<p>Internet banking – The Conversation</p>
<h1>The rise of biometric banking as fight against fraud is stepped up</h1>
<p>2014-09-09T05:35:36Z</p>
<figure><img src="https://images.theconversation.com/files/58465/original/7swphy8t-1410181555.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Pain free password provision.</span> <span class="attribution"><span class="source">Barclays</span></span></figcaption></figure><p>Barclays has announced the <a href="http://uk.reuters.com/article/2014/09/05/uk-banking-barclays-fraud-idUKKBN0GZ2TB20140905">arrival of personal biometric scanners</a> for its corporate clients to combat banking fraud. Finger vein scanners are to be available in 2015, followed by voice recognition technology in phone calls to replace passwords or security questions. It remains to be seen how effective this is with widespread use.</p>
<p><a href="http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=5384806">Biometrics</a> is the science of recognising an individual based on his or her physical and behavioural traits. Biometric-based authentication systems are widely considered to be more reliable than established password systems for verifying individuals and ensuring they are who they say they are. Other examples include palm print, face and vein recognition, iris and retina scanning, DNA matching and even odour recognition.</p>
<p>Although not yet commonplace, biometrics are expected to become so over the next <a href="http://www.biometricsinstitute.org/data/Surveys/BiometricsInstitute_ExecutiveSummaryIndustrySurvey2013.pdf">three to five years</a>. Currently, the biggest users are governments which have already implemented biometrics into citizen identity documents (such as passports and national ID cards) and it is estimated that by 2015 biometric citizen IDs will <a href="http://www.digitalpersona.com/">outnumber non-biometrics</a> by 4:1. <a href="http://news.bbc.co.uk/1/hi/uk/5408534.stm">In 2006</a>, the UK joined 40 other countries in introducing e-passports that use facial recognition technology to authenticate citizens.</p>
<h2>Gaining acceptance</h2>
<p>Biometrics are firmly embedded in the public psyche through science fiction and adventure films such as Minority Report and James Bond. Images of secret agents and heroes using an array of biometric technologies to circumvent or secure systems are familiar. So, although many have limited real-life experience of biometrics, <a href="http://www.technewsworld.com/story/77896.html">studies</a> have shown that there is already a relatively high degree of acceptance of the idea of biometrics among potential users (more than 70% in the UK).</p>
<p>But there is no blanket acceptance of all biometrics – users have a preference for which types are used and how they are used. <a href="http://www.sciencedirect.com/science/article/pii/S1361372307700064">One study</a> found the most acceptable application of biometrics was for passports (75%) or ID verification (53%) in official contexts, with credit card verification around 56%. Users were most accepting of fingerprint, hand, voice and keystroke/signature recognition (over 90%), with one third considering iris and retina recognition as potentially risky to their health.</p>
<p><a href="http://www.sciencedirect.com/science/article/pii/S0268401212000898">Our research</a> investigated the potential use of biometric authentication systems for online banking. We found that users identified fingerprint scanning as the most suitable method, followed by iris scanning, voice and face recognition.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/58466/original/53j3w854-1410181745.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/58466/original/53j3w854-1410181745.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=426&fit=crop&dpr=1 600w, https://images.theconversation.com/files/58466/original/53j3w854-1410181745.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=426&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/58466/original/53j3w854-1410181745.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=426&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/58466/original/53j3w854-1410181745.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=536&fit=crop&dpr=1 754w, https://images.theconversation.com/files/58466/original/53j3w854-1410181745.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=536&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/58466/original/53j3w854-1410181745.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=536&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">User experience of biometrics.</span>
<span class="attribution"><a class="source" href="http://www.sciencedirect.com/science/article/pii/S0268401212000898">Rana Tassabehji</a>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<p>We <a href="http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5384806">also found</a> that the majority of our respondents considered fingerprint biometrics to be more secure than password-based authentication. Interestingly, respondents’ perception or belief that biometric banking was more secure was highly correlated with their understanding of the security risks of online banking. Thus, potential users who had a good understanding of online security were more likely to believe that biometric banking was more secure.</p>
<p>Other findings from this study showed that the biometric technology also had to be easy to use and perceived as more secure than traditional security systems to be popular. On this basis, our research suggests that people are ready and willing to adopt fingerprint-based biometric technology for online banking.</p>
<h2>Slow uptake</h2>
<p>There are a <a href="http://www.isaca.org/Journal/Past-Issues/2004/Volume-4/Pages/Biometrics-An-Overview-of-the-Technology-Challenges-and-Control-Considerations.aspx">number of reasons</a> why biometric authentication technology hasn’t been implemented more widely.</p>
<p>Biometric technologies <a href="http://www.itproportal.com/2013/09/09/fingerprints-and-faces-how-biometric-authentication-is-still-far-from-secure/">need to achieve</a> the required 99.9% standard of reliability and accuracy. Biometric authentication currently stands at between 40% and 95% in real-world use. For example, government systems failed to recognise the Boston bombers and those carrying false passports on board the doomed Malaysian flight MH370.</p>
<p>Then there is the issue of proving the biometric “liveness”. So, for example, in films we see eyeballs being removed and fingers getting chopped off to circumvent biometric systems. In real life – somewhat less sensationally – <a href="http://it.slashdot.org/story/10/10/28/0124242/Aussie-Kids-Foil-Finger-Scanner-With-Gummi-Bears">gummy bears</a> and dough have been used to lift fingerprints onto latex moulds of simulated fingers. <a href="http://www.wired.co.uk/news/archive/2014-09/05/barclays-finger-scanner">Barclays</a> is using Hitachi’s finger vein system, which is harder to copy.</p>
<p>But, perhaps most importantly for enterprises, the costs and complexity of designing and deploying a biometric infrastructure are behind the slow uptake of this technology to prevent banking fraud. The costs of hardware, software and processes for verification, validation and authentication can be prohibitive, especially when the technology still provides less than the required 99.9% reliability. </p>
<p>There is also, as yet, no universally-accepted technical and legal standard for the interoperability of systems and consumer biometric data protection. This can lead many organisations to avoid the risks of biometric technology until it is established, proven and less costly.</p>
<p>Another, more general concern with the security of biometric technology is that biometrics are <a href="http://www.usatoday.com/story/cybertruth/2013/09/12/why-biometrics-dont-work/2802095/">hard to conceal</a>. We leave fingerprints when we touch anything, and our eyes and faces are easily captured. With a password, if your account is breached, you simply change the password; if your biometric is compromised, it remains compromised all your life.</p>
<p>But, ultimately, our research suggests that a large proportion of potential users are willing to adopt biometric banking and the <a href="http://www.zdnet.com/30-percent-of-companies-will-use-biometric-identification-by-2016-7000025942/">projections</a> indicate that biometrics will be the next big thing in security.</p>
<p class="fine-print"><em><span>Rana Tassabehji does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Rana Tassabehji, Senior Lecturer in E-Commerce and Information Systems, University of Bradford. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Four steps to a simpler, safer password system</h1>
<p>2014-06-02T14:20:49Z</p>
<figure><img src="https://images.theconversation.com/files/49996/original/zvp4wwcr-1401711711.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">What do you mean 'IHATECAT' is not a strong password?</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/konszvi/4218539270/in/photolist-7VbFkS-8HUXh6-5FLPDm-ePZJvk-QR1x-axDXod-7qM7KG-acVs8B-7rYngA-2jCuq-frpBEh-9J1urj-5S9DAW-5f6ANv-7rYnnN-9LRsD-5c9R8o-5rRhxh-6jaraN-7KKHDU-bUopsz-9f9Bo-6AeYqH-QR1v-gLzxpX-ibY16M-qexSo-8Z96Xb-e45CQA-oYYfD-4ePJQB-jZ8qW-578e7H-4FUWFV-EC1Wp-jZ8he-7yZAbR-4csVVx-5j1DP4-5SjC6f-svLaP-4szsYa-bcqjcH-bcqikk-YwuAF-jZ8hY-jZ8oP-7xzzHB-deWMfR-feKMBA">konsvi</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA</a></span></figcaption></figure><p>Several <a href="https://theconversation.com/explainer-should-you-change-your-password-after-heartbleed-25506">high-profile security breaches</a> have, of late, got many people wondering about their <a href="https://theconversation.com/massive-ebay-hack-change-your-password-now-27052">passwords</a>.</p>
<p>It would be great news if I could tell you a perfect sure-fire system to manage your passwords; the reality is that you have to make your own choices. Many of us struggle to remember one password, let alone many, so changing passwords often makes life a little difficult. But if, like many others, you feel like it’s time to start again, there are ways of doing it right. Think of it as your new password ecosystem.</p>
<h2>1. Rank your accounts</h2>
<p>Step one of your new password system involves grouping the different online accounts you have according to their importance. You should rank your accounts according to the importance of the activities you carry out on the different sites.</p>
<p>Social media accounts, for example, might have a ranking of one, and cloud services such as Dropbox or iCloud, a rank of two. Sites on which you make purchases, for example Amazon or eBay, are more important, and would have a ranking of three.</p>
<p>Next comes email, which is too often overlooked. These accounts are far more enticing for cyber-criminals than your Amazon account, since they are often the gateway to many other accounts, so they should be given a ranking of four.</p>
<p>And finally, online banking and PayPal should carry a ranking of five.</p>
<p>Once you’ve decided your ranking, you can set login names and passwords. All should be equally complex but you can treat some passwords as less important than others.</p>
<p>Sites with a ranking of one could easily share the same login email but have different passwords, whereas ranks four and five must be different.</p>
<h2>2. Don’t overlook your username</h2>
<p>You’ve got your ranking and are ready to start. We tend to focus our concerns on passwords, but your username is another important piece of the puzzle. We all often use similar usernames to access our multiple accounts. It could be a secret name, such as fluffybunnykins, or more often it is your email address.</p>
<p>If I know your personal email address, I know too much. This was how a hacker calling themselves <a href="https://theconversation.com/explainer-is-your-iphone-at-risk-after-the-oleg-pliss-hack-27288">Oleg Pliss</a> recently compromised iPhones. This attack did not involve infiltrating iPhones; instead, it involved finding out email addresses from other sites and applying that information to take control of phones.</p>
<p>If your email-based login has been used on one site that has been compromised and you are using the same password somewhere else, there is the outside possibility that these other accounts may also be exploited.</p>
<p>It’s not practical to maintain an email address for every online account but multiple email accounts are advisable. Look back at your ranking and try to use a different email address for the different ranks. You can easily attach your email software to multiple email accounts. So, in reality, this does not make life too difficult. </p>
<h2>3. The tricky bit</h2>
<p>The biggest challenge for most people as they begin their new password life will be to pick passwords that are complex enough not to be compromised but easy enough to remember.</p>
<p>Start by thinking of a meaningless word. It should be something that someone else couldn’t guess, so children, pets, football teams and hometowns are a bit of a giveaway. It is worth taking a moment to think of something that only you can ever recall.</p>
<p>You do need to make sure that your word is at least ten characters in length. The reason that we like longer passwords is that it takes <a href="http://sectools.org/tag/crackers/">brute force</a> crackers more time to break them.</p>
<p>Now you get to make it obscure: the more you can use capital letters, numbers or symbols (such as *&%$@), the better. Different sites do have different policies, so try using one of each and already your password is harder to guess. Even if I now know what your meaningless word is, I still do not know how you have obscured it.</p>
<p>Let’s say your chosen password is the meaningless word “timecheese”. From this word you could create TimeCheese, t1meChee5e or T1meCh_e5e. There are many combinations. You can <a href="https://howsecureismypassword.net/">test out different passwords for strength</a> on dedicated sites and even use a <a href="http://listofrandomwords.com/">random word generator</a> if you are struggling with ideas.</p>
<h2>4. Remembering your password</h2>
<p>Now you have created your meaningless word, apply some common sense. Will you actually remember it? Passwords like DarkCalamariSandwich fit the criteria for length and nonsense factor. But there are a lot of characters to remember and possibly too many options for adding in numbers. A week after setting it, will you remember whether you replaced the i with a 1 or the s with a 5?</p>
<p>You need to create something that is relatively simple by using random words that you connect together. Typically I would suggest two words to most mortal souls, but some people will remember more.</p>
<p>Often word associations help. You might use “Dr Who Cheddar” as a prompt to recall timecheese. While you should obviously never write down your password, there’s nothing wrong with making a note of the association to jog your memory. If timecheese was your eBay password, you could write down “auction tom baker cheddar”. A Dr Who fan might see the connection but they still probably wouldn’t be able to work out the actual password.</p>
<p>These steps should help you start a new password life but you still need to change your passwords regularly, particularly when breaches like those seen over the past few weeks happen. You are the only person who can really protect your information online.</p>
<p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Andrew Smith, Lecturer in Networking, The Open University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Hand out money with my mobile? I think I’m ready</h1>
<p>2014-04-16T15:09:49Z</p>
<figure><img src="https://images.theconversation.com/files/46564/original/f8fw3jxk-1397650012.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Look, I know we're not really talking right now but could I possibly borrow a tenner?</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/ejbsf/4312589663/sizes/o/">ejbSF</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span></figcaption></figure><p>A service is soon to launch in the UK that will enable us to transfer money to other people using just their name and mobile number. <a href="http://www.paym.co.uk/">Paym</a> is being hailed as a revolution in banking because you can pay people without needing to know their account number or sort code.</p>
<p>In many respects it is. Paym cuts out the need for a dash to a cash machine. Distance is also not an issue as you could easily top up your children’s bank balance when they are away from home, solving immediate financial dilemmas.</p>
<p>And the main security risk appears to come from user error – the one thing you yourself can actually control. </p>
<h2>What is Paym?</h2>
<p>As of 29 April, customers of <a href="http://www.paym.co.uk/whos-involved">nine banks</a> including Barclays, Halifax, TSB and Santander can use Paym. Although each will have their own approach to offering the service, the principle remains the same for all. As long as you have registered your mobile number and the receiver of the payment has also registered their mobile number, you should be able to use an app on your phone or an internet banking option to make the payment.</p>
<p>It sounds simple because for you, the customer, it is supposed to be.</p>
<p>This simplicity has made systems similar to Paym phenomenally successful in many parts of the world. <a href="https://www.mpesa.in/portal/">M-Pesa</a> is one particularly popular version that has been operating for several years in India and <a href="https://theconversation.com/bitcoin-fuels-africas-banking-revolution-16044">Kenya</a>.</p>
<p>As technology evolved over the past decades, the typical cabled telecommunications structure used in developed nations such as the UK, the US or Australia couldn’t be delivered on the same terms for many African, Asian and South American regions.</p>
<p>While many western nations had an existing infrastructure that had evolved over 100 years and could be adapted to make room for more cables, the cost of bringing it in afresh in many developing countries was prohibitive.</p>
<p>More recent developments in mobile telecommunications such as 3G and 4G networks, on the other hand, are easier to deploy. The cable costs are low and by strategically positioning the mobile towers needed to run the network, you can reach a large population of customers.</p>
<p>The use and trust of this technology in developing countries shows us how it could offer interesting benefits to new markets. We all make one-off payments, where the speed of technology could easily beat the slowness of cheques.</p>
<p>Parents probably recall when they had to help out a hapless teen or university student with a cash top-up when they were away from the nest, making Paym a potentially essential service. We could pay babysitters, lend a tenner to a friend and cover school trips for our younger children when they’ve forgotten to mention that it’s today.</p>
<p>Additionally, we could find that sole traders, market stalls and micro businesses thrive, knowing that a casual customer who otherwise did not have the cash in their pocket could make an immediate transaction for that artisan product. In fact, I am sure that entrepreneurs out there could find other ways of offering services and encourage Paym-style payments.</p>
<h2>And it is a free service</h2>
<p>Paym assures us that there is little risk in using this service but, as with all financial transactions, it pays to be cautious. Card fraud is a known issue, chip and pin is not infallible and there have been issues with some retailers when using <a href="http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/10398813/Bank-acknowledges-contactless-card-problems-by-changing-rules.html">contactless payments</a>.</p>
<p>There is a transaction limit of £20 and three transactions a day on contactless payments. That means there is still the potential for a £60 fraud to occur. While this is a relatively small amount, it could still cause financial problems.</p>
<p>With Paym, depending on your account and the agreement you have made with your bank, you can transfer up to £250 per day. That’s a significant amount of money if something were to go awry.</p>
<p>For a start, you must take care when entering the mobile number of the recipient. That seems obvious but mobile numbers are 11 digits in length and we’ve all typed in the wrong number at some point. You should also include the name of the recipient in the transaction, via your smartphone or web browser application. But as we all know, there are many John Smiths out there, so the probability exists that you could pay someone other than your friend John Smith.</p>
<p>But because the UK service links bank accounts, users will avoid the most serious type of crime that affects M-Pesa – the robbery or deception of the agents used to deposit money into the system. </p>
<p>With Paym, someone would have to have knowledge of the passwords and other security mechanisms to use your banking app or online account, so you are reasonably well protected in this respect. As you are already a bank customer, the service, like cheque banking, contactless or chip-and-pin, is free for you to use.</p>
<h2>Should you use it?</h2>
<p>This is certainly a payment technology worth trying. I like using contactless in cafes, for example. Paym seems like a useful way for me to give money to family and friends and I can see potentially useful applications for charities, schools, community groups and microbusinesses too.</p>
<p>If you intend to use it, practise with small amounts. Don’t suddenly pay £200 to someone. Give them a very small amount; eventually the opportunity will present itself. Check and double check their phone number. In all transactions, the best way to make sure you have the right number and name is to give them a call on the number you are going to use. This will considerably reduce the risk of unintended errors.</p>
<p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Andrew Smith, Lecturer in Networking, The Open University. Licensed as Creative Commons – attribution, no derivatives.</p>