SOCRadar® Cyber Intelligence Inc. | The Future of Biometric Authentication in Mobile Banking
Jan 17, 2025

The Future of Biometric Authentication in Mobile Banking

Biometric authentication is a security mechanism that uses unique biological characteristics to verify a person’s identity. In the context of banking applications, it represents a significant advancement in securing financial transactions and account access.

The implementation of biometric authentication in financial apps typically involves several common methods. Fingerprint recognition, which analyzes unique fingerprint patterns, has become standard on most modern smartphones and banking applications. Facial recognition technology, which maps and analyzes facial features, offers another secure verification option. Voice recognition and iris scanning, while less common, are emerging as additional authentication methods in some advanced banking systems.

Banking applications leverage these biometric features to enhance security while improving user experience. When accessing their accounts, users can simply place their finger on the sensor or look at their device’s camera instead of entering complex passwords. This process not only streamlines the login experience but also provides stronger security compared to traditional PIN codes or passwords, which can be forgotten, stolen, or compromised.

However, implementing biometric authentication in financial apps also presents certain challenges. Banks must ensure robust data encryption and secure storage of biometric templates. They must also provide alternative authentication methods for cases where biometric verification fails or is unavailable.

The finance industry is an attractive target for cybercriminals due to the large amount of sensitive data and financial assets at stake. For more detail on attacks targeting the finance industry, check out our article on Major Cyber Attacks Targeting the Finance Industry.

Common Biometric Techniques in Mobile Banking

The relationship between mobile banking app biometrics and smartphone biometrics is a close one, as many banks leverage the existing hardware and security features of mobile devices.

Modern smartphones incorporate several biometric authentication methods that banks can use, chiefly facial recognition and fingerprint recognition. Apple’s Face ID uses TrueDepth camera technology, which projects and analyzes over 30,000 invisible dots to create a precise depth map of the face, along with infrared imaging. Android devices typically use a combination of RGB cameras and infrared sensors, though the specific implementation varies by manufacturer.

For fingerprint recognition, two main technologies dominate the market: capacitive sensors, which create an electrical map of the fingerprint, and optical sensors, which capture an image of the fingerprint using light. Apple’s Touch ID and many Android devices use capacitive technology, while some newer phones employ ultrasonic fingerprint sensors for enhanced security.

Many mobile banking apps integrate directly with the smartphone’s native biometric APIs (such as Apple’s LocalAuthentication framework or Android’s BiometricPrompt). This means that when you use your fingerprint to log into your mobile banking app, you are actually using the phone’s secure authentication system rather than a separate banking system.

In addition, mobile banking apps typically add their own security measures on top of the device’s biometric authentication. These are generally server-side validation systems that authenticate the biometric result and token-based systems that issue temporary access credentials after successful authentication.

Threat Landscape

Every system is open to attack, and biometric authentication systems are no exception. This section covers common attack types and vulnerabilities affecting biometric systems.

Common Attack Vectors and Vulnerabilities

Presentation Attacks

Attackers may attempt to deceive biometric sensors using artificial replicas such as high-quality photographs, 3D-printed fingerprints, or sophisticated masks. These attacks target the data collection phase, attempting to bypass the initial security barrier. Modern systems counter these through advanced liveness detection and multi-spectral analysis.

Data Interception

Vulnerabilities exist in biometric authentication systems just as in any other system. Threat actors might attempt to intercept and replay biometric data, which necessitates secure communication protocols and robust encryption methods. Transmission is not the only problematic area: stored biometric templates represent another critical vulnerability point. Attackers targeting these templates might attempt to extract them from databases, insert fraudulent templates into the system, or modify existing templates to grant unauthorized access.
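As an added example (not SOCRadar’s code or any vendor’s), the following Python models the token-based server step described under Common Biometric Techniques together with the replay protection this paragraph calls for: the biometric itself never leaves the device; a biometric-gated device key signs a single-use server nonce, and the server issues a short-lived session token only after verifying that signature. The HMAC device key, device identifier and TTL values are assumptions standing in for a hardware-backed keystore key and a bank’s policy.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60   # seconds a server nonce stays redeemable (assumed value)
TOKEN_TTL = 300      # seconds an issued session token stays valid (assumed value)


def device_sign(device_key: bytes, nonce: str, biometric_ok: bool) -> str:
    """Device side. Stands in for a keystore key that BiometricPrompt or
    LocalAuthentication unlocks: without a passed biometric check the key is
    unusable, and only a signature over the nonce ever leaves the phone."""
    if not biometric_ok:
        raise PermissionError("biometric check failed; device key stays locked")
    return hmac.new(device_key, nonce.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    """Bank side: hands out nonces, verifies signatures, issues session tokens."""

    def __init__(self, device_keys: dict, now=time.time):
        self.device_keys = device_keys   # device_id -> key registered at enrolment
        self.now = now                   # injectable clock so expiry is testable
        self.challenges = {}             # nonce -> (device_id, issued_at)
        self.tokens = {}                 # token -> expires_at

    def issue_challenge(self, device_id: str) -> str:
        nonce = secrets.token_hex(32)
        self.challenges[nonce] = (device_id, self.now())
        return nonce

    def redeem(self, device_id: str, nonce: str, signature: str):
        """Return a session token, or None if the response is not acceptable."""
        # pop() makes the nonce single-use: a replayed signature finds nothing
        issued = self.challenges.pop(nonce, None)
        key = self.device_keys.get(device_id)
        if issued is None or key is None or issued[0] != device_id:
            return None
        if self.now() - issued[1] > CHALLENGE_TTL:     # stale challenge
            return None
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):  # constant-time compare
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = self.now() + TOKEN_TTL
        return token

    def check_token(self, token: str) -> bool:
        expires_at = self.tokens.get(token)
        return expires_at is not None and self.now() < expires_at
```

A captured signature is useless to an interceptor: the nonce it covers is consumed on first use and expires on its own shortly after.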

Vulnerabilities

CVE-2023-3938 exposes a biometric system to SQL injection, an attack in which malicious code is inserted into strings passed to the terminal’s database.

Two further sets of vulnerabilities, CVE-2023-3939 and CVE-2023-3943, can be exploited to execute arbitrary code or commands on the device, giving the attacker complete control with the highest level of privileges. The threat actor can then control how the device functions and use it to attack additional network nodes, spreading the compromise across the wider corporate infrastructure.

By exploiting CVE-2023-3941, threat actors can remotely modify a biometric reader’s database in addition to gaining access and stealing data. The root cause of this category of vulnerabilities is inadequate verification of user input across several system components. By taking advantage of it, attackers can add unauthorized users to the database by uploading their own information, including images.

Vulnerability card of CVE-2023-3941 (SOCRadar Vulnerability Intelligence)

CVE-2023-3940 is an arbitrary file read vulnerability in a software component. By exploiting this flaw, an attacker can access and extract any file on the system, including password hashes and sensitive biometric user data, which can then be used to further compromise company credentials. Similarly, CVE-2023-3942 offers another route, via SQL injection, to obtaining private user and system data from the databases of biometric devices.
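The root cause named above is inadequate input validation. As an added example (not the vendor’s code and not tied to any specific CVE), this Python shows the vulnerable concatenated-query pattern beside its parameterized replacement for a terminal user lookup, and the path containment check that prevents a client-supplied file name from reaching arbitrary files; the user table and export directory are constructed for the example.

```python
import sqlite3
from pathlib import Path

# Constructed location of a terminal's export directory (assumed for the example).
EXPORT_ROOT = Path("/var/lib/terminal/exports")


def build_terminal_db() -> sqlite3.Connection:
    """Constructed stand-in for a biometric terminal's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                   [("alice", 1), ("bob", 0)])
    return db


def find_user_unsafe(db: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the caller's string is spliced into the SQL text,
    # so quote characters in the input change the meaning of the query.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user(db: sqlite3.Connection, name: str) -> list:
    # Hardened: parameter binding hands the input to the engine as a value,
    # so the same string is only ever compared, never interpreted as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def resolve_export_path(requested: str, root: Path = EXPORT_ROOT):
    """Map a client-supplied file name onto the export directory.

    Returns the resolved path only if it stays inside root; '..' segments,
    absolute paths and symlinks pointing outside all yield None."""
    root = root.resolve()
    candidate = (root / requested).resolve()   # normalizes '..' and follows links
    try:
        candidate.relative_to(root)
    except ValueError:                          # escaped the export directory
        return None
    return candidate
```

The same two checks, binding values instead of building SQL strings and resolving paths before testing containment, close off the database and file-read classes the advisories above describe.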

Vulnerability card of CVE-2023-3942 (SOCRadar Vulnerability Intelligence)

Understanding the current cyber landscape is key to strengthening your defenses. With SOCRadar’s Vulnerability Intelligence, gain valuable insights into which vulnerabilities are being actively exploited. This intelligence delivers actionable information on potentially vulnerable technologies, allowing you to make informed decisions. By staying informed about the latest threats, you can adapt your security measures to address these vulnerabilities effectively.

Dark Web Posts Targeting Biometric Data

Alleged Hacking Tool Targeting ZKTeco Biometric Devices Surfaces on Dark Web forum

A hacking tool purportedly designed to exploit ZKTeco biometric authentication devices has emerged on a monitored hacker forum. The post, detected by SOCRadar, details the tool’s alleged capabilities and potential applications.

The tool claims to offer extensive functionality for interacting with ZKTeco biometric authentication devices. Among its purported features are:

  • Retrieving Sensitive User Data: The tool allegedly enables users to retrieve and display all admin and regular user data registered on the device.
  • Device Information Extraction: Users can purportedly access detailed device information, including the serial number, platform, firmware version, and MAC address.
  • User Manipulation: The tool claims to allow the creation of new user accounts with customizable credentials and privilege levels.
  • Biometric Data Access: It allegedly facilitates the extraction of fingerprint templates, a particularly sensitive form of personal data.
  • Denial-of-Service Attack Capability: The tool includes a feature to perform a Denial-of-Service (DoS) attack, potentially rendering devices inoperable.

It is crucial to emphasize that these claims remain unverified. The existence, functionality, and effectiveness of the alleged tool have not been independently confirmed by cybersecurity experts or authorities. Threat actors often exaggerate or fabricate capabilities to garner attention or sell unproven tools.

A post from a Dark Web forum monitored by SOCRadar

In a recent post on a Dark Web forum monitored by SOCRadar, a threat actor claims to have obtained unauthorized access to biometric control machines belonging to a globally operating company. The allegations, if true, raise concerns about potential vulnerabilities in the company’s security infrastructure. However, it is crucial to emphasize that these claims remain unverified.

According to the post, the seller is offering full access to the biometric control machines, which reportedly allow buyers to:

  • View logs of personnel access.
  • Access employee names.
  • Create or delete user identities within the system.

The alleged breach purportedly impacts machines in multiple countries, including:

  • Brazil
  • Mexico
  • Mauritius
  • Saudi Arabia
  • India
  • Jordan
  • South Africa
  • Egypt
  • Germany

Such access, if genuine, could have serious implications for the affected company, potentially exposing sensitive employee information and compromising physical security measures. However, the targeted company remains undisclosed.

SOCRadar’s Advanced Dark Web Monitoring equips organizations with vital insights into hidden threats targeting key industries such as finance, insurance, and information technology, which have faced significant risks over the past year. By providing real-time monitoring of underground chatter and sensitive data exposure, SOCRadar empowers proactive defenses against Dark Web threats.

Activate your free trial today to safeguard your organization’s most valuable assets.

SOCRadar's Advanced Dark Web Monitoring

Benefits for Mobile Banking Users

Biometric authentication offers inherent security advantages by its very nature. The uniqueness of biological traits provides a robust foundation for authentication, as these characteristics are extremely difficult to replicate accurately. The requirement for physical presence adds an additional layer of security.

The integration of multiple biometric factors significantly enhances security. When systems combine fingerprint authentication with facial recognition, the complexity of executing a successful attack increases exponentially.

The security benefits are substantial. Biometric data is significantly more difficult to replicate or steal compared to traditional credentials. Each biometric marker is unique to the individual and typically requires the person’s physical presence for authentication. Furthermore, many modern financial apps implement additional security measures to ensure that the biometric data is coming from a real person rather than a photograph or recording.

Conclusion

Biometric authentication offers mobile banking apps a unique opportunity to enhance security and usability by providing a seamless user experience. However, as technology evolves, so do the risks. Biometric data cannot be replaced like a password, so banks and developers need to pay special attention to protecting this data by applying advanced encryption and anonymization techniques. Integrating biometric authentication is not just a step towards modern technology, but also an important contribution to customer trust.

By applying biometric authentication wisely and responsibly, banks can not only improve their services, but also increase users’ confidence that their financial information is securely protected. The future of mobile banking biometrics promises to be exciting, from the introduction of multi-factor biometrics to the use of artificial intelligence to predict and prevent threats. It’s just important to remember that security is not a one-time effort, but an ongoing process.