A researcher has demonstrated the need for more rigorous mobile app security testing of the biometric authentication that banking apps use to grant access.
Since the release of Apple’s Touch ID, banks have begun to replace traditional password-based security with fingerprint and facial recognition systems.
A researcher at a financial technology firm found that it was possible to bypass a bank’s facial-recognition login using Apple’s Live Photos feature. A Live Photo of the user blinking, presented to the phone’s camera, was enough to satisfy the check in two mobile banking apps that a live person rather than a static image was in front of the device, so both apps concluded that the account holder was present.
The banks in question were referred to as a US bank and a UK “challenger bank”. Atom is the only bank in the UK offering facial recognition as a method of authentication.
The vulnerability only applies to banks using this method of authentication, and it shows a failure to do proper mobile app security testing of login flows. At the moment the number of banks doing this is limited; however, Standard Chartered has announced plans to abandon passwords and use biometric security for all its 5 million customers. Will Standard Chartered bother to do mobile app security testing?
The need for mobile app security testing also becomes clear when considering that, around the world, banks and financial institutions are moving to biometric security measures such as fingerprint scanning, facial recognition, and voice recognition. These are among the first generation of biometric authentication methods available, with pulse recognition, iris recognition, vein recognition and heartbeat recognition promised for the future. Whether any of this is more effective than a traditional password remains to be seen: unlike a password, a biometric cannot be changed once it has been captured or spoofed, so the robustness of the liveness check matters as much as the accuracy of the matching itself.
Codified Security will help you to secure your mobile banking app against OWASP and PCI security standards, with mobile app security testing and Continuous Monitoring. To find out whether there are serious security flaws in your app, please sign up to Codified Security.