Mastering the Art of Palm Reading

Criminals are figuring out how to fool biometric systems
Illustration: 731

Worried about ATM fraud, several Brazilian banks began rolling out machines equipped with fingerprint readers. Undeterred, criminals began severing the fingers of account holders to gain access to their money, says Frank Natoli, chief innovation officer at Diebold. One of the world’s top suppliers of ATMs, Diebold is working with some of the country’s banks to switch over to palm-vein-recognition systems. “We made sure people can’t abscond with other people’s digits,” he says.

As biometric authentication systems for banking and mobile payments go mainstream, criminals are honing techniques—some gruesome, some elegant—to overcome the systems’ much-hyped security. “The faster the adoption of biometrics, the more attempts we’ll see, in the same way that cyberfraud started taking off when e-commerce was on the rise,” warns Cyrille Bataller, a managing director at Accenture who consults with government clients.

Fraudsters will have no shortage of targets. The newer generations of iPhones are equipped with Apple’s Touch ID fingerprint reader. The technology works with the mobile payment system the company introduced in September. PayPal has beefed up security on its mobile app, taking advantage of fingerprint sensors installed on some Samsung Electronics devices. Fujitsu unveiled on March 2 an iris-recognition camera small enough to fit into a smartphone. Later this year, MasterCard and Royal Bank of Canada will be testing a wristband called Nymi that’s embedded with an electrocardiogram sensor.

By 2020 every smartphone, tablet, and wearable device will have an embedded biometric sensor—up from fewer than 7 percent today, according to Acuity Market Intelligence. Banking and e-commerce are two of the industries driving demand. Within five years, 50 percent of mobile commerce and as much as 10 percent of in-store payments will be authenticated with biometrics, estimates market researcher Goode Intelligence.

Fraud rates on transactions using Apple Pay are higher than on credit cards, says Richard Crone, chief executive officer of Crone Consulting, a payments researcher. Criminals can, for instance, associate their fingerprints with stolen credit card numbers. Apple didn’t respond to a request for comment.

Ben Schlabs, of Security Research Labs in Berlin, says he and colleagues succeeded in fooling facial-recognition software by holding up a photo of a person’s face to the camera, then waving a pen in front of it. The system mistook the movement for blinking, and the photo was accepted as a live image. “This may be the worst idea ever,” Schlabs says. “Your face is literally recorded everywhere you go. It’s the only part of your body that you never cover up.” Thwarting fingerprint readers is a tad more complicated. “Copies of your fingerprints are left on every glossy surface you touch,” Schlabs says. “You can get a copy of a fingerprint, edit it in Photoshop, print it out, etch it, and have a wood glue spoof in three hours of work.”

Biometric systems suffer from the same vulnerabilities that afflict repositories of credit card numbers and other personal data. While images of fingerprints and other identifiers are usually stored on users’ devices, some retailers and banks may begin warehousing the information. Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation, a consumer advocacy group, points out that people affected by the Target breach at least had the option of canceling their credit cards. If the hackers had also made off with their prints, what then? Says Lynch: “There’s a real problem, and we haven’t dealt with it as a society yet.”

The bottom line: By 2020 half of e-commerce transactions over mobile devices will be authenticated using biometrics.