Reconciling TouchID with Bank T&Cs

Apple’s TouchID is brilliant – I now use it not only to unlock my phone, but also to log into my Amazon account. I can also use it to log into my Amex app and my bank’s mobile banking app. And of course, it is the way to initiate Apple Pay transactions. The only trouble is that none of those providers can be assured that it is really me doing all of this. TouchID allows registering up to 10 different fingerprints, and authenticates the user locally by matching his or her fingerprint to the registered templates. However, authentication is not the same as identity – banks and other apps know it is someone authorised to use that phone, but they don’t know it’s me, Zil Bareisis. It is likely to be me, but it could also be my wife or my kids. It could even be a total stranger if in some bizarre bout of insanity, I allowed them to register their fingerprint with my phone. The Telegraph reported last week that the UK banks are very much aware of this issue and have decided to take a hard stance:
“Banks have warned customers that if they store other people’s fingerprints on their iPhones they will be treated as if they have failed to keep their personal details safe.
This means the bank can decline to refund disputed transactions or refuse to help where customers claim they have been victims of fraud.”
According to the paper, “the banks’ position is typically buried in the detail of bank account Ts & Cs”, something that, as we all know, most people accept without reading in detail.

I can appreciate the banks’ concerns, but I wonder if they are somewhat overblown. Although this will change in time, most Apple Pay transactions in the UK are still capped at the contactless limit (£30). Any of my family members today can take my contactless card and make a contactless payment without any PIN. I haven’t heard many suggestions that I should keep my card locked away from my family members. However, if this were to happen, I should be prepared to accept my family’s transactions and not report them as fraud.

I am no legal expert, but it doesn’t feel like inserting protective statements within T&Cs is the way forward. First, it’s not very transparent. Second, if the issue were to arise, it is something that would not be easy for banks to prove. Could consumers just delete all the other fingerprints in case of a dispute? Finally, it’s just poor customer service.

Instead, banks should invest in educating consumers about digital technologies and how to use them safely and responsibly. Even if it’s as basic as, “don’t allow strangers to register their fingerprints on your phone” and “be prepared to accept your family’s transactions and not dispute them as fraud.” As the value of Apple Pay transactions grows, banks ought to consider deploying additional techniques, such as behavioural analysis, to authenticate the users and minimise fraud. As with most security, a multi-layered approach is likely to work best.
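As an added illustration of the layered approach argued above (not part of the original post), here is a step-up policy in Python: a TouchID match is taken only as evidence that someone enrolled on the phone unlocked it, exposure below the £30 contactless cap is accepted as no worse than a tapped card, and anything beyond that asks for a knowledge factor backed by a crude behavioural score. The customer profile, signals and thresholds are all constructed assumptions, not any bank’s actual rules.

```python
from dataclasses import dataclass

CONTACTLESS_LIMIT_GBP = 30.0  # UK contactless cap quoted in the post


@dataclass
class Profile:
    """Constructed per-customer history used for behavioural checks (assumed signals)."""
    typical_amount_gbp: float
    usual_hours: set            # hours of day the customer normally transacts
    known_merchants: set
    high_value_account: bool = False   # e.g. private banking account with high balances


@dataclass
class Attempt:
    amount_gbp: float
    hour: int
    merchant: str
    device_biometric_ok: bool   # TouchID matched one of the enrolled templates
    device_bound: bool          # this phone was previously registered to the customer


def behaviour_score(p: Profile, a: Attempt) -> float:
    """Crude behavioural analysis: fraction of signals consistent with past behaviour."""
    signals = [
        a.amount_gbp <= 3 * p.typical_amount_gbp,
        a.hour in p.usual_hours,
        a.merchant in p.known_merchants,
    ]
    return sum(signals) / len(signals)


def required_step_up(p: Profile, a: Attempt) -> str:
    """Decide which extra check a transaction needs before it is authorised.

    'none' : local biometric is enough (within contactless exposure, behaviour typical)
    'pin'  : ask for a knowledge factor that other users of the phone should not have
    'deny' : decline; there is no evidence beyond 'someone enrolled on this phone'
    """
    if not (a.device_biometric_ok and a.device_bound):
        return "deny"
    score = behaviour_score(p, a)
    within_cap = a.amount_gbp <= CONTACTLESS_LIMIT_GBP and not p.high_value_account
    if within_cap and score >= 0.5:
        return "none"   # exposure no worse than a contactless card tapped by a family member
    if score > 0.0:
        return "pin"    # the biometric proved possession and enrolment, not identity
    return "deny"
```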

Logging Into Your Bank in a Heartbeat

Apple may not always come up with the idea in the first place, but by throwing their weight behind it they can take the idea mainstream. Biometric authentication has existed for years, but it was Apple that really brought it to everyone’s attention when it first launched TouchID, and subsequently demonstrated with Apple Pay how biometrics can be used to authenticate a payment transaction. Now financial institutions are looking for ways to use biometrics to authenticate customers for other things, such as logging into online and mobile banking. Everyone agrees that the situation where we all have to remember a plethora of passwords and PINs has become unmanageable and is now a serious security concern. In the UK, RBS and Natwest announced in February that their customers can now log into their mobile banking app with Apple’s TouchID available on the iPhone 5s, 6 and 6 Plus.

The critics of biometric authentication point to a number of shortcomings – for example, TouchID was hacked soon after launch by using a fake finger made from a photograph of a fingerprint left on a glass surface. If your password gets stolen, you can change it; it is a lot worse if the record of your fingerprint is compromised. And the extreme scenarios bring up the Hollywood-style scenes of cut-off fingers and loose eyeballs. True, no security is perfect, so layering and balancing is important. For example, even after the log-in, RBS and Natwest require further authentication for some payment transactions. You also might want more assurances if you are getting access to a private banking account with high balances.

Some banks are also experimenting with more sophisticated biometric technologies. Last year, Barclays trialled a special fingerprint scanner which uses infrared light to scan blood flow in the veins of a person’s finger, and was planning to roll out the scanner to commercial customers. Incidentally, using the “vein profile” solves the “cut-off finger” challenge.

Halifax, another UK bank, is trialling the technology from the Canadian firm Bionym. The bracelet called “Nymi” measures the intricate “cardiac rhythms” unique to every person, which can be used not only to log into a mobile banking app, but also potentially for many other applications, such as gaining access to the office, unlocking a car, or even boarding a plane and crossing borders. As always with new technologies, there is lots to learn and work out. But it seems that the future of logging into your bank account with a heartbeat (quite literally!) is not that far away.