Australians want what's bad for them: Biometrics
Australians would prefer to use voice biometrics rather than PIN and password verification to prove their identity — but security experts warn biometrics exposes consumers to even greater risk.
A study conducted by callcentre.net canvassed the attitudes of 216 Australians' towards security and authentication when interacting with call centres. According to the study, the threat of identity theft is driving demand for the introduction of voice biometric authentication processes at call centres — a process typically conducted by call centre staff.
Forty-two percent of those surveyed said their preferred method of verification is voice biometrics, ahead of using PINs, passwords and personal history, such as mother's maiden name, according to Dr Catriona Wallace, managing director of callcentres.net.
"Identity theft and fraud is an issue for consumers we research. The results of this study suggest not only for younger consumer but across all age groups advanced technology such as biometric voice identification appears to be a viable and preferred option to more traditional methods such as PINs and passwords," she said.
The report also found conflicting attitudes towards the use of SMS messages as a second factor of authentication alongside PINs and passwords — the system in use by most Australian banks to verify transactions over a certain amount.
"Twenty-three percent said they were totally secure with SMS but 22 percent said they felt completely vulnerable," Wallace told ZDNet.com.au.
The reason for this fear, according to Wallace, was that information sent by SMS can be easily uncovered by hackers.
But while SMS authentication is viewed as easy to intercept, a recent proof of concept attack on biometric systems by UK security consultant, Matthew Lewis, has shown that biometric systems are similarly vulnerable.
By devising a biometric equivalent to a keylogger — which captures key strokes made by a user to steal passwords — Lewis's so-called 'biologger' showed how it is possible to detect and capture data from fingerprint readers or iris scanners as it is transmitted across a computer network.
This type of attack, although just a proof of concept, is a reminder that biometric authentication systems may in fact put consumers at greater risk, according to IBRS security analyst, James Turner.
"The problem with biometrics is that instead of a user's password or swipe card becoming a target of attack, the user becomes the target themselves: their voice, their eyes, their fingers, their hand geometry, and so on," he told ZDNet.com.au
Rather than look at biometrics as an answer to current security woes, Turner said that the basics of network security can't be neglected.
Nishad Herath, senior research scientist at McAfee Avert Labs told ZDNet.com.au: "Biometrics is most definitely not a security cure-all. Far from it. Biometric authentication systems are prone to similar weaknesses as other authentication systems."
Herath agreed that the introduction of more biometric systems poses a more permanent threat to consumers in the event they become hacked.
"In fact biometrics pose a greater inherent risk that is seldom discussed. With most modern authentication systems, if your authentication credentials were compromised, you could always be issued with new credentials. Therefore your future use of such authentication systems is not affected by a past compromise."