Andrew Tryie, the chair of the UK government's influential Treasury Select Committee has called on banking industry regulators to develop action plans and policies to protect consumer interests in light of the increasing use of biometric technology to access accounts.
In letters to the Prudential Regulators Authority and the Financial Conduct Authority on the resilience and security of bank IT systems, Tyrie raises concerns about the growing trend for biometric access to customer accounts.
The letter says that the Committee has heard evidence that biometric data can be "relatively easily obtained by fraudsters".
Noting that compromised biometric data cannot be changed by the customer, Tyrie writes: "Banks and regulators will need to plan for what they will do if biometric details are lost and/or illegally obtained by third parties. They will also need to consider how affected customers will be compensated; they may be unable to persuade their banks to release all the technical details needed to pursue their claim in court. Are you concerned about this? if so, what is being done?"
The letter comes to light just days after Kaspersky Lab said it had uncovered evidence that members of the criminal undergound are offering to sell ATM skimming devices capable of stealing victims’ fingerprints. Several other underground crooks are also researching devices that could illegally obtain data from palm vein and iris recognition systems, says the firm.
Thieves are also discussing how to fool facial recognition biometrics, looking into the development of mobile applications based on placing masks over human faces and imposing photos taken from social media.
Olga Kochetova, security expert, Kaspersky Lab, says: "The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image.
"Thus, if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way."
In September last year, the US Office of Personnel Management warned that hackers who breached its systems over the summer made off with the fingerprint records of 5.6 million individuals, raising questions over the security of biometrically-protected identities.
