This is the final part of a two-part series on the Central Bank of Nigeria’s initiative called the Bank Verification Number (BVN). It continues on from the first part, focusing on the security issues involved.
Fingertips are arguably the most-used part of the human body. Just about everything we do requires the application of fingers. So while the whole “revelation” about the uniqueness of fingerprints is nice enough, to choose this part of the body as the primary and only security token seems to this writer to be pretty cocky. Sure, we can use it to unlock our phones, which is super convenient. But for something as sensitive as our financial life, I think we ought to ask the authorities to try a little harder. Anyway, on phones the fingerprint data is stored in a separate area of the device and does not leave your phone for any reason, which makes it more difficult to access. Plus it’s optional, meaning you can always use a passcode if it fails. Of course, Apple’s TouchID, which debuted on the iPhone 5s, was hacked after just a day, so maybe even that is not such a great idea.
“Fingerprints can be a useful addition to security but their value depends highly on the type of fingerprint reader and how it is being used – for example, the best use of a fingerprint is to provide a convenient way to unlock something in a medium to low security scenario” – Marc Rogers, intelligence expert and Principal Security Researcher at Lookout Mobile Security
We leave copies of our fingerprints everywhere we go. Every time we use a door, type our number into someone else’s phone, use the ATM, hand over a card or accept a drink, we leave a fingerprint deposit; even the simple act of sitting down does. We have all seen movies where police dust fingerprints off furniture, light switches, drink cans and the like. It is really not that difficult, and the technical know-how is easily available online. There are even easier ways of obtaining fingerprints (mentioned below) than following you around with a duster and a roll of tape. If an aspiring thief decided to personally target you, obtaining copies of your fingerprints would be easier than picking your pocket, and probably a lot safer too, because your fingerprints, unlike possessions, can be lifted without your ever knowing.
Using fingerprints as a security feature is not the ingenious measure that biometric companies’ marketers would have you believe. Fingerprints as a means of identification have been in use for over 100 years, so they are not as new as is being championed. What has changed is the advancing technology, which allows them to be captured and processed more quickly and accurately. And so you won’t be too surprised to hear that your fingerprints can be cloned, and apparently with relative ease.
“It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token” – Frank Rieger
The truth is, researchers have been proving for a while that biometric scanners can be fooled. Back in 2008, fake fingers created by researchers were able to fool biometric scanners 80-90% of the time. Of course, spoof detection has now been implemented by most scanners, and Dermalog (the German company contracted by CBN for this $50m project) is rated as one of the most secure biometric service providers in the world. But the nature of the attacks keeps changing, and it is difficult to predict what form the next attack will take. For instance, few would have anticipated that a hacker would be able to clone a politician’s fingerprints from pictures taken about 10 meters away with a standard camera. Another researcher was able to clone fingerprints left on a wineglass by simply taking a few pictures.
And then a Chinese woman is reported to have had her fingerprints switched to enable her to beat fingerprint scanners at a Japanese airport. The scheme apparently worked and she got in, but she was later arrested for faking a marriage, at which point her deception was discovered. Part of the reason she was found out was that she could not afford to have all 10 fingers switched, and she was caught because of the remaining 3 unchanged prints. This story brings us back to our discussion on side channel attacks. Apparently there is a booming market in China for people who want to have their fingerprints surgically changed, and Miss Ling was the 8th person to be found out, leading one commenter to recommend that “everyone should change their fingerprints at least once a year.” Funny, yes, but it may not be so far-fetched. It would start with the more criminal-minded but, once they have pervaded the system, we all might have to as well.
Security is always something of a cat and mouse game, and even though spoof and liveness detection have been incorporated into most biometric scanners, the attack vectors are becoming more varied with each new technology. As it turns out, we will soon be able to 3D print skin, complete with blood vessels and all, and you don’t need me to tell you what that means for your precious fingerprint security.
Your fingerprints are more or less permanent identification markers, and if someone manages to get a hold of them, you literally cannot reset them. An article aptly titled You Can’t Replace Your Fingerprints (well worth reading) says it all. If someone were able to use any of the methods described to gain access to your account, what would you be able to do about it? With passwords and PINs, a reset is always possible and can be done within minutes. Some organisations even have the added security feature of locking your account for 24-48 hours after a password reset, essentially buying you time to discover the attempted break-in. But when the security is inextricably tied to your person in the form of fingerprint recognition, the water gets a lot murkier. First of all, especially where credit facilities are concerned, you are going to have an incredible task convincing the banks that you are who you say you are when you say you are, but at other times you are not. Keep in mind that no other form of identification will be required to access your account. Indeed, the thief wouldn’t even have to go to your bank; he could just as easily open an account in a different bank with your fingerprints and take out a loan, maybe another mortgage. When they come around to repossess your home, the burden will be on you to prove your innocence, despite your fingerprints being found at the scene of the crime.
But the hacks mentioned above work best when a particular individual is targeted, meaning that only a small percentage of the population will be affected (though likely the richest percentage). So what about mass fraud? Well…
Ironically, in order to have all 10 of your fingerprints captured for the BVN, you are required to provide identification (national ID card, international passport or driver’s license) which is issued by a government agency that has already captured the very same fingerprints. I have been informed that there are up to 19 different government agencies collecting fingerprints as a form of identity verification. That means 19 different points where hackers could gain access to millions of fingerprints. And you can bet your DNA that those agencies are acting independently of each other, otherwise there wouldn’t be 19 of them. The likelihood of at least one being breached is pretty high, then. It has not happened yet (as far as we know), but that is likely because there has been little financial benefit in harvesting the biometric data of Nigerians. And criminals, as we know, are motivated by profit.
But you might argue that Nigerian criminals are really not that sophisticated at the moment and not likely to go through the trouble. Fair enough.
“Security is rarely static. Technology changes the capabilities of both security and attackers.” – Bruce Schneier
But Nigerian cyber criminals have been evolving from their usual scams and beginning to look at ever more complex ways of defrauding not just individuals, but businesses as well. Researchers have also discovered that Nigerians are communicating with Russian cyber criminals, probably obtaining malware and other such toolkits from them, if not learning how to create their own. As noted in the research, though Nigerian cyber crime has historically been very rudimentary technologically, the criminals have been rather good with social engineering, essentially using ‘people skills’ for their fraudulent activities. Combining this with the technical expertise of Russian hackers could make for a noteworthy adversary, if they ever decided to join forces. With this BVN, we may have just given them more reason to do so. In fact, in an informal survey of security professionals, it was found that social engineering is one of the biggest security problems we face, probably because of how difficult it is to create protection measures against. This, in my view, means that the need for better security training and practices should trump adoption of new technology, however promising.
Am I being too paranoid? Maybe. Or maybe the people in charge of this scheme are not being paranoid enough. Remember, this is not some temporary patch to plug a loophole they are implementing. The fact that they are calling the BVN “for life” means that they probably have no intention of EVER deleting your biometric data, whether you have closed your accounts and left the country or passed out of this world. After all, it doesn’t specify whose life, and there are solid arguments for keeping the biometric data of the deceased, for instance to prevent criminals from re-registering with their details. Which is why I fear that we are going down a deep, dark rabbit hole to unknown destinations just as flippantly as dear Alice.
Technology can help save banks a lot of money, that is true, but I would venture to call lazy thinking an approach which assumes that simply gathering people’s biometric data and using it to secure the front-end of the banking process will solve the problems. I would have recommended an approach which is admittedly more difficult, though it also uses technology (even biometric technology, if you like it so much). My recommendation would have been to use technology to tighten up the banks’ internal processes, identify and keep track of staff across the entire sector, as well as verify things like whether defaced currency has been properly disposed of. I can’t be the only one who has walked up to an ATM machine and laughed at the pop-up message declaring that “This copy of Windows is not genuine.” And while they haven’t rolled out biometric ATM machines yet, the point is that when one of the biggest banks in the country is using a pirated operating system, then you should know that the most urgent problems lurk within.
Finally, I fail to understand why the BVN was forced upon us rather than made optional, as Kenya did when it introduced a similar system back in 2013. I would have liked to see it as an opt-in procedure, though banks would be free to require all their staff to comply. That way, if you choose to do it, your transactions are simpler and faster. Those of us who are extraordinarily attached to our fingers, however, should be willing to go through more stringent checks when making transactions. Personally, I wouldn’t mind the extra few minutes I would have to spend at the bank each time. Besides that, being able to fall back to a system less dependent on a single database or network is of significant value if (read: when) the unexpected happens. But by discarding our ability to retreat to a known system, however cumbersome or slow, we are essentially throwing all our eggs in the tech basket, after clear warning signs that it is not all rosy in there.
The reason why reducing OPM to low tech paper may help things is akin to why taking the Bugatti keys away from an irresponsible teenager prevents an accident from occurring. “Just take the skateboard kid. It’s really all you can handle.” – Richard Fernandez
The way I see it, most bank frauds are inside jobs anyway. And if you have people on the inside actively looking for ways to break the system, there is little that me giving them the finger can do to prevent it.