Apple are right and wrong

I’m sure you’ve all seen this story by now.

Thousands of iPhone 6 users claim they have been left holding almost worthless phones because Apple’s latest operating system permanently disables the handset if it detects that a repair has been carried out by a non-Apple technician.

From ‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone 6 | Money | The Guardian

Now, when I first glanced at this story on Twitter, my immediate reaction was to share the natural sense of outrage expressed by other commentators. After all, it seems to be a breach of natural justice that if you have purchased a phone and then had it repaired, it is still your phone and you should still be able to use it.

I have my Volvo fixed by someone who isn’t a Volvo dealer and it works perfectly. The plumber who came round to fix the leak in our bathroom a couple of weeks ago doesn’t work for the company that built the house, nor did he install the original pipes, and he has never fixed anything in our house before. (He did an excellent job, by the way, so hats off to British Gas HomeCare.)

If you read on however, I’m afraid the situation is not so clear-cut and I have some sympathy for Apple’s actions, even though I think they chose the wrong way to handle the obvious problem. Obvious problem? Yes.

The issue appears to affect handsets where the home button, which has touch ID fingerprint recognition built-in, has been repaired by a “non-official” company or individual.

From ‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone 6 | Money | The Guardian

Now you can see the obvious problem. If you’re using your phone to make phone calls and the screen is broken, then what does it matter who repairs the screen as long as they repair it properly? But if you’re using your phone to authenticate access to financial services using touch ID, then it’s pretty important that no one has messed around with the touch ID sensor to, for example, store copies of your fingerprint templates for later replay under remote control. The parts of the phone that other organisations are depending on as part of their security infrastructure (e.g., the SIM) are not just components of the phone like any other component, because they feature in somebody else’s risk analysis. In my opinion, Apple is right to be concerned. Charles Arthur just posted a detailed discussion of what is happening.

TouchID (and so Apple Pay and others) don’t work after a third-party fix that affects TouchID. The pairing there between the Secure Element/Secure Enclave/TouchID, which was set up when the device was manufactured, is lost.

From Explaining the iPhone’s #error53, and why it puts Apple between conspiracy and rock-hard security | The Overspill: when there’s more that I want to say

Bricking people’s phones when they detect an “incorrect” touch ID device in the phone is the wrong response though. All Apple has done is make people like me wonder if they should really stick with Apple for their next phone, because I do not want to run the risk of my phone being rendered useless because I drop it when I’m on holiday and need to get it fixed right away by someone who is not some sort of official repairer.

What Apple should have done is to flag the problem to the parties who are relying on the risk analysis (including themselves). These are the people who need to know if there is a potential change in the vulnerability model. So, for example, it would seem to me to be entirely reasonable in the circumstances to flag the Simple app and tell it that the integrity of the touch ID system can no longer be guaranteed and then let the Simple app make its own choice as to whether to continue using touch ID (which I find very convenient) or make me type in my PIN, or use some other kind of strong authentication, instead. Apple’s own software could also pick up the flag and stop using touch ID. After all… so what?

Touch ID, remember, isn’t a security technology. It’s a convenience technology. If Apple software decides that it won’t use Touch ID because it may have been compromised, that’s fine. I can live with entering my PIN instead of using my thumbprint. The same is true for all other applications. I don’t see why apps can’t make their own decision.

Apple is right to take action when it sees evidence that the security of the touch ID subsystem can no longer be guaranteed, but surely the action should be to communicate the situation and let people choose how to adjust their risk analysis?
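A sketch of the alternative argued for above, as an added example that is not Apple’s code: the boot-time pairing check still runs, but its outcome is exposed to relying apps as an integrity flag and each app applies its own policy (keep the biometric, fall back to the PIN, or demand stronger authentication). The enclave key, the HMAC-based pairing record and the app policies are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical relying-party policies for the case where the sensor is no longer trusted.
BIOMETRIC_OK = "biometric_ok"                          # convenience only: keep using the fingerprint
PIN_IF_UNTRUSTED = "pin_if_untrusted"                  # e.g. a banking app: fall back to the passcode
STRONG_AUTH_IF_UNTRUSTED = "strong_auth_if_untrusted"  # e.g. require the passcode plus a one-time code


@dataclass(frozen=True)
class PairingRecord:
    """Binding between the enclave and the sensor fitted at manufacture (constructed model)."""
    sensor_id: bytes
    tag: bytes  # HMAC over sensor_id under a key known only to the enclave


def pair_at_manufacture(enclave_key: bytes, sensor_id: bytes) -> PairingRecord:
    """Factory step: record which sensor belongs with this enclave."""
    return PairingRecord(sensor_id, hmac.new(enclave_key, sensor_id, hashlib.sha256).digest())


def sensor_integrity(enclave_key: bytes, record: PairingRecord, fitted_sensor_id: bytes) -> str:
    """Boot-time check: 'trusted' if the fitted sensor is the paired one, otherwise 'untrusted'.
    The handset keeps working either way; only the flag changes."""
    expected = hmac.new(enclave_key, fitted_sensor_id, hashlib.sha256).digest()
    return "trusted" if hmac.compare_digest(expected, record.tag) else "untrusted"


def choose_auth_method(integrity: str, policy: str) -> str:
    """The relying app's own decision, given the integrity flag the OS exposes."""
    if integrity == "trusted" or policy == BIOMETRIC_OK:
        return "touch_id"
    if policy == PIN_IF_UNTRUSTED:
        return "pin"
    if policy == STRONG_AUTH_IF_UNTRUSTED:
        return "pin+otp"
    raise ValueError(f"unknown policy {policy!r}")


def boot_and_authenticate(enclave_key: bytes, record: PairingRecord,
                          fitted_sensor_id: bytes, apps: dict) -> dict:
    """Run the check once at boot; report each app's chosen method and that the phone stays usable."""
    integrity = sensor_integrity(enclave_key, record, fitted_sensor_id)
    decisions = {name: choose_auth_method(integrity, policy) for name, policy in apps.items()}
    return {"usable": True, "integrity": integrity, "decisions": decisions}


# Constructed sample values (not real keys or serials).
ENCLAVE_KEY = b"constructed-enclave-key-not-real"
FACTORY_RECORD = pair_at_manufacture(ENCLAVE_KEY, b"sensor-serial-0001")
APPS = {"bank": PIN_IF_UNTRUSTED, "notes": BIOMETRIC_OK, "wallet": STRONG_AUTH_IF_UNTRUSTED}

if __name__ == "__main__":
    print(boot_and_authenticate(ENCLAVE_KEY, FACTORY_RECORD, b"sensor-serial-0001", APPS))
    print(boot_and_authenticate(ENCLAVE_KEY, FACTORY_RECORD, b"sensor-serial-9999", APPS))
```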

Will America bypass chip and PIN? One of the things I’m going to Money2020 to find out

Another article, this time in American Banker, questioning the rather odd trajectory of EMV in the USA. You’ll recall, I’m sure, that a number of international observers expressed surprise when (some time back) the banks over there decided to roll out chip and signature rather than chip and PIN or, indeed, chip and anything else (fingerprints, body odour or voice recognition). No-one seems to know why.

One reason banks offer for this choice is the presumed difficulty of remembering another PIN. Are we to think that Americans are not quite as capable as the British, Dutch or Canadians — all of whom managed to figure out a way to make the more secure Chip and PIN work?

[From A Chip Without a PIN Is Asking for Fraud | Bank Think]

Is that really it? That American card issuers think that Americans are too stupid to remember a four-digit PIN? That seems somewhat patronising to me. I wonder what the American government thinks about it? The FBI thinks that Americans can use a PIN. Or at least they did, before their CVM recommendation was mysteriously taken down.

The alert, which was removed from the FBI’s Internet Crime Complaint Center site on Oct. 9, noted: “When using the EMV card at a POS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card”… That recommendation left many of us scratching our heads because the vast majority of U.S. banks and credit unions have opted to roll out EMV as a chip-and-signature, not chip-and-PIN, transaction.

[From FBI Quickly Pulls Alert About EMV – BankInfoSecurity]

So. Checkpoint. What do we know? Well, we know that PIN is far more secure than signature (I remember being told by Walmart that fraud on PIN debit cards was 250 times less than fraud on signature debit cards). The US banks are going to the expense of issuing chip cards that will defend only against the particular fraud of card counterfeiting — although to be fair, according to the Nilson Report, counterfeit card fraud losses to US issuers were something like a quarter of total world card fraud losses last year. But why not defend against other kinds of fraud (e.g., lost and stolen cards) by adding the PIN? Old chum David Poole says that the US is “stark raving mad” not to adopt PIN, on the basis of the latest fraud figures.

I was fascinated to read the latest fraud figures as reported in The Nilson Report this week. Worldwide card fraud is up 15% to $16b in 2014. Read that again – $16b that could potentially solve some austerity problems not to mention some poverty. I dare say many organisations would love to be reporting >15% top line revenue growth.

[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]

Let’s just put those figures in context. One of my favourite statistics last year, one that I often dropped into presentations, was that the US is a quarter of the world’s card volume but half of the world’s card fraud. Well, I’m afraid that statistic is no longer valid. On the basis of the latest figures, the US is now a fifth of the world’s card volume and half of the world’s card fraud. And remember, this is the cost to issuers. It does not take into account the costs to merchants or the police.

The USA accounted for 48% of these losses. But a very important detail should not be omitted; this figure is over only 21% of the purchase volume. While this globally represents 5.65 cents in every $100 spent, the USA has more than doubled that at 12.75c per $100, and over the last five years the figure has increased each year.

[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]

The US has a problem. Yet, to be frank, if you were inventing EMV today, in a world of smartphones and online and biometrics, then you almost certainly wouldn’t come up with chip and PIN. You’d probably use a combination of convenient authentication and back-office analysis. It would not be surprising to me if the US banks have thought about this and have no intention of going to chip and PIN for their domestic market because chip solves their biggest card present fraud category (counterfeit, which is about half of their losses in the US) and tokenisation is a better solution to the card not present fraud category (and pretty much everything else). The evidence for this is that they’ve gone to chip, but rather than spend hundreds of millions on upgrading ATM networks for PIN management, waiting for merchants to add PINpads and educating customers about looking after their PINs, they’ve instead spent the money on tokenisation infrastructure, assuming that the growth of mobile, especially in-app, will be a more effective means to tackle overall fraud.

So, what does this mean? Well, that’s what I’m hoping to find out at Money2020 in Las Vegas next week, where I am chairing the session on authentication. For most of our clients, where to invest next is a crucial strategic question. Do they assume that US consumers and merchants will get fed up with “chip and wait” pretty quickly and so develop an appetite for contactless that they lack in a “swipe and go” world? Do they assume that none of this matters because in-store, online and mobile will all converge on in-app solutions? Do they assume that clever use of tokenisation platforms will deliver new services over and above fraud reduction? Well, it’s probably all three, but I will be fascinated to discover the sentiment in the corridors of the Venetian and will, of course, report back.

“Personal” computers weren’t

Kicking off the session on “Old vs. New P2P” at Mobile Banking & Payments in New York, Steve Kirsch (the CEO of Token) made the strong point that somehow the era of the PC and the Internet left the basic payment “rails” unchanged. For a long time we’ve papered over the cracks — using 3D Secure, PCI-DSS and so on — but with the arrival of the smartphone we could all see that it was time for change. What we may have underestimated is just how big that change will be.

it can still feel natural to talk of the PC as the most fully-featured version of the internet, and mobile as the place where you have to make lots of allowances for limitations of various kinds… I’d suggest that we should think about inverting this – it’s actually the PC that has the limited, basic, cut-down version of the internet.

[From Mobile first — Benedict Evans]

I couldn’t agree more. And in my framing, it’s all to do with identity. The PC was never personal: it didn’t have a SIM. My laptop isn’t mine in the same sense that my smartphone is and, as a consequence, will never be able to deliver as personal a service. Now, I suppose you could argue that it’s silly to talk about smartphones as PCs because they are, after all, phones.

The study also showed that four in ten users could manage without the call-making capability on their handset.

[From Soft cell: 40% of Brits don’t make calls on smartphones – report — RT UK]

I rarely make calls on my smartphone and I rarely answer them either. Unless it’s the police, my CEO or my wife then I’ll let it go to voicemail or hit the “please text me if it’s anything important” button. Calling it a phone is just a figure of speech, like when you say you are going to dial a number to someone who has never seen a phone dial and has no idea why the word “dial” is used in that context.

So what is the smartphone for?

We’ve all seen a thousand conference slides that show the smartphone as a Swiss army knife: calendar, watch, contact book, diary, games console, social media gateway, radio and so on. But if we go back to Benedict’s point, then we can answer the question in a different way. My smartphone is… me. Well, as good as. It’s sort of proxy me.

a smartphone knows much more than a PC did… It can see who your friends are, where you spend your time, what photos you’ve taken, whether you’re walking or running and what your credit card is.

[From Mobile first — Benedict Evans]

We can all see what the consequences are in payments and banking. The practical result of the identity-less PC vs. the proxy-identity smartphone is that when I want to transfer some money or pay a bill, I use my excellent Barclays mobile app. I’ll only use my laptop if I absolutely have to because I have to type stuff in (like setting up a new payee). Conversely, it seems bizarre that when I phone up my bank, or my insurance company, or my airline or whatever else, I’m asked to demonstrate my identity by getting involved in (as I heard someone describe it recently) an episode of Jeopardy hosted by Kafka — OK, Franz, let’s go with “places I have lived” — when they could just ask the other me. The mini-me. The mobile-me.

Similarly, when I go into a bank branch or a retail outlet or a government office, why do they ask me for bits of paper that cannot possibly be verified when they could just ping mobile-me? App pops up on the phone, you put your finger on the sensor, job done. And just as the crucial role of the smartphone in disrupting the payments industry is to take payments, not make them, so the crucial role of the smartphone in disrupting the payments industry is to validate credentials, not present them. Since my mobile-me can check that your mobile-me is real, our mobile world ought to be much safer than our internet world.

Mobile payment is fun, but mobile ID might be indispensable

We hardly notice identity fraud any more. Every day the wires bring more tales of fraud, theft, mischief and mayhem. Our antediluvian identity infrastructure, still based on the pre-industrial infrastructure of paper and signatures, has shifted from being a business irritant to a fundamental barrier to progress.

To my horror, I discovered my savings were nearly wiped out. Over the previous two business days, a woman claiming to be me had used a fake photo ID to make five large, in-person cash withdrawals from different branches of my bank in two faraway states. The largest withdrawal was $4,800; the smallest was $2,400.

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

Now, you might think that this is a little odd. Surely, you would imagine, if someone walks into a bank to draw out a few thousand dollars in cash then the bank would take their identity document and authenticate it — let’s say take their secure microchip on a plastic card and get them to enter a PIN, or take their e-passport and verify via digital signature and online lookup — before doling out the dosh. But apparently not.

Why was it so easy for a petty criminal to get away with so much cash? It doesn’t take many brains to understand that data breaches have created a thriving market for confidential financial information. And modern technology apparently provides the means to create authentic-looking fake IDs… In many of today’s bank branches, it seems in-person transactions still rely heavily on paper and trust. “If the teller feels that the person standing in front of them is indeed the customer, they’ll give out the cash,” several bank employees explained to me. Am I really to believe that with more tools available than ever to detect crime, a major bank relies on employees’ “feelings” to verify customers’ identities?

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

This is indeed puzzling. Not that anyone should be using driver’s licenses as identity documents anyway, since bank tellers and bar bouncers are not anti-terrorist geniuses capable of spotting fake IDs from around the world in an instant — note that if they actually did want to verify these documents properly, they could always use technology to do it (e.g., Au10tix) — when everyone that walks into the bank or the bar is carrying a piece of technology that can easily provide the combination of identification and strong authentication that is more than adequate for business.

Mobile financial services can’t expand fast enough, in my opinion. Though nothing is foolproof, a mobile phone seems like a good starting point for verifying a customer’s identity and immediate physical location

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

If I walk into a branch of Barclays (I can’t off the top of my head imagine why I might do this, but let’s just say) then the Barclays mobile app is more than capable of telling the branch who I am. It seems like an obvious way forward. But there is another reason why a mobile app might be a better basis for establishing identity than a scrawled signature or a trivially-counterfeitable utility bill or whatever: the principle of identity symmetry. When the bank asks your mobile app to authenticate you, your mobile app can simultaneously verify the digital signature on the request so that it knows it is dealing with your real bank. The Secure Enclave that hosts my tokens could also validate other people’s tokens to close the security loop. Ah, you might think, that might apply online but why would you need that in a physical branch? Well,

A Chinese man made thousands of dollars by opening a fake branch of one of the world’s largest banks. The man, whose surname is Zhang, equipped the fraudulent China Construction Bank outlet with card readers, passbooks and three teenage girls at the teller counter. One of the girls posing at the branch near Linyi, Shandong province, was the man’s 15-year-old daughter.

[From Chinese farmer swindles thousands of dollars by opening fake BANK | Daily Mail Online]

Brilliant. I love this story. No-one spotted that this entire bank branch was fake, not until a woman who deposited $6,200 at the fake branch could not withdraw it from a real branch a month later. The managers there spotted the fake deposit and contacted the police!

We can use mobile phones to prevent this kind of thing. But who will do so? Why don’t we all have working mobile ID already, given that the idea has been around for years? The key question is: will the banks and the mobile operators and the handset manufacturers and the platform providers and the government be able to work together to deliver a mobile ID infrastructure, just as they did not work together to deliver a mobile payments infrastructure? Assuming the answer is no, then we are relying on Apple to once again perform its sheepdog role of corralling the banks so that the next time I access my bank online, use an ATM, walk into a bank branch or phone the bank from home, I will expect my bank app to pop open on my iPhone and ask for authentication. Once I’ve used TouchID or entered my PIN then I will know that I’m dealing with my real bank web site, ATM, call centre or branch and I’ll be able to get my banking service with a minimum of fuss.

The ability to recognise each other (as I’ve written many times before) is the fundamental precursor to relationships (and therefore transactions). If there were a cost-effective and convenient mechanism to do this that could be used for governments and citizens to recognise each other, for businesses and consumers to recognise each other and for banks and their customers to recognise each other, we would see an inevitable growth in transactions and open up the virtual world to even more innovation and entrepreneurship. If my “Apple ID” provides a convenient mechanism for mutual recognition in person and on line, it will be indispensable in short order. I am heartily sick of usernames and passwords, account numbers and one-time codes, call centres and secret words and I can’t wait for my mobile to do away with them.

High value in Apple Pay

At a recent industry event, I overheard a discussion about paying contactlessly with Apple Pay that made it obvious to me that the (bank) participants were not at all clear about how the authentication options will work with the contactless no-CVM (“tap and go”) limits set by UK Cards. Naturally, instead of taking the time to explain it to them, I rather selfishly thought “what a great idea for a blog post”. So here we go.

Most contactless terminals today have a £20 transaction limit, which makes sense when you accept contactless cards, which offer no cardholder verification mechanism (CVM). It doesn’t make sense for an Apple Pay transaction which uses biometric cardholder authentication via Touch ID.

[From Celent Banking Blog » Apple Pay: welcome to the UK!]

That’s right, it doesn’t. Which is why the CVM can be replaced by the CDCVM if the terminals are running the correct software. Wait, what? CDCVM?

Consumer Device Cardholder Verification Method (CDCVM) is a type of consumer verification method (CVM) supported by the card networks when assessing transactions originating from mobile devices. Verification is used to evaluate whether the person presenting the payment instrument is the legitimate owner of the instrument, and affects where the liability lies for fraudulent transactions.

[From Consumer Device Cardholder Verification Method – Apple Support]

CVM, as you will recall, is part of the EMV standard.

The EMV specification allows for a number of different Cardholder Verification Methods (CVMs) and any particular card will have the acceptable CVMs stored on it, in order, by its issuer.

[From Signature solution | Consult Hyperion]

Right, so, when you have CDCVM, this is used as the CVM. Are we clear on this? Provided that the terminal is running the correct software, your phone will take care of verification and the issuer can then decide whether or not to authorise the transaction based on the enhanced authentication. I don’t know what the situation in the US is, but in the UK the rollout of this “high value contactless” infrastructure began some time before the Apple Pay launch.

A new service that lets NFC phone users enter their PIN on their mobile device to confirm a high value transaction is making it possible for UK consumers to make contactless payments valued at more than the current £20 (US$32) transaction limit for the first time.

[From High value contactless payments arrive in the UK • NFC World+]

In essence, this means that the £20 (soon to be £30) limit does not apply to mobile phones with strong authentication, provided the terminal is running the correct software, of course. Consumers, as far as I can tell, will have no way of knowing this. I know, for example, that Pret a Manger has updated their software, so when we went off to Pret to film a live item for the BBC Six O’Clock News, Rory Cellan-Jones (the BBC technology correspondent) could have bought more than twenty quid’s worth of coffee and pastries with a single tap there and then.

Behind the curtain

He didn’t. But back to the story. Apple Pay uses this infrastructure, so…

For Apple Pay transactions, CDCVM acts in place of other methods of verification when it’s supported by the payment terminal.

[From Consumer Device Cardholder Verification Method – Apple Support]

Good. Now, this has a specific implication in the case of Apple Pay, which is that Touch ID (fingerprint authentication) can take the place of entering a PIN or signature at the terminal or entering a passcode on the device for transactions above the contactless limit…

With Apple Pay, Touch ID or the device passcode can be used as the consumer device verification method, instead of the more traditional methods of PIN, signature for transactions in stores, or 3D Secure for transactions within apps… For Apple Pay contactless EMV transactions, CDCVM is performed and verified entirely on the iOS device (e.g. iPhone 6 and Apple Watch).

[From Consumer Device Cardholder Verification Method – Apple Support]

OK, so (just as you would expect) if you have authenticated yourself to your phone, then you can just tap and go even if the transaction is above the contactless no-CVM limits. You don’t have to enter a PIN on the terminal or sign a paper receipt. It seems to me that there are plenty of retail POS situations where this will work very well: you “pre-arm” your Apple Wallet by authenticating with Touch ID and then tap and go. I was thinking about this in a cab yesterday because that’s an obvious case (as I’ve mentioned before: in the back of a cab I tend to be sitting on my wallet but have my phone in my hand).
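An added example, not code from the original post or from any EMV kernel, that makes the two mechanisms above concrete: it parses an EMV CVM List (tag 8E, the issuer-ordered list of acceptable CVMs quoted from the Consult Hyperion post), walks the rules against the terminal’s capabilities as EMV Book 3 describes, and then layers on the contactless no-CVM limit and CDCVM from the “high value contactless” paragraphs. The contactless wrapper and the sample list are simplifications constructed here, not taken from a real kernel or card.

```python
"""EMV CVM List (tag 8E) parsing and selection, plus a simplified model of the
contactless no-CVM limit and CDCVM. Constructed example; the contactless wrapper
is an assumption and not taken from any real kernel specification."""
import struct
from dataclasses import dataclass

# CVM method codes (low six bits of the CVM code byte), EMV Book 3.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}


@dataclass(frozen=True)
class CvmRule:
    method: int
    condition: int
    continue_on_fail: bool  # bit 7 of the CVM code: try the next rule if this one fails


@dataclass(frozen=True)
class CvmList:
    amount_x: int  # thresholds for condition codes 06-09, in the application currency
    amount_y: int
    rules: tuple


@dataclass
class Terminal:
    supported_methods: frozenset
    unattended_cash: bool = False
    manual_cash: bool = False
    cashback: bool = False
    application_currency: bool = True  # transaction currency matches the card's


def parse_cvm_list(data: bytes) -> CvmList:
    """Amount X (4 bytes) || Amount Y (4 bytes) || 2-byte rules: CVM code, CVM condition."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    amount_x, amount_y = struct.unpack(">II", data[:8])
    rules = tuple(
        CvmRule(method=code & 0x3F, condition=cond, continue_on_fail=bool(code & 0x40))
        for code, cond in zip(data[8::2], data[9::2])
    )
    return CvmList(amount_x, amount_y, rules)


def condition_met(rule: CvmRule, term: Terminal, amount: int, cl: CvmList) -> bool:
    """CVM condition codes from EMV Book 3; RFU/proprietary codes are treated as not satisfied."""
    c = rule.condition
    if c == 0x00:
        return True
    if c == 0x01:
        return term.unattended_cash
    if c == 0x02:
        return not (term.unattended_cash or term.manual_cash or term.cashback)
    if c == 0x03:
        return rule.method in term.supported_methods
    if c == 0x04:
        return term.manual_cash
    if c == 0x05:
        return term.cashback
    if 0x06 <= c <= 0x09:
        if not term.application_currency:
            return False
        limit = cl.amount_x if c in (0x06, 0x07) else cl.amount_y
        return amount < limit if c in (0x06, 0x08) else amount > limit
    return False


def select_cvm(cl: CvmList, term: Terminal, amount: int) -> str:
    """Walk the rules in issuer order; the first applicable rule decides the method."""
    for rule in cl.rules:
        if not condition_met(rule, term, amount, cl):
            continue
        if rule.method not in term.supported_methods:
            if rule.continue_on_fail:
                continue
            return CVM_METHODS[0x00]
        return CVM_METHODS.get(rule.method, f"Proprietary/RFU method 0x{rule.method:02X}")
    return CVM_METHODS[0x00]  # list exhausted: cardholder verification was not successful


def contactless_cvm(cl: CvmList, term: Terminal, amount: int,
                    no_cvm_limit: int, cdcvm_performed: bool) -> str:
    """Assumed 'high value contactless' behaviour: under the limit nothing is asked; above it a
    consumer device that has already verified its user (CDCVM, e.g. Touch ID) satisfies CVM,
    while a plain card falls back to the issuer's list on the terminal."""
    if amount <= no_cvm_limit:
        return CVM_METHODS[0x1F]
    if cdcvm_performed:
        return "CDCVM (verified on consumer device)"
    return select_cvm(cl, term, amount)


# Constructed sample list: X = Y = 0; online PIN, then ICC PIN, then signature (each only if the
# terminal supports it), then "no CVM" unless the transaction is unattended/manual cash or cashback.
SAMPLE_CVM_LIST = parse_cvm_list(bytes.fromhex("0000000000000000" "4203" "4103" "1E03" "1F02"))
SIGNATURE_TERMINAL = Terminal(supported_methods=frozenset({0x1E, 0x1F}))  # US "chip and signature"
ONLINE_PIN_TERMINAL = Terminal(supported_methods=frozenset({0x02, 0x1E, 0x1F}))
NO_CVM_LIMIT_PENCE = 2000  # the GBP 20 limit discussed in the post
```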

Black cabs could be legally obliged to accept contactless credit cards, as a new set of proposals are opened up to consultation… The proposal was backed at a meeting last month between TfL, the deputy mayor for transport Isabel Dedring, senior taxi trade representatives and card providers.

[From London’s black cabs could be made to offer contactless payments | City A.M.]

So if cabs are made to accept contactless payments and if they use the “high value” terminal software then, at last, things will work properly: open your Apple Wallet, pre-arm the transaction using Touch ID and then, when the cab pulls up at your destination, at last, tap and go. None of this will matter to most people, of course, because they will pay using Apple Pay, Google Pay, Samsung Pay and everything else Pay inside Gettaxi, Uber, Hailo or another taxi app.

Authentication yes, identification… hhmmm…

I had the great good fortune to be asked by the GSMA to chair the Mobile Identity session at this year’s Mobile World Congress in Barcelona. During the absolutely excellent session, which featured input from Telesign, Payfone, Early Warning, Telenor, the UK Cabinet Office and Nok Nok, I happened to mention in passing that I thought that a global mobile-centric authentication push (perhaps using FIDO) was possible and that it would make life easier for many people, but that it wasn’t clear to me at all that a global identification platform was getting any closer.


A couple of people asked me about this afterwards, and so I thought it would make an interesting blog topic to look at real-world, population-scale identification as discussed in the session. I’ll use Pakistan as an example. Pakistan has very strong identification laws around mobile and rigorously-enforced mandatory SIM registration.

[Pakistanis] have to show their IDs and fingerprints. If the scanner matches their print with the one in a government database, they can keep their SIM card. If not, or if they don’t show up, their cellphone service is cut off.

[From Pakistanis now need to be fingerprinted to have a cellphone – Business Insider]

This will help to stop criminals and terrorists from obtaining mobile phones and operating with impunity in Pakistan, because it depends on the integrity of the national identity register. Oh, wait…

The famous green-eyed ‘Afghan girl’ immortalised by the National Geographic magazine on its 1985 cover has been living in Pakistan on fake documents, prompting authorities to launch a probe. Four officials were suspended on Wednesday for allegedly issuing fake Computerised National Identity Card (CNIC) to Sharbat Gula and her two ‘sons’.

[From National Geographic Afghan Girl living on fake identity card in Pak : World, News – India Today]

National identity registers are a single source of failure and a natural honeypot for crime and corruption, as Pakistan has discovered.

The National Database and Registration Authority [NADRA] reports that it has deployed a state-of-the-art facial matching system with the capabilities to stop fraud and forgery in identity documents, yet people are still able to obtain forged identity cards. This was very puzzling to understand given the supposed surety, accuracy and privacy of NADRA database that such a scam was still happening even after the introduction of new chip-based identity cards.

[From Identity theft persists in Pakistan’s biometric era | Privacy International]

It’s not “puzzling” at all as far as I am concerned.

Identity theft is more common in single reference systems such as centralised national population registers, as they create a single point of failure, and centralisation increases rather than reduces the potential for fraud. Doppelganger matches also become more likely in large scale databases.

[From Biometric Smart ID Cards: Dumb Idea :: SACSIS.org.za]

So while it makes sense for service providers to rely on biometric authentication to digital identities that they themselves will bind to virtual identities (with attributes), it is not so clear that it makes sense for service providers to rely on biometric identities established by third parties. In fact, when it comes to mobile phones, in this case I might go even further and say that it is not at all clear to me that we should be attempting to stop the bad guys from using mobile identities at all!

Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.

[From Search Results SIM registration]

There’s a further point to make here, away from the exigencies of national security and the war on terror and in the world of business. As the banks have long understood, the issue of identification is inextricably linked to liability. There’s a world of difference between me as an operator saying to a service provider that “this is subscriber XYZ and it’s the same person who logged in last time and it’s still the same handset and SIM” and saying to a service provider that “this is Dave Birch”. I know I sound like a broken record on this, but in the overwhelming majority of interactions, who you are is not the point. The point is whether you are allowed to do something, whether you have credit, whether you are a subscriber or whatever. Trying to work out who someone “really” is means a world of legal pain.

According to the Post, “…sources say Instagram, owned by Facebook, ran into “serious legal problems” over its verification process and has been forced to pause it. Some suspect Twitter, which also has a verification system, had an issue with Instagram’s.”

[From Instagram is no longer verifying accounts – Business Insider]

Therefore it seems to me that in business terms, it makes sense for service providers to rely on bank identification since banks already have to comply with know-your-customer regulation. For this to work, however, there must be a kind of identity “safe harbour” (i.e., if the person turns out to be using a false identity then the liability rests with the bank, but if the bank has followed KYC procedures then it has no liability) from zealous prosecutors, otherwise the wheels of commerce will become gummed up with identity junk.

Time to get rid of my dongle

I just had to quickly log in to my online banking service to transfer some money to someone who doesn’t have PingIt, yawn. So I had to enter my sort code, account number and name and then use my bank’s 2FA dongle with my chip and PIN card to get a security code to enter in to the web site to log in to create a new payee and then send the money. I have to say that it all worked OK, but in an age of touchID it’s beginning to feel a little tired. While I was doing it, I started to think about the way that I could log in to my USAA account just by looking at my phone.

Biometric log-on is the latest effort by USAA to offer novel solutions to its members. The app is designed to heighten security as well as to improve the overall member experience.

[From Biometrics in Banking – PaymentsJournal]

Logging in by looking at your phone is, just as touchID is, about convenience before it is about security, but it certainly does enhance the latter. The way in which different biometrics are combining with the smartphone to create a new security landscape is starting to shape the mass market and it is really interesting to be working with our clients on bringing the technology to market and exploiting it effectively in different sectors.

Voice biometrics, fingerprints, iris scans, and other authentication options are beginning to replace passwords as a means to verify a user’s identity and simplify the login process when banking online or via a mobile device. The key is to provide enhanced security against hackers while improving the overall user experience.

[From Biometrics: Fighting Fraud and Protecting Identity In Banking]

If you are interested in this sort of thing, there’s a terrific lunchtime roundtable on biometrics in banking coming up. It’s organised by the Centre for the Study of Financial Innovation at SWIFT in the City on 11th May. The panelists will be:

  • Rick Swenson, the USAA Executive responsible for Fraud Operational Excellence and Strategic Initiative who will share USAA’s experiences with biometrics and explain why their approach has been so successful.
  • Oran Cummings from MasterCard, who will give an international perspective on the use of biometrics in the financial sector.
  • Keith Gold, formerly with IBM Banking and Financial Services Europe, who has been helping the CSFI to understand the requirements of an ageing population, will talk about the importance of biometrics in the usability toolkit needed for this key segment of bank customers (or, why looking at a mobile phone is easier than remembering a PIN for most of us!).

The usual well-informed and wide-ranging discussion will ensue, with wine and sandwiches for all. Don’t miss this opportunity to learn from Rick while he is visiting the UK. There may be a few places left at this free event, so if you’re interested in seeing how the biometric state of the art is advancing in banking, contact anna@csfi.org for further details and to reserve your place.

It’s time to do away with my dongle


Banks are under pressure to do something about security, so now that everyone has a smartphone it’s probably time to rethink the hodge-podge of measures we have now and standardise around the handset.

Biometrics are already mass-market for banking


Biometrics aren’t really futuristic any more, and even in as conservative a sector as banking they are being deployed in the mass market. I’ve helped to organise a CSFI roundtable on the topic to share some practical experiences. (Revised 22nd April 2015 with updated roundtable details.)

