How does biometric authentication improve security

IT for the financial decision maker

The financial sector in particular is a popular target for cyber criminals. There they hope to get at the savings of private customers and, with a bit of luck, even at the reserves of large companies or organizations. To protect their private and business customers from attacks of this kind, financial and credit institutions have already introduced a number of security measures in recent years. But that is far from the end of it. What is needed now are solutions that are robust against new methods of fraud. Biometric authentication combined with cryptographic methods, in which the secrets are no longer stored centrally on servers, could be the right key.

Reading tip: What is cryptography?

The scams of the internet fraudsters

From stealing passwords from servers to credential stuffing to (spear) phishing: when it comes to getting hold of login data, fraudsters are extremely creative. The method chosen depends mainly on who the victim is and whether the aim is many small bites or the biggest fish directly. The first method, the theft of passwords from servers, is about obtaining the largest possible amount of login data in one go.

These are then often offered for sale on the dark web. With them, attackers can, for example, try to log into a number of other websites in the victims' names and get at their money, fully automatically (credential stuffing, which only works because people reuse passwords). The scale of this is enormous: as Forbes reports, the team at The Digital Shadows Photon Research located more than 15 million stolen login credentials on the dark web. In total, more than two billion passwords have been stolen from servers.

  1. Botnets
    A network of computers infected with malware that cyber criminals can control without the owners noticing. In the cyber underground, (pseudo) hackers can buy access to computers that are already infected, often in a network. Botnet infrastructure can be "rented" from around 100 dollars per month; a complete, ready-made system costs around 7,000 dollars.
  2. Browser exploit packs
    In combination with a botnet framework, browser exploit packs (BEPs) let their buyers spread ransomware or other malware on a large scale. Like any advanced malware, BEPs have built-in modules for obfuscation, optimization and administration of the criminal activity. A complete BEP package costs between $3,000 and $7,000 on the underground market.
  3. Phishing toolkits
    Criminal hackers who want to attack a specific group, or simply ordinary users, can buy ready-made SMTP servers, scam websites or high-quality mailing lists in the crime-as-a-service (CaaS) market at a low price: between 15 and 40 dollars. Combining these with "weaponized documents" is also popular, i.e. files that at first glance look like Word documents or PowerPoint presentations but contain malicious code that exploits known and unknown vulnerabilities in Office to install malware on the user's computer. Depending on the criminals' purposes, that can be ransomware or remote-access toolkits. Such an Office exploit costs between $2,000 and $5,000.
  4. Ransomware
    One of the most popular hacking tools in the cyber underground at the moment is the family of extortion malware. This type of malware can be developed at very different levels of complexity and cause devastating follow-up costs. According to research by Trend Micro, a customizable crypto-locker file is available from around $50. Many ransomware providers, however, also charge a "commission" based on the damage caused, usually around ten percent.

Because of these fundamental weaknesses of passwords, many providers have supplemented them with one-time passwords. Unfortunately, these combined systems are also targeted by fraudsters. They use phishing attacks and route the unsuspecting user through a deceptively genuine-looking phishing website to the real site, relaying the traffic in real time. Both the password and the one-time password are read by the attacker, who can use them within the code's short validity period and resell the password despite the doubled security measures.

To make such attacks harder, many services have made further incremental improvements: they store additional characteristics of each user, such as the browser used, the language or the typing speed. Checking these features, which every (web) application can observe, at the next login is meant to ensure that the user really is the person whose credentials are being used.

The system raises an alarm on any irregularity. Depending on whether only a different browser is used or whether, for example, a credit card suddenly appears in a country on the other side of the world, so-called risk-based authentication evaluates the respective risk and either sends a warning SMS to the stored mobile phone number or blocks the card completely for security reasons.
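As an added illustration of the risk-based check described above (example code written for this page, not from any bank's system), the following Go program compares a login with the user's last known-good login on three signals the text mentions, device fingerprint, country and how fast the user would have had to travel, and maps the resulting score to allow, step-up (the warning SMS) or block. The weights, thresholds and sample logins are constructed assumptions, not values from any product.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// LoginEvent is one login attempt as the service recorded it. All events below are
// constructed sample data, not records from any real system.
type LoginEvent struct {
	User, Device, Country string    // Device: the browser/device fingerprint the service stored
	Lat, Lon              float64   // rough geolocation of the client IP address
	At                    time.Time
}

// Decision is the action the risk engine hands back to the application.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // e.g. warning SMS to the stored mobile number, extra factor
	Block  Decision = "block"
)

// Weights and thresholds are assumptions for this example, not values from any product.
const (
	unknownDeviceWeight = 30
	newCountryWeight    = 30
	impossibleTravelWgt = 60
	stepUpThreshold     = 30
	blockThreshold      = 60
	maxPlausibleKmh     = 900.0 // roughly airliner speed; faster than this is "impossible travel"
	minTravelKm         = 50.0  // below this, IP geolocation jitter is not "travel" at all
)

// haversineKm returns the great-circle distance between two coordinates in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// Score compares a new login with the user's last known-good login and returns the
// accumulated risk plus the reasons behind it.
func Score(prev *LoginEvent, cur LoginEvent) (int, []string) {
	if prev == nil {
		return 0, nil // first login ever: nothing to compare against
	}
	score, reasons := 0, []string(nil)
	if cur.Device != prev.Device {
		score += unknownDeviceWeight
		reasons = append(reasons, "device fingerprint not seen before")
	}
	if cur.Country != prev.Country {
		score += newCountryWeight
		reasons = append(reasons, "country differs from last login")
	}
	// Velocity check: could the user physically have got from there to here in this time?
	// A non-positive delta (clock skew, concurrent sessions) counts as zero travel time.
	dist := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
	hours := cur.At.Sub(prev.At).Hours()
	if dist > minTravelKm && (hours <= 0 || dist/hours > maxPlausibleKmh) {
		score += impossibleTravelWgt
		reasons = append(reasons, fmt.Sprintf("impossible travel: %.0f km in %.1f h", dist, hours))
	}
	return score, reasons
}

// Decide maps a score to the action described in the text.
func Decide(score int) Decision {
	switch {
	case score >= blockThreshold:
		return Block
	case score >= stepUpThreshold:
		return StepUp
	default:
		return Allow
	}
}

// Constructed sample logins for one user; LastGood is the baseline the others are compared to.
var (
	t0         = time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	LastGood   = LoginEvent{"alice", "fp-7f3a", "DE", 52.52, 13.41, t0}                       // Berlin
	SameDevice = LoginEvent{"alice", "fp-7f3a", "DE", 48.14, 11.58, t0.Add(4 * time.Hour)}    // Munich, 4 h later
	NewDevice  = LoginEvent{"alice", "fp-0c1e", "DE", 52.52, 13.41, t0.Add(30 * time.Minute)} // new browser, same place
	FarAway    = LoginEvent{"alice", "fp-7f3a", "AU", -33.87, 151.21, t0.Add(2 * time.Hour)}  // Sydney, 2 h later
)

func main() {
	for _, ev := range []LoginEvent{SameDevice, NewDevice, FarAway} {
		score, reasons := Score(&LastGood, ev)
		fmt.Printf("%s %s  score=%-3d %-8s %v\n", ev.Country, ev.At.Format("15:04"), score, Decide(score), reasons)
	}
}
```

The Munich login four hours after Berlin scores 0 and is allowed; a new browser in the same city scores 30 and triggers the step-up; a login from Sydney two hours later scores 90 (new country plus impossible travel) and is blocked. The velocity check is the piece that a stolen "digital identity" with a copied browser fingerprint does not defeat on its own, which is why it is worth more than the device signal.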

But even this combination of password, one-time password and recorded device characteristics is no longer inviolable. In April 2019, for example, Kaspersky reported on an underground marketplace specializing in a particularly insidious form of identity theft: it sells digital identities that include exactly the additional characteristics Google, Amazon and the like request to recognize their users. Once stolen and copied in this way, these characteristics are just as useless as conventional passwords.

Reading tip: Anti-Phishing - The Best Tools and Services

Authentication - a balancing act

To protect its customers - and of course itself - from access by unauthorized third parties, the financial industry has already introduced numerous security measures and spends a large part of its IT budget maintaining them. Whether TAN reader, one-time password or risk-based authentication: each of these solutions is meant to make authentication both secure and convenient. But the industry has changed enormously over the past few years. Not only have new regulations been added; a wider range of technological options has also made additional measures such as multi-factor authentication indispensable.

For example, the European Banking Authority has stipulated that a one-time password sent by SMS is no longer sufficient on its own to authenticate a user making an online payment, and that a second, independent authentication factor is required in addition. Balancing these security standards with the greatest possible user-friendliness is an important task currently facing banks and credit institutions. The first step in meeting this challenge is to recognize that traditional passwords no longer provide the security our globally networked world needs. Because they can be stolen from the central server together with the user name, or captured by phishing, criminals can carry out transactions without major obstacles.

A further complication is that conventional passwords are often reused for several accounts at the same time. It is also a fact that, because of ever stricter security rules, users find it increasingly difficult to remember the ever more complex combinations of letters and numbers. The result is a real vicious circle that opens the door for internet fraudsters to ever larger amounts of digital loot. The combination of a password with a one-time password has been attacked less often, but one-time passwords do not help against current phishing methods either.

Reading tip: This is how you create and remember really strong passwords

The age of biometrics begins

Biometric authentication methods combined with cryptography could finally solve this problem. They offer considerable advantages not only for banks, credit institutions and their customers, but for every other industry too, and face recognition and fingerprint sensors are easy to use.

It is crucial, however, that the mistakes made so far in managing conventional passwords are not repeated with the new method. The cryptography provides the possession factor: a key that lives only on the user's device and is different for each server, so nothing stolen from one server's database can be used anywhere else. The biometrics (inherence factor) make it easy for the user to unlock that key on their own device.
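The scheme sketched in this section, played out in an added example written for this page rather than taken from any bank's product (the real-world standard that works this way is FIDO2/WebAuthn; the code is a simplified model of the idea, not that standard's protocol): one Ed25519 key pair per server, the private key kept on the device and released only after a local PIN check that stands in for the fingerprint or face match, and a server that holds nothing but public keys and random one-time challenges. The same program also replays the real-time phishing relay from the earlier section, in which the attacker forwards the real bank's challenge through a look-alike site. Hostnames, user name and PIN are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one private key per server (rpID), usable only after
// a local PIN check. A fingerprint or face match would unlock it the same way; the server never
// sees the PIN, the biometric or the private key.
type Authenticator struct {
	pinHash  [32]byte                      // salted hash of the PIN; the PIN itself is not stored
	keys     map[string]ed25519.PrivateKey // rpID -> private key
	unlocked bool
}

func pinDigest(pin string) [32]byte { return sha256.Sum256([]byte("demo-pin-salt|" + pin)) }

// Unlock is the local user-verification step; it happens on the device and nowhere else.
func (a *Authenticator) Unlock(pin string) bool {
	a.unlocked = pinDigest(pin) == a.pinHash
	return a.unlocked
}

// Sign answers a challenge for the site the browser is actually connected to. The rpID is part
// of the signed message, so an assertion produced for one site is useless at any other.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !a.unlocked || !ok {
		return nil, fmt.Errorf("authenticator locked or no credential for %q", rpID)
	}
	return ed25519.Sign(priv, assertionMessage(rpID, challenge)), nil
}

func assertionMessage(rpID string, challenge []byte) []byte { return append([]byte(rpID+"|"), challenge...) }

// Server models a relying party: it stores public keys only and issues random one-time challenges,
// so a stolen user database and a replayed assertion are both worthless.
type Server struct {
	rpID   string
	users  map[string]ed25519.PublicKey
	issued map[string]string // hex(challenge) -> user, deleted on first use
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, users: map[string]ed25519.PublicKey{}, issued: map[string]string{}}
}

func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[hex.EncodeToString(c)] = user
	return c, nil
}

// Verify accepts an assertion only if the challenge was issued to this user and is still unused,
// and the signature checks under the enrolled public key over THIS server's rpID.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	k, pub := hex.EncodeToString(challenge), s.users[user]
	if pub == nil || s.issued[k] != user {
		return errors.New("unknown user, or challenge unknown, expired or already used")
	}
	delete(s.issued, k)
	if !ed25519.Verify(pub, assertionMessage(s.rpID, challenge), sig) {
		return errors.New("signature does not verify for this server")
	}
	return nil
}

// RunScenarios plays a legitimate login, a replay of the same assertion and a real-time phishing
// relay through a look-alike site (hostnames hypothetical); it reports which ones the bank accepted.
func RunScenarios() (legit, replay, relay bool) {
	bank, fake := NewServer("bank.example"), NewServer("bank-login.example")
	dev := &Authenticator{pinHash: pinDigest("1234"), keys: map[string]ed25519.PrivateKey{}}
	dev.Unlock("1234")
	for _, s := range []*Server{bank, fake} { // enrolment: the victim registered at both sites
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)       // fails only if the system RNG does
		dev.keys[s.rpID], s.users["alice"] = priv, pub          // only the public half goes to the server
	}
	c1, _ := bank.Challenge("alice")
	sig1, _ := dev.Sign(bank.rpID, c1)
	legit = bank.Verify("alice", c1, sig1) == nil
	replay = bank.Verify("alice", c1, sig1) == nil // the same assertion presented a second time
	// Relay: the attacker fetches a fresh challenge from the real bank and forwards it to the
	// victim through the fake site, the only rpID the device will sign for in that session.
	c2, _ := bank.Challenge("alice")
	sig2, _ := dev.Sign(fake.rpID, c2)
	relay = bank.Verify("alice", c2, sig2) == nil
	return legit, replay, relay
}

func main() { fmt.Println(RunScenarios()) } // prints: true false false
```

The legitimate login succeeds; the replay fails because the challenge was burned on first use; the relayed assertion fails because the device signed with the key for the look-alike site over that site's rpID, which the real bank cannot verify against the key it enrolled. This is exactly the property a relayed SMS code lacks: the code is just a number and carries no binding to the site that requested it.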

As an alternative to biometrics, users can also use a PIN. Neither the PIN nor the biometric data is ever sent to the server; both only unlock the key locally on the device. If these principles are observed, nothing stands in the way of biometric authentication soon becoming established in the financial industry and replacing traditional passwords with a more secure and convenient alternative. (bw)