The Central Bank of Nigeria now requires every Nigerian bank account holder, in order to perform financial transactions, to have what it calls a Bank Verification Number. To receive this 10-digit number, you are required to register your information, along with a digital photo and all ten fingerprints with any bank, which will then be shared with all other banks. Supposedly this is for your convenience and protection.
You have probably already done it, but here’s a heads-up on what dangers you may have been subscribed to.
Data Responsibility
First of all, let’s talk data privacy and protection, because it doesn’t exit. Nigeria has not signed a data privacy and protection act into law, for whatever reason. There was a bill tabled before the House of Representatives in 2010, but it is yet to become law. Coincidentally, the bill was sponsored by the current Speaker of the House, Mr Yakubu Dogara. It provides guidelines on the responsibilities of any organisation which collects personal data, placing restrictions on what, how and when that data may be used. Crucially, it also places responsibility on the organisation in question to protect that data. But without such a law, we remain vulnerable. It is pertinent in this case because the CBN could technically give away, misplace, abuse or not sufficiently protect the biometric data they have collected and still face no penalties because there isn’t a law against it. In fact, quite a few bills relating to data and cyber security have only passed the second reading at best and then lain dormant since.
The Electronics Transaction Bill (nope, still not a law either) is another interesting one as regards the BVN because it sets conditions under which data can be processed, including that the processing must be “necessary in order to protect the vital interests of the data owner” (emphasis my own). One of my arguments here (keep reading) is that my fingerprints do not represent a necessary scope of data to protect my vital interests. The same bill also says that “personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.” Note my emphasis again. Is fingerprint data relevant? I’m not so sure. Is it excessive? That one I’m sure about.
Finally, if/when there’s a data breach, organisations and companies are usually loath to communicate that to those whose data may have been accessed. Government agencies even more so. In fact, if you had to name five organisations that would have a vested interest in not revealing their shortcomings, banks and government would surely have a presence. But more on that in a minute. And so, without legislation that requires them to inform anyone who may be at risk, what are the chances that we would be informed? The way it typically works is that there is an Information Commissioner set up by law which the organisation in question is required to inform when a data breach has been discovered. They are then also required to inform affected data owners within a period of 30 days, or face penalties. Finally, they usually provide free monitoring services to those whose personal information was compromised in the breach. But this is not law in Nigeria at the moment.
Between Literacy and the Literature
Now, Nigeria’s illiteracy rate is set at around 44%, according to UNESCO figures (PDF). In other words, almost every 2nd person here can’t read and write. Technological literacy is way further below. Put those two together and you have a situation where people are told a few convenient facts, and they believe completely that biometric security is infallible.
Look at the terminology used on the BVN website, as well as by the banks running this scheme with them and you get a sense of how perfectly unbreachable this system is. To be fair to them, they probably really do believe it, after being told so many times by biometric companies’ salespeople that it is so.
So for instance, they tell you that BVN, because of its biometric base, allows every bank “to uniquely verify the identity of each Bank’s customer for ‘know your customer’ (KYC) purposes.” This is a good example of misinterpreted concepts of biometric security combined with carefully selected words. Whether they willfully intended to mislead or if it was a simple oversight is impossible to determine. Anyway, for clarity’s sake, the system does not “verify” your identity in any way; all it does is confirm that you are who you said you were when you registered with it. But if that identity you claimed was not your true identity to begin with, there is little chance of the system being able to “verify” that.
“If we pick the wrong week to call normal, then the attacker who is already inside is now in our scope of normal.” – Dan Greer
They go on to say that “The BVN helps to reduce fraud, increase the efficiency of banking operations and also enable customer access to future credit facilities.” Reduce fraud is probably true, albeit in the short term, though one could think of a few ways in which you could do that without creating a massive database of every person who just happens to put money in a Nigerian bank. Efficiency of banking operations also makes sense, but enabling customer access to future credit facilities smells like crap. Anyone who has ever been scammed (hands up, please) probably looked at that phrase and thought it sounded somewhat familiar. It seems to promise credit facilities will be open to everyone who signs up for this, if you “just provide these details first.”
The BVN website also cites “increasing incidents of compromise on conventional security systems (password and PIN)” as the reasoning behind their search for “greater security.” It should be noted that passwords and PINs being compromised usually results either from poor bank security systems, poorly chosen passwords or the account owner giving them up. The first is something that should be taken care of by the bank, the second requires educating account holders on how to develop and use stronger passwords and the last is probably what the BVN is most supposed to counter. The reasoning is likely that if your account is tied inextricably to your person (BVN is being touted as “for life”) then you can’t be forced to divulge it. There are times, however, when it would be in your personal interest to be able to give it up.
In 2005 a man in Malaysia had a Mercedes Benz valued second-hand at about $70,000. The car was configured to use his fingerprint to start the ignition. Unfortunately for the poor gentleman, he was attacked by carjackers who forced him to start the car and then tossed him in the boot. When they found themselves unable to disable the fingerprint security of the vehicle, they chopped off the owner’s finger and left with both it and the car. Of course, chopping off a finger likely will not work in our case because Dermalog, the German company contracted by CBN for this exercise, has scanners with a “liveness detection” feature which rejects any digits that are missing a living owner. But the point is that some security features can actually make you less safe. These kinds of attacks are known as side channel attacks, attack vectors which are non-direct and unconventional and so haven’t been properly secured. As one commenter on the issue argued, the car should have had a feature whereby, after starting the ignition by verifying his fingerprint, an option to disable fingerprint verification becomes available. Arguably, it would have saved him a finger. In the case of BVN in Nigeria, which does not apparently have a backup access method like a PIN, having such an option could mean the difference between theft and kidnapping.
Image credit: www.vocativ.com
Another point worthy of note is a newspaper article from late last year titled “How Hackers Stole N6.3bn From Bank”. I’ll admit, the editor won, because I bought the newspaper. As it turns out, the “hacker” was one of the bank’s IT staff who showed up with some strangers on a Saturday when the bank was closed, supposedly to carry out maintenance on the computers. In a few hours, they had transferred a load of money and then simply walked back out again. This is important not only because of the loose usage of the term “hacker”, but also because the proposed BVN could likely have traced the flow of the money to specific account holder(s) and maybe apprehended those responsible. But is it worth putting the (unchangeable) biometric details of many millions at risk to catch these guys, probably after the fact? Are there no better ways to correct the internal deficiencies that allowed one staff and a couple of strangers unsupervised access to sensitive systems?
But lest you think I am just picking on semantics and poor phrasing to reject the BVN, I will give some concrete reasons why the famed fingerprint security is not so secure after all. That will come in a further article though, as this one is already long enough. But for now…
Understanding the Problem Space
One of my greatest disappointments is how this is marketed as a sure-fire cure for our financial security woes. I believe that what the authorities should really focus on is educating the populace on security practices and vigilance, rather than stuffing us full of promises about how this technology or that system will set us free from worry. This is nothing but a trap. True security is a consistent, ongoing process which requires those who value it to never let their guard down. In their haste to sell the BVN to us, the people in charge are creating an erroneous belief within the populace that “just put your finger here and everything will be alright.” With such belief in the infallibility of a system, you are already losing the security battle. God help us if the banks have also been led to believe that this “magic remedy” will cure all ills. It will only make bank fraud easier in the medium to long term.
Anyway, this all leads me to suspect that the BVN is intended not to protect the millions of people who use banks, but rather to protect the banks themselves. After all, the overwhelming majority of bank frauds are committed by insiders. Just about every bank fraud I have heard of was committed by or with the help of bankers. This brings me to what I alluded to earlier. Banks are one of the organisations least likely to admit when something has gone amiss. In truth, you can’t really blame them. People are sensitive about the safety of their financial assets, and rightly so. After health and, in some cases, family, money is arguably the next greatest concern. If you even venture to suggest a certain bank is vulnerable to fraud, consumer confidence could plummet and put that bank out of business. After all, it wasn’t so long ago that Nigerian banks would fold up without warning, leaving hundreds of thousands, even millions, stranded and destitute. This is why you will rarely hear of bank frauds and, even when you do, the bank’s name is generally redacted from the report. In fact, if the Nigerian banking system resembles that of some other countries, the banks would usually have a certain amount, say N1million, where any fraud under that will be written off, culpable staff members sacked, and the authorities not informed. The authorities anyway don’t have the resources to investigate and prosecute every single bank fraud so they just focus on the big ones. In fact, the way they get banks to alert the authorities on “small” frauds is by promising them anonymity and sharing between all banks who sign up best practices to prevent such frauds, a technique I would like to see applied to information security legislation. And so the CBN may just be in on the details of numerous and rampant frauds in the Nigerian banking sector (there, I said it) and has come to the conclusion that having every account tagged with fingerprints may allow them to track money wherever it goes. After the fact, of course. And while that may sound like a decent enough idea at first, it is missing a key point, as succinctly put by security guru Bruce Schneier;
“If you think technology can solve your security problems then you don’t understand the problems and you don’t understand the technology.”
Who needs a Publisher 