Monday, 23 March 2015

Biometric banking

This BBC article talks about various technologies for banking using biometrics.  I’m familiar only in principle with most, but I know a bit more about the Nymi solution and I think it’s a little undersold.

Nymi is a wrist band which authenticates its wearer by sampling her ECG.  When she takes it out of the box, she records her ECG by touching a panel on the band.  This data is encrypted and stored on a device such as her desktop machine or phone.  Then when she puts on the band in the morning she sits in Bluetooth range of that device and touches the band again.  This takes another sample of her ECG and matches it against the stored one.  If it does, the band is considered ‘activated’.  If the band is removed or cut, it is no longer activated.

The activated band can then be used to set up relationships with programs running on other devices and thereafter used to authenticate with those devices. 

The most obvious use for this is to automatically log in a user when she sits down at her machine or unlock her phone when she picks it up, but there are more interesting possibilities, including banking.  With an activated band, there’s something the user has (the band) and something they are (her ECG).  Personally, I’d prefer systems that required something I know, as well.  The Nymi band can recognise gestures, but that doesn’t seem like a very good solution for banking, for obvious reasons.  I think a PIN would be fine; different PINs for different payment methods, preferably.

This isn’t a bad scheme.  Removing the band deactivates it so that nobody else can use it.  It can only be reactivated when the user is in range of (and logged into) the authenticating device.  There are some concerns, of course.  This is a new device (not available commercially yet, I have the developer version).  It has yet to be seen whether its security is up to scratch.  There are several potential vectors for attack and I’d like to see a better track record before I used the band for banking (certainly without a password or PIN).

But I like the approach of the biometric sampling being secondary and never – in theory – out in the wild.  It seems a lot more difficult to steal and replicate my ECG without my knowledge than it is to replicate my fingerprints or – I assume – my iris. And if I ever find myself in a spy movie, at least nobody will cut off my finger or pluck out my eye to get at my stuff. They’d just have to force me to comply with their demands then kill me.  Wait… I think I just found a flaw…

Note: Nymi claims that the consumer version of the band will ship with Bitcoin payment and it has been doing banking trials with the Halifax.  I’ve no idea whether the first claim is true (Nymi has delivered much of what it promised but on a much slower timescale than it expected) and I’ve no idea how the Halifax trial went.

No comments:

Post a Comment