27 Oct 2017
Can we really use the biometric sensors that are built into mobile devices for securing high value and high volume payments in the banking sector?
With the explosion in smart phone banking, financial organisations continue to innovate in the area of customer authentication. Many new use cases are emerging that use a smart phone biometric feature as part of a multi-factor approach to customer and transaction authentication. This could include facial, iris, voice or fingerprint recognition, typically served up via an App that retail banking customers use to authenticate their logon to internet banking and, in some cases, to authenticate individual transactions. The mobile banking App simply uses the hardware features of the smart phone, and for retail banking customers accessing their own accounts and typically making a few lower value transactions, that security level may well be fit for purpose.
All of the biometric modalities listed above are effectively “external” biometric features that can be captured without the knowledge or permission of the individual. There have been well documented cases of fake fingerprints created from gel overlays being used to fool smart phone fingerprint sensors, of high resolution images of face or iris data being used to fool facial and iris recognition systems, and of recorded voice data being used to spoof voice recognition systems. Indeed, Lyrebird’s API can be used to record any voice and then synthesize that voice to generate any phrase such that it appears to have come from the original person.
Aside from the consideration of which biometric is safe to use in a multi-factor setting, the proliferation of the smart phone as a preferred banking channel presents major problems for any bank’s security teams. We need to look at the problem of cybercrime and the huge growth in the number of attacks on the smart phone channel. The sheer number of new threats that are appearing is very worrying. According to Nokia’s March 2017 Threat Intelligence Report, malware struck 1.35% of all mobile devices in Oct 2016 with 85% of those devices being smart phones and the majority of those being Android. The infection rate was 83% higher in the second half of 2016 when compared to the first half. Even more worrying are statistics reported by The Independent in March 2017 showing that over 30 different Android smart phone models, including some from major manufacturers, contained malware when initially shipped to customers, with the malware thought to have been added somewhere along the supply chain.
In the context of the business banking world, the processing of corporate payments is in general large in volume and high in value. The security concerns outlined here should ring alarm bells for any organisation that plans to enable smart phones or other mobile devices for corporate banking without fully considering the security implications of the solution to be deployed.
A multi-tiered approach is necessary. Firstly, an effective end point security strategy is needed and secondly, for biometric multi-factor authentication, the selected modality must fulfil a number of key criteria. As well as being easy to use and simple to integrate with mobile platforms, the biometric scanner needs to be highly accurate with robust security features.
Our view is that these two things need to be addressed independently and that the scanner device needs to be separated from the high risk mobile platform.
Our cybersecurity tools can protect the mobile channel from malware and phishing attempts, and our world famous finger vein authentication technology provides simple to use and highly secure logon and transaction authentication capability. Our “sign what you see” VeinID tools, already in use at Barclays, allow for seamless integration with the major mobile platforms.
A mini VeinID scanner equipped with a PKI smart card connects to the mobile device via Bluetooth and performs the authentication step in creating digital signatures for transactions using traditional PKI tools, based simply on the scan of a single finger. Privacy compliant VeinID data is inside the body and is not susceptible to being captured without the knowledge of the individual.
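As an added illustration (not Hitachi's code and not part of the original post), the Go program below models the “sign what you see” flow with a separate signing device: the device signs only its own rendering of the transaction, the biometric match gates use of the key, and the bank verifies the signature against the transaction it is about to execute, so a payee altered by malware on the phone after approval fails to verify. The device type, the ed25519 key standing in for the smart card's PKI credential, the canonical rendering format and the sample transaction are all constructed assumptions.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "fmt"

// Transaction is the payment the bank asks the customer to approve.
type Transaction struct{ Payee, Amount, Currency, Ref string }

// Canonical is the exact text the separate signing device shows on its own
// display; that rendering, and nothing else, is what gets signed.
func (t Transaction) Canonical() string {
	return fmt.Sprintf("PAY %s %s TO %s REF %s", t.Amount, t.Currency, t.Payee, t.Ref)
}

// SigningDevice stands in (constructed) for the Bluetooth scanner with its PKI
// smart card: the key never leaves it; a vein match (a boolean here) gates use.
type SigningDevice struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewSigningDevice() (*SigningDevice, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &SigningDevice{priv: priv, Pub: pub}, err
}

// Sign signs the device's own rendering, refusing when the biometric match
// failed. The phone only relays the resulting signature to the bank.
func (d *SigningDevice) Sign(t Transaction, veinMatched bool) ([]byte, bool) {
	if !veinMatched {
		return nil, false
	}
	return ed25519.Sign(d.priv, []byte(t.Canonical())), true
}

// BankVerify checks the signature against the transaction the bank will execute,
// so a payee or amount altered by phone malware after approval fails here.
func BankVerify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, []byte(t.Canonical()), sig)
}

func main() {
	dev, _ := NewSigningDevice()
	tx := Transaction{"ACME Ltd", "250000.00", "GBP", "INV-1042"} // constructed sample
	sig, _ := dev.Sign(tx, true)
	altered := Transaction{"Mule Account", tx.Amount, tx.Currency, tx.Ref} // constructed tamper
	fmt.Println(BankVerify(dev.Pub, tx, sig), BankVerify(dev.Pub, altered, sig)) // true false
}
```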
As a one stop shop, Hitachi provides the necessary cybersecurity, PKI and biometric tools to ensure that fast and flexible mobile corporate banking solutions can be served up in the most secure and practical way.
To speak to us about how our solutions can be part of a multi-factor program for securing the mobile channel for corporate banking, please contact us at Banking.Solutions@hitachi-eu.com.