Biometric Authentication Needs to Be Made Foolproof

If you were a builder, why would you buy a cushy SUV when you could buy a heavy duty pickup truck--something that did everything you wanted it to do, and did it better?

Financial institutions should be asking themselves that question as they shop for that second authentication level mandated by the Federal Financial Institution Examination Council (FFIEC), and by the Electronic Signatures in Global and National Commerce Act of 2000, says Josh Kessler, a TowerGroup analyst. There are plenty of solutions around--tokens, smart cards, and various biometrics-based methods--but cost aside, they all have various defects, including inconvenience and security flaws.

Tokens, for instance, offer good security, but as a practical matter they can be lost, and take up a lot of space on a keychain. Smart cards, likewise losable, need keyboards with smart card readers that somebody is going to have to pay for.

And iris and fingerprint-based biometric systems may supplement the "something you know" password-based system now in use with the "something you are" model, but have a serious security flaw, since such systems pre-suppose a central database of identifiers that can be hacked into, opening consumers--and businesses--to having all their assets stolen from all their accounts, instead of from just one.

Kessler's suggestion for an alternative? Behavioral biometrics, which substitutes "the way you do something" for "something you are."

"I've been trying to come up with a way someone could defeat it, and the best I could find is that if you were running a really high-end phishing attack, and implement behavioral biometrics in the site where you're capturing the data, you could possibly do it," he says. "But you would have to know which system the bank is using, for comparison. That's the only way I could come up with, and I think it's sort of far-fetched."

For the purposes of consumer-oriented, computer-based authentication, behavioral biometrics measures how someone types--speed, rhythm, and the duration of the keystrokes. A new user types in his or her password several times when they're setting up their account, and the system takes an average of various characteristics. For corporate purposes related to authorized use, a new user can sign his or her signature several times, and the system measures things like pen pressure and pen speed, thus making that signature impossible to forge as far as the authentication system goes.

In either case, explains Kessler, the result isn't just virtually irreproducible, but also trouble-free to the user, which relieves one of the anxieties of bankers and other operators of online payments sites--that making users take an extra step to authenticate themselves will seem so onerous that the authentication process will somehow alienate the users, costing the bank a customer.

Rather Safe Than Sorry

Studies floating about the payments business today indicate that this is probably a needless worry; most people, according to these studies, would rather feel safe than be sorry. But these studies are apparently of marginal comfort, at best, to bankers accustomed to being on the defensive when it comes to customer retention.

For these executives--and their numbers are legion--behavioral biometrics seems to be an ideal solution. But the technique has some very sound security advantages as well. Not only does it provide a very useful security layer for internal corporate authentication; for retail uses, behavioral biometrics vastly minimizes the likelihood of success for the mass of phishing, pharming and keylogging attacks that have multiplied across the Internet in the past year.

These attacks have--at least so far--all relied on a simple password- based security model and the gullibility of customers. But at least as importantly, they've relied on the predictability of bank security systems. Since most systems were relatively simple and roughly similar, getting a customer's account information was enough to defeat the bank's defenses.

But as Kessler points out, not only does behavioral biometric authentication require a black hat hacker to capture the user's average keystroke patterns--meaning the hacker would have to monitor several account accessions--but they would also have to know which sort of security algorithm the bank was using, and which characteristics the bank system was measuring. Such an attack would imply that a hacker not only was targeting a specific bank, but that he or she had specific, internal information about the bank's security configurations.

Hackers, on the other hand, have so far been mainly interested in mass attacks that target low-hanging fruit. And while there's little doubt that hackers are becoming more sophisticated by the hour, or that the criminal potential of hacking has been recognized by global organized crime--which is happy to heap resources in the laps of skilled hackers--such very specific attacks have so far been blessedly rare.

"There is that chink in the armor, but it's small," says Kessler. "It's not a big concern in implementing one of these systems, because the level of sophistication involved, and the amount of internal information the attacker would need about the target, would mean they wouldn't even want to take this route."

Bankers should not take comfort in that fact: Computer security is a game, and attackers in the hacker community are constantly surprising the defenders in the world's financial institutions. But anything that makes a hacker's life more miserable is a good thing, as far as bankers are concerned.

(Contact: Josh Kessler, TowerGroup, 773-348-8134)

[Copyright 2005 Access Intelligence, LLC. All rights reserved.]

<<Electronic Payments Week -- 11/16/05>>