-metrics are equivalent to having a single password, are we returning to the multiple password dilemma mentioned earlier?

As with military developments there is a countermeasure arms race in cyber security. With increasing numbers of cyber attacks there are suggestions that financial institutions will no longer accept the burden of losses and that customers might have to become increasingly responsible for the security of their accounts. This, together with the suggestion of negative interest rates might eventually to an increase in the use of My Mattress Saving Bank.


0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *