Meaghan Johnson, director of research at the fintech consultancy 11:FS, has revealed severe security vulnerabilities in two mobile banking applications. The flaws could let an attacker gain access to a victim's bank account using nothing more than a photograph of the victim.
Severe Troubles with Biometrics in the Banking Apps
The researcher found serious weaknesses in the biometric login features of two banking smartphone apps. Both apps ask the user to blink a few times in front of the camera before granting access to the banking platform, a check intended to prove that a live person is present rather than a still image. Johnson fooled this check using the Live Photo feature of an iPhone, which captures a short clip around each photo so that users can share it as a brief animation. A 5-second animation of the account holder blinking was enough to bypass the banking app's security.
The bypass only works where facial recognition is the sole factor authenticating the user.
The researcher said the Live Photo bypass succeeded against the app of a major bank in the USA and that of a smaller competitor in the United Kingdom.
Banking policies generally require additional controls, such as two-factor authentication, to confirm that the user is the legitimate owner of the account. Atom Bank, suspected to be one of the affected banks, stated that biometric identification is offered only as an option in certain cases: users must first designate a specific device for login and must also set a device PIN.
The bank also blocks jailbroken devices and has added further measures to strengthen security. Users who bank from a smartphone should be cautious and enable the available security options, such as PIN code access and two-factor authentication, for maximum protection.
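To make the two points above concrete (why a fixed "blink a few times" prompt is replayable, and why the biometric result should never be the only gate), here is an added illustrative simulation; it is not code from 11:FS or from any of the banks mentioned, and its action vocabulary, the recorded-clip representation and the policy function are constructed assumptions.

```python
import random
import time

# Constructed action vocabulary for the simulation; the article only mentions blinking.
ACTIONS = ("blink", "turn_left", "turn_right", "nod", "smile")

# A "recording" is modelled as the sequence of actions a face detector would extract
# from a clip. This one stands in for the 5-second Live Photo of the victim blinking.
RECORDED_CLIP = ("blink", "blink", "blink")


def fixed_blink_check(observed, min_blinks=3):
    """The weak design described in the article: any clip with enough blinks passes."""
    return observed.count("blink") >= min_blinks


class LivenessChallenge:
    """Per-session, single-use, expiring challenge issued by the server.

    A clip recorded before the challenge was generated cannot contain the randomly
    chosen sequence, so a replayed animation fails regardless of image quality.
    """

    def __init__(self, length=4, ttl_seconds=20, rng=None, now=time.time):
        self.rng = rng or random.SystemRandom()   # injectable for deterministic tests
        self.now = now                            # injectable clock
        self.expires_at = now() + ttl_seconds
        self.sequence = tuple(self.rng.choice(ACTIONS) for _ in range(length))
        self.consumed = False

    def verify(self, observed):
        """True only for a fresh, unexpired challenge answered with the exact sequence."""
        if self.consumed or self.now() > self.expires_at:
            return False
        self.consumed = True  # one attempt per challenge, whether it passes or fails
        return tuple(observed) == self.sequence


def authorize_login(liveness_ok, device_enrolled, pin_ok):
    """Biometrics are one factor; a designated device and PIN are still required."""
    return liveness_ok and device_enrolled and pin_ok


if __name__ == "__main__":
    print("fixed prompt, replayed clip:", fixed_blink_check(RECORDED_CLIP))  # True
    ch = LivenessChallenge()
    print("challenge issued:", ch.sequence)
    print("random challenge, replayed clip:", ch.verify(RECORDED_CLIP))      # False
```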
As more banks adopt biometric identification as a login option, or even as the only way to sign in, the number of exploits of this kind will surely grow. Showing your face and smiling at facial recognition software is a more convenient way of logging in to your bank account, but everyone should be aware of the risks involved.