Devil's Advocate: Biometrics offer false hope

Are banks just trying to impress us with newfangled security?

Tags: banks, biometrics, security

By Martin Brampton

Published: 3 May 2005 13:40 GMT

Banks may talk of using biometrics but doing so would hardly be a foolproof means of providing secure transactions, says Martin Brampton.

There seems to be as much window dressing as there is clear thinking in the security arena. Headlines say the banks are thinking of using biometrics to authenticate transactions. Yet how much thought has actually gone into this idea?

Maybe something of the kind is inevitable with banking, which has always involved a good deal of smoke and mirrors. For many years, we were impressed with the solidity of the banks, mainly on account of their grand buildings and the imperious looks of the managers. Of course, such features did not stop banks failing, especially in countries with a less substantial support regime than the UK.

So perhaps the latest moves are in the same vein: designed to give us a sense of security more than to actually achieve anything. The banks' efforts are built around the currently popular mantras of the IT security industry. Yet the reality is always more complex and a lot messier.

The favourite story nowadays is three-factor authentication: something you know, something you possess and something you are. The first has never been very effective because of people's inveterate tendency to blab.

Remember the researchers who stood on Liverpool Street station asking people for their computer passwords? Most people told them. And last week it came to light that bank customers were happily revealing their PINs to call centre staff, only to find their accounts promptly cleaned out.

Something you possess seems a more promising angle. For the banks, that used to mean magnetic stripe cards. Nowadays it means smart cards with embedded chips. Increasingly, it is likely to mean ingenious security devices that generate single-use codes that are constantly changing. These would be used more if they were less expensive.

The trouble with all these technological fixes is that it is difficult to keep ahead of the enemy. Magnetic stripe cards - and to a lesser extent smart cards - are vulnerable to the wide availability of readers, and the inevitable tendency for people to try to crack the systems for their own use. The problem is that it is difficult to package up sophisticated security in a form that can be used millions of times a day by people all around the world.

So now there seems to be a lot of talk about biometrics for the 'something you are' level of authentication. Before we get to worries over the effectiveness of the technology, it seems to me there is a significant problem of user perceptions for organisations such as banks.

There is something quite offensive about being subjected to physical checks such as fingerprints and iris scans. We know who we are and sometimes the people we are dealing with know who we are too. So the implication tends to be that in circumstances where we have to be identified by some machine, we are being treated as an object and not a person.

Moreover, despite all the talk of the primacy of the customer, we tend to feel we are supplicants when we ask to receive some of our own money, the safe keeping of which we have entrusted to the bank. Is the bank providing us with a service or are we merely the tools of the bank?

However that may be, the thinking behind biometrics is confused. They make some sense in situations such as an airport, where it is necessary to be certain that a person matches their documents, such as their passport, and that the documents are genuine. But the vast majority of banking transactions now take place at a distance.

That opens up a plethora of possibilities. There was the Japanese man, Matsumoto, who made a false latex 'finger' from about £5 worth of materials, which was good enough to fool a fingerprint identification machine - albeit some years ago when the technology was less sophisticated. Then there is the simple fact that what is transmitted to the bank has to be a digital representation of the fingerprint or whatever biometric identifier is being used.

Anything that can be digitally transmitted can be copied and therefore can be perfectly forged. The only issue is getting hold of it. We know that spyware is becoming more of a threat than the old-fashioned virus. It is hard to avoid the conclusion that biometrics in banking is just another variant of the grand façade.

Martin Brampton is founder of Black Sheep Research, an independent consultancy providing research, writing and speaking services on a wide range of business and technology issues. Martin was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He is a longtime contributor to silicon.com and his blog can be found on his website.
