Symantec says biometrics isn't the answer for protecting against financial fraud

With Australians to soon transfer money in near real-time, banks will need to up their fraud detection capabilities, but Symantec's local CTO has said biometrics isn't the way to do that.

In the coming months, Australians will be able to transfer money between one another using only a mobile number or email address, with the country's New Payments Platform (NPP) allowing for the near real-time transfer of funds between bank accounts, regardless of the financial institutions involved.

While the NPP has been touted as great for consumers, Nick Savvides, Symantec CTO for Australia, New Zealand, and Japan, told ZDNet it is an even greater opportunity for attackers as they will have the ability to move money quickly.

Currently, when money is transferred it gets lodged in batches that go through a clearing house, with the big four banks in Australia running their own batch clearing practice; there is also a collection of second-tier clearing houses that perform transaction clearing. These transactions are held for a number of hours to allow batch analytics to be run thoroughly and for time to isolate dodgy transactions.

Under the NPP, banks will have 30 seconds to clear the settlement and forward the funds.

"So now, all of that infrastructure that is built to do batch analytics doesn't exist anymore and they need to work in real-time, which means we now have to trust the authentication method," Savvides explained.

"One of the things I personally have been working on over the past two years is helping our customers move to stronger mobile apps to be able to facilitate NPP while reducing that risk because they know they can no longer do that batch analytics."

One thing working in Australia's favour is that financial institutions had the ability to watch their peers in Europe undergo a very similar shift.

"When the Europeans did this with PSD1 [the region's payment services directive], there was a massive spike in fraudulent transactions -- in the first quarter three-times the previous -- because the European banks were not ready for PSD1," Savvides said.

"We've learnt from that here and our financial institutions are really trying to do that."

Under the NPP, a person's financial institution will generate a Pay ID for them, which is registered against the NPP as an identifier for that person. Money will then be routed to and from that ID, which is also mapped against a specific bank account.

"The best thing that you have in your favour [right now] with financial institutions is the time it takes for money to go through," he said. "The big risk with NPP is the speed of processing payments."

Banks in Australia will need to ensure they are able to catch the fraudulent transactions in less than 30 seconds.

Despite the hype around biometrics and its place in the finance sector, Savvides isn't convinced it is the right solution when it comes to authenticating NPP transactions.

"It's OK in closed scenarios like passports and other places like that where it's a closed ecosystem, but in an internet-enabled world I don't like the idea of biometrics being collected," he told ZDNet.

"The other thing is that the amount of data that you're going to collect and then store, I don't think is going to give you enough to do very strong biometric authentication because you're always going to be limited by the sensors on the device.

"Even a sophisticated system, like Apple's FaceID, which is probably best-in-class right now, has been fooled using a mask. That's pretty advanced -- how is that going to translate into an online world?"

He said that perhaps biometrics in the future might be capable of developing trust based on a person's walking patterns, for example, but he isn't confident with where the technology is at now to be the key for instantaneous verification.

"These are things that we need to start considering, but they're not good enough in their current state. It is one thing that you can use, but it's not the one thing alone," he added.

PREVIOUS AND RELATED COVERAGE

Voice biometrics could curb fraud under new payments platform: Nuance

Nuance has eyed a place within Australia's new payments platform to curb fraud using voice biometrics.

Biometrics centrepiece of new Visa security roadmap

The financial services giant has launched its 2020 and beyond roadmap first in Australia, focusing initially on biometrics for payment authorisation, '3-D Secure' fraud detection, and pushing the use of tokenisation.

Intel demos 5G facial-recognition payment technology

Intel and Foxconn have demonstrated use cases for 5G-based edge computing facial-recognition technology across payments, smart retailing, and access to residential and business buildings.

Australian national security COAG says yes to facial biometric database

The group of Australian state and territory leaders has unanimously approved the prime minister's request for a country-wide database of citizens' driver's licence details..

Why your heart could be the next biometric security feature for your smartphone (TechRepublic)

A team at the University at Buffalo has discovered a method that uses the heart's measurements to determine user identity.