Australians would prefer to use voice biometrics rather than PIN and password verification to prove their identity — but security experts warn biometrics exposes consumers to even greater risk.
A study conducted by callcentres.net canvassed the attitudes of 216 Australians towards security and authentication when interacting with call centres. According to the study, the threat of identity theft is driving demand for the introduction of voice biometric authentication processes at call centres — a process typically conducted by call centre staff.
Forty-two percent of those surveyed said their preferred method of verification is voice biometrics, ahead of using PINs, passwords and personal history, such as mother's maiden name, according to Dr Catriona Wallace, managing director of callcentres.net.
"Identity theft and fraud is an issue for consumers we research. The results of this study suggest not only for younger consumers but across all age groups advanced technology such as biometric voice identification appears to be a viable and preferred option to more traditional methods such as PINs and passwords," she said.
The report also found conflicting attitudes towards the use of SMS messages as a second factor of authentication alongside PINs and passwords — the system in use by most Australian banks to verify transactions over a certain amount.
"Twenty-three percent said they were totally secure with SMS but 22 percent said they felt completely vulnerable," Wallace told ZDNet.com.au.
The reason for this fear, according to Wallace, was that information sent by SMS can be easily uncovered by hackers.
But while SMS authentication is viewed as easy to intercept, a recent proof of concept attack on biometric systems by UK security consultant, Matthew Lewis, has shown that biometric systems are similarly vulnerable.
By devising a biometric equivalent to a keylogger — which captures keystrokes made by a user to steal passwords — Lewis's so-called 'biologger' showed how it is possible to detect and capture data from fingerprint readers or iris scanners as it is transmitted across a computer network.
This type of attack, although just a proof of concept, is a reminder that biometric authentication systems may in fact put consumers at greater risk, according to IBRS security analyst, James Turner.
"The problem with biometrics is that instead of a user's password or swipe card becoming a target of attack, the user becomes the target themselves: their voice, their eyes, their fingers, their hand geometry, and so on," he told ZDNet.com.au.
Rather than look at biometrics as an answer to current security woes, Turner said that the basics of network security can't be neglected.
Nishad Herath, senior research scientist at McAfee Avert Labs told ZDNet.com.au: "Biometrics is most definitely not a security cure-all. Far from it. Biometric authentication systems are prone to similar weaknesses as other authentication systems."
Herath agreed that the introduction of more biometric systems poses a more permanent threat to consumers in the event they become hacked.
"In fact biometrics pose a greater inherent risk that is seldom discussed. With most modern authentication systems, if your authentication credentials were compromised, you could always be issued with new credentials. Therefore your future use of such authentication systems is not affected by a past compromise."











While I was reading this article, a few things came to mind. Were those proof of concept attacks targeted at a single biometric system? If so, one way to secure the system would be to use a challenge-response system. The system generates random tokens (based on the time of day for example) to be used at the authentication terminal, these tokens are valid for about 5 minutes for example. When a user places their thumb on a print reader, that print information is encrypted with the token. That info is sent to a central server (which can generate the token based on the request submit time) which decrypts the info. If the information has been tampered with, the decryption will fail. Once a token is used, it can never be used, ever again.
You might also add voice recognition to this. The system asks the user to speak a phrase (doesn't matter what phrase it is) and then uses the voice pattern to encrypt the data along with the token. The data is decrypted by the token, then by the person's voice pattern held on file. For someone to steal your identity, they would need your voice pattern and thumb print. They would also somehow need to get the formula used to generate the random tokens, which could just as easily be changed every day.
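
The time-windowed, single-use token idea from the comment above, sketched as an added example that is not part of the article or the comment. It assumes a secret shared by terminal and server, and it swaps the comment's encryption step for an HMAC tag, so it shows tamper and replay rejection rather than confidentiality; all names are hypothetical.

```python
import hashlib
import hmac
import os

WINDOW_SECONDS = 300  # the comment's "about 5 minutes"

def window_token(secret: bytes, when: float) -> bytes:
    """Token for the time window containing `when`; both ends can derive it."""
    window = int(when // WINDOW_SECONDS)
    return hmac.new(secret, b"window:%d" % window, hashlib.sha256).digest()

def terminal_send(secret: bytes, sample: bytes, when: float) -> dict:
    """Terminal side: bind the captured sample to the current token."""
    nonce = os.urandom(16)  # makes every submission unique within a window
    tag = hmac.new(window_token(secret, when), nonce + sample,
                   hashlib.sha256).digest()
    return {"submitted": when, "nonce": nonce, "sample": sample, "tag": tag}

class Verifier:
    """Server side: re-derive the token from the submit time and check the tag."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()  # nonces already accepted (single use)

    def accept(self, msg: dict, now: float) -> str:
        if abs(now - msg["submitted"]) > WINDOW_SECONDS:
            return "expired"
        token = window_token(self.secret, msg["submitted"])
        expected = hmac.new(token, msg["nonce"] + msg["sample"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "tampered"
        if msg["nonce"] in self.seen:
            return "replayed"
        self.seen.add(msg["nonce"])
        return "ok"

def demo() -> list:
    """Constructed run: a fresh message, the same message again, a late copy."""
    secret = b"\x01" * 32                 # constructed shared secret
    sample = b"constructed-template-bytes"  # stands in for reader output
    server = Verifier(secret)
    msg = terminal_send(secret, sample, when=1000.0)
    return [server.accept(msg, now=1010.0),
            server.accept(msg, now=1020.0),
            server.accept(msg, now=2000.0)]
```

This only covers data captured on the network between terminal and server; a sample recorded at the reader itself is still a valid sample the next time it is presented.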