Scottish Daily Mail

Will fingerprint security REALLY stop thieves hacking your bank account?

Our investigation exposes disturbing flaws in the new high-tech alternatives to passwords

- from Louise Eccles IN BERLIN

HIGH in the eaves of a warehouse in Berlin, a hacker uses a clone of my fingerprint to break into my iPhone.

He can see my personal and work email accounts, photo album, apps and social network accounts. In a series of swift movements, he opens my banking app and uses the same plastic fingerprint to make a payment to a new bank account.

I am completely at the mercy of the hacker — and it has all been achieved with terrifying speed and proficiency.

Thankfully, this is just an experiment. But it is chilling, nonetheless.

Money Mail has travelled to a research lab in Germany which specialises in cyber security to test the safety of the new techniques banks are using to keep crooks from raiding your accounts.

Nearly all the major firms, from Barclays to HSBC, now allow customers to log into their accounts and make payments using so-called biometrics instead of passwords.

This means using your fingerprints, face, voice, retina and even vein patterns to verify your identity.

Most smartphones now offer fingerprint sensors as standard for logging in — and it’s certainly easier than remembering a series of numbers and letters.

In response, banks have updated their mobile apps and telephone banking to use biometrics, claiming it’s safer than traditional passwords because our unique characteristics are harder to hack.

But our tests in Germany showed the new-fangled verification software can be cracked using everyday household equipment, including a pen and glue, that can be bought for less than £45.

We broke into bank apps that are solely protected by iPhone fingerprint sensors, facial recognition software and also cracked the voice recognition used for telephone banking. The findings are deeply disturbing because, unlike a password or PIN, you cannot swap your voice or fingerprint for a new one if you’re hacked.

SAFEGUARDS THAT LEAVE YOU AT RISK

BEN SCHLABS, a security consultant at Security Research Labs in Berlin, agreed to try to break into my phone’s fingerprint sensor and apps that use facial and voice recognition not to scare bank customers, but to raise awareness of weaknesses in the technology.

Security Research Labs is a respected IT security consultancy and think-tank which has worked with some of the world’s biggest companies, including firms listed on Britain’s FTSE 100. Its experts try to spot security flaws in smartphone apps and payments systems to stop customers becoming victims of fraud.

Ben, a 34-year-old American, says: ‘There is a huge misconception that biometrics only make our devices safer, but they add an extra window into the security wall for hackers to try to get through.’

The good news is that Ben says it’s unlikely criminals would spend the time and effort cloning fingerprints, irises and voices to target ordinary customers, or carry out attacks on a mass scale.

He made it look easy, but in practice, hacking takes in-depth knowledge and skill.

And so far, no customer has reported losing any money to biometrics hackers.

Even if they did, banks say they would always cover losses — as they should for all genuine fraud where the customer was not at fault.

So for now, those most at risk are likely to be the high-profile and wealthy — or someone who knows their attacker well enough for them to have access to their body and their phone.

Mr Schlabs adds: ‘We need to be honest and say biometrics increases convenience and helps not having to remember so many passwords, but to increase security significantly users would need to type in their password and scan their fingerprint as well.’

FINGERPRINT CODE CRACKED IN HOURS

THE process of copying my fingerprint was achieved in less than three hours. The equipment used could all be bought on Amazon for less than £45.

We leave our fingerprints smeared across our touchscreens every day, meaning phone thieves can get hold of them easily. Ben’s team simply took a picture of the clearest fingerprint they could find on my phone.

For best effects, they went into a dark cupboard and used a torch so my fingerprints showed up clearer.

We won’t reveal exactly how, but that picture was then transferred on to a printed copper-plated circuit board — the kind hobbyists can buy for £4 for a pack of 10 from Amazon.

Finally, Ben’s team painted a cheap polyvinyl acetate (PVA) glue on to the copper engraving and, after a couple of hours, peeled back the glue to reveal a near-perfect copy of my fingerprint. By placing the glue print on his fingertip, Ben was able to press the sensor on my iPhone 7 and break into my phone.

We tried this on an iPhone 6S and an iPhone 5S with the same results. Ben says the same trick can be replicated on all smartphones with fingerprint sensors.

Using the cloned fingerprint, the ‘hacker’ was able to enter every mobile banking app I had downloaded to my phone, including NatWest and Metro Bank. Other banks which use fingerprint technology include HSBC, Barclays and Lloyds.

Banks rely on the technology provided by the maker of the phone — in this case, Apple.

So if the Android or Apple device tells the app that the fingerprint matches, the bank allows them in. Many banks also allow new payees to be set up and payments sent using fingerprint authorisation.

This enabled the lab to send money to a new account from my own bank account. Had this been a genuine attack, it is likely I would have been stung for more than the 1p it transferred.

SNARED IN THE BLINK OF AN EYE

TO TEST facial recognition technology, we downloaded the mobile phone app for UK challenger bank Atom, which lets customers access their savings accounts this way.

To set it up, you stare into the camera on your smartphone and the Atom app captures images of your face.

The pretend hackers found several photographs of me on Google and Twitter from my work as a journalist.

They downloaded a photograph of my face from Twitter and saved it to their own phone. The Atom app — like many others — claims to have ‘liveness’ technology which can distinguish a photograph from a real person.

But this often just means the app looks for evidence of the person blinking. When the researchers opened my Atom app, it instructed them to ‘just blink’.

They held up their phone with the picture of my face from Twitter and ran a pen momentarily in front of it. The app opened, tricked into interpreting the movement as blinking.

Other banks developing facial recognition security say they are using even more robust technology.

Lloyds has struck a deal with Microsoft’s Windows 10 ‘Hello’ Service to allow customers to log on to a computer, rather than an app, by showing their face to a camera. This technology uses two cameras to scan a 3D image of the face, meaning the pen trick would not work.

CROOKS CAN EVEN STEAL YOUR VOICE

Our voices contain 100 or so physical and behavioural characteristics which make them unique.

Voice recognition technology can analyse accents, pronunciation, the sounds of someone’s mouth, tongue, voice box and even breathing.

Several UK banks now use this as an option for logging into apps or making payments.

For example, the Atom app asks you to repeat the same phrase each time: ‘My identity is secure because my voice is my passport. Verify me.’ Other banks also use this phrase.

Some claim to be able to distinguish a recorded voice from a live voice. But when researchers recorded me saying this phrase on their own mobile phone, standing a couple of feet away, they were able to get into my Atom app seconds later by replaying the message.

Last year, software firm Adobe launched a programme called Voco, which allows you to record someone’s voice and get that voice to say phrases which the person may have never said before.

Santander UK already allows customers to make payments using their voice over the phone.

HSBC and its offshoot First Direct also allow voice recognition to access their accounts.

Despite being hailed as highly secure, a BBC journalist’s non-identical twin broke into his brother’s account in an experiment last month.

HSBC said it would increase the sensitivity of its software.

THE RISKS ARE SMALL, SAY BANKS

Apple declined to comment on Money Mail’s research.

Metro directed us towards UK Finance, the industry trade body.

Katy Worobec, head of fraud at UK Finance, says: ‘While it may be possible to circumvent biometric security in a lab, this is highly technical and very difficult to scale up to make it a widespread problem.’

Ed Twiddy, chief innovation officer at Atom, says: ‘Atom has decided to employ both the security inherent in the phone meaning you have to access the phone using fingerprint or passcode, but also other unrelated technology to capture face and voice biometrics from customers.

‘We think this enables easy access for customers, but also creates a genuine separation between accessing the phone and accessing the bank.

‘We believe that an experiment under controlled conditions, where a customer mimics themselves to gain access to their own account, is not reflective of the real-life scenarios that banks and other users of biometrics technologies are protecting customers from on a day-to-day basis.

‘Any potential fraudsters would need to recreate a number of difficult circumstances. Even if they did succeed, we’re confident our customers’ money is safe, as we only offer non-transactional accounts (fixed-term savings and mortgages), so money cannot be transferred out.’

A spokesman for NatWest says: ‘Touch ID does not replace any of our existing controls which are in place on the mobile banking app to protect customers. [Money Mail’s tests] require a fraudster to have access to the customer’s mobile phone.

‘If a customer’s iPhone is lost or stolen they can contact us so we can suspend the mobile banking app on their phone.

‘They can also use their “find my iPhone” feature remotely to wipe the phone of any apps, including our mobile app.’

This feature allows owners to find lost or stolen iPhones, if they are switched on.

To do this you simply log onto Apple’s iCloud.com website with your password and click on the ‘Find your Device’ button.

This uses the GPS in your phone to tell you exactly where you last left it.

NatWest said it would refund fraud losses as long as the customer had kept their security information secret.

Picture: ALAMY

How the fingerprint hack was done

Digital deception: Louise Eccles watches while Ben Schlabs starts faking her fingerprint. Left, it’s finished and good enough to fool bank security systems
