Why RBS and NatWest were wrong to trust Apple on biometric security

Last month, shortly after RBS and NatWest became the first UK-based banks to allow access to their mobile banking apps through Apple's biometric technology Touch ID, security researcher Andrew Whaley said it was 'very easy' to bypass all authentication to gain access to accounts, payments and even send cash.

RBS and NatWest’s response that this was only possible on jail-broken iPhones was refuted by Whaley, who said lost or stolen device can be easily jail-broken, and malware could be used to exploit any device remotely.

Here, Richard Walters, GM and VM at Intermedia, expands on Whaley’s criticism, claiming that the biometric technology offered by Apple is not secure enough to support sensitive activities like mobile banking.

Opinion:

We live in a world where everyone expects instant, always-on access to information. If you haven’t already got ‘an app for that’, you can download one within minutes.

Alongside every development team are user interface and graphic designers, as well as user experience experts. Product management and marketing think as much about ease-of-use as they do about features.

Convenience sells. But unfortunately, when it comes to security, convenience can also come at a price.

>See also: Mobile payments: biome-trick or treat?

Take, for example, Apple Touch ID. Unlocking your iOS device just by placing your finger on the home button is highly likely to make you smile at the sheer simplicity of the feature the first few times you do it. But the reality of using Touch ID as the only means of authenticating to sensitive apps – such as banking applications from RBS and NatWest – is a perfect example of convenience taken too far.

Apple’s Touch ID fingerprint identity sensor is not able to provide a high enough level of assurance that the person using the device is the same person authorised to use an application. Apple has no concept of a fingerprint belonging to an individual user.

If a device is shared, any user can add a fingerprint to Touch ID. If unauthorised access is obtained to the device (by guessing or otherwise obtaining the passcode as opposed to an opportunist accessing an already unlocked iPhone or iPad) then the unauthorised user can also add their fingerprint for later use.

Any application that integrates with the Apple Touch ID API will simply receive a response that a trusted fingerprint has been used – there is no information as to which fingerprint it was and whom it belonged to. Access to an application would be granted to anyone that has saved a fingerprint over the life of the device.

In the home, the worst-case scenario may be that your partner or children can use the fingerprint they’ve stored to quickly and easily access your banking application – or any other application that accepts Touch ID as a replacement for much less convenient passwords. Whilst this may be acceptable to some, it’s potentially a dangerous approach for any device that’s used by multiple individuals in an enterprise environment.

If a device is no longer going to be shared, changing the passcode alone is no longer enough to make that device your own. You need to delete all of the stored fingerprints as well.

Until Apple adds the concept of users – and fingerprints belonging to individual users – sensitive applications such as banking applications should not use Touch ID as the only means of authentication.

This is not the first time the balance of security and convenience has been completely wrong.

Wi-Fi hit the stores, as an option on the Apple iBook under the brand name AirPort, in July 1999. Soon after, anyone could plug an access point in wherever there was power and a free Ethernet socket.

Carnage followed: attackers began wardriving and even warflying, looking for insecure networks. Coffee-shop hotspots became a popular place to grab a skinny latte along with a full fat helping of wireless data.

Access points could be secured, but security was not enabled by default out of the box. A whole wireless security segment rapidly emerged with products to help enterprises respond to the new wireless threat spectrum. 

Over a decade later, September 2011, three men in Seattle were charged with wardriving in a 1988 Mercedes filled with networking kit and various antennas, targeting networks secured with the outdated Wired Equivalent Privacy (WEP) standard. They gained access to 13 businesses’ wireless networks, stealing credit card numbers used to purchase goods, as well as payroll information allowing them to redirect payroll funds to accounts under their control.

The next IT paradigm shift – now that we’re all enjoying life in the cloud, wirelessly accessing apps from our own personal devices and interacting with customers over social networks – is the Internet of Things (IoT): billions of connected devices taking the world into a new era of automation and, no doubt, to new levels of convenience.

>See also: 8 in 10 Brits would ditch passwords for biometric security

Unlike Wi-Fi, the IoT potentially involves such a variety of different devices from so many different vendors that there is a greater chance that standards will be needed to deliver consumer value. Having 20 different ‘things’ under the stairs and around the house that all talk different languages and require 20 different apps on your iPad or Android phone are unlikely to deliver the level of simplicity and user experience that success and mass adoption will require. With standards comes the opportunity to strike the balance between security, incorporating the ‘Identity of Things’ and convenience.

In reality, history tells us that we’ll go through a possibly prolonged period of time when attackers will have, at the very least, a great deal of fun at our expense – turning the heating up to maximum at the height of summer, cranking up the stereo and switching the lights on and off in time to the music, or setting off all the car alarms along the street at once.

I personally will be walking across the room to adjust the temperature until we get to IoT version 3. And I won’t be banking on my Apple iPhone 6 just yet either.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Biometrics