Biometric passwords and online payday lenders

5 July 2017

As a leading online payday lender, 247Moneybox.com has always considered itself at the cutting edge of technological development and innovation. Offering a straight-through application process for its payday loans necessitates applicants providing sensitive information relating to their pay, banking details and employment. As such, security, particularly data security, is of the utmost importance.


Ransomware attack

Secure data

All data captured across the site is encrypted in transit using Transport Layer Security (TLS) protocols. TLS has been adopted as the standard security technology for setting up an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains confidential and hidden from prying eyes. Good to know if you're putting your personal data into a site when applying with a payday lender.

As is common with other payday lenders, both in the HCSTC industry and beyond, the firm operates a customer account area where returning customers can log in to a secure account and view their borrowing history and saved personal data, as well as apply for new borrowing or restructure their existing borrowing. As you would expect, this area is locked down by a strong password policy.

How does it work?

Well, one way biometrics can work is to use the pre-existing hardware and software common to devices such as phones and tablets. Many phones now have a built-in fingerprint scanner. Operating system manufacturers have allowed developers to effectively hook into this feature and verify the user without the need to store the biometric data themselves.

Voice recognition works in a different way. The concept is that the software installed by the verifier reviews 100 or more unique identifiers in an individual's voice. For example, the software monitors things like the cadence, accent and pronunciation of the voice. In addition, it looks for indicators in the sounds that point to the size and shape of the larynx, nasal passages and vocal tract. Storing this aural signature and matching it when the user logs in again is meant to be a robust and secure way to log in.

Can voice recognition be compromised by a mimic?

According to the proponents of the technology, voice recognition is as safe as any other form of biometric security. Software and humans hear sounds in very different ways. To the human ear, mimicry is sometimes very accurate, but it is a far cry from matching all 100 distinct characteristics that the software is looking for.

My voice changes all the time?

The large number of variables analysed by the software should in theory cut through slight variations in some of the variables to give a score based on the probability of a match. Whilst some aspects of your voice may well be compromised by a cold, say, the weight of the unaffected variables will be enough to conclude you are indeed the owner of the matched voice. The way you pronounce words, your accent and cadence remain constant even if you've had a few drinks!

But just how safe is this new technology?

Typically, a device will have the fingerprint scanner embedded in a multifunction key such as the home button. The software will also most likely be stored in an encrypted section of the handset. At the outset, you will typically be asked to set up alternative passwords as secondary security. During the set-up process the software will ask you to move your chosen finger around the pad. As you move your finger pad around the scanner, it detects a small electrical charge naturally given off by your skin. This is the same technology that is used to operate the touch screen and explains why you can't operate a device wearing woolly gloves!

In addition, the technology utilises a radio frequency scanner to analyse the fingerprint on the living tissue a few layers down from the surface. Note the living part here, which explodes the Hollywood myth that you can use a recently severed finger to open the bank vault! Whilst on the subject, another myth is that a criminal could use an eyeball on a stick to access the bank vault or wherever they are trying to gain access to. However, this won't work either. For starters, removing an eyeball intact without damaging it takes surgical skill and instruments. Secondly, retinal scanners require blood flow across the eye to work. Another film myth bites the dust. Sorry.

Another important security feature to note is that the fingerprint is stored on the device itself and is not transmitted anywhere else where it could be compromised and used nefariously.
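
One common way a site can rely on the device's fingerprint check while the fingerprint stays on the handset, shown as an added example (not code from the firm or from this article): the device holds a private key that is only used after a successful local scan, and the server stores just the matching public key. The Ed25519 key pair, the `fingerOk` flag standing in for the scanner, and every name below are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

// Device side: the private key never leaves the device. The OS only uses it
// to sign after a local biometric match (simulated here by `fingerOk`).
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // the only thing sent to the server at enrolment
    sign(challenge, fingerOk) {
      if (!fingerOk) return null; // scanner rejected the finger: nothing is signed
      return crypto.sign(null, challenge, privateKey);
    },
  };
}

// Server side: one public key per account; no password, no fingerprint data.
function makeServer() {
  const accounts = new Map(); // user -> public key
  const pending = new Map();  // user -> outstanding random challenge
  return {
    enrol(user, publicKey) { accounts.set(user, publicKey); },
    challenge(user) {
      const c = crypto.randomBytes(32);
      pending.set(user, c);
      return c;
    },
    login(user, signature) {
      const c = pending.get(user);
      pending.delete(user); // each challenge is usable once, which blocks replay
      const key = accounts.get(user);
      if (!c || !key || !signature) return false;
      return crypto.verify(null, c, key, signature);
    },
  };
}

// Constructed walk-through: a good login, a replay, a failed scan, a stale signature.
function demo() {
  const device = makeDevice();
  const server = makeServer();
  server.enrol('alice', device.publicKey);
  const sig = device.sign(server.challenge('alice'), true);
  const ok = server.login('alice', sig);
  const replay = server.login('alice', sig); // challenge already consumed
  const rejected = server.login('alice', device.sign(server.challenge('alice'), false));
  server.challenge('alice'); // fresh challenge, old signature
  const stale = server.login('alice', sig);
  return { ok, replay, rejected, stale };
}
```

A breach of the server's account table in this model exposes public keys only, which cannot be used to sign a login challenge.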

Alternative biometrics

Voice and fingerprints are not the only biometric identifiers out there. The technology has been in place for some time, but what is catching up is mass use of the capable hardware and software. It took time for adequate processing power to be available at an affordable price in people's pockets. Without this there was little to no incentive for, say, a bank to invest in the technology and offer it to their customers.

Alternative biometric technologies that are out there and also still in the pipeline include:

  • Heart-rate recognition, which detects and reads the unique pattern our beating heart produces
  • Vein-pattern recognition, which distinguishes the unique pattern of your veins, most often in your wrist, arm and hand
  • Iris recognition, which maps the unique pattern of your iris
  • Retina recognition, which works in a similar way to vein-pattern recognition but within the eye.

Further out in the future, some systems being developed analyse other unique patterns that we subconsciously display in our behaviour. For example, the way we type on a keyboard, move the mouse around, apply pressure to a click etc. may be a manifestation of the way our brains are wired, which is incredibly unique. Whether we can trust this more intangible trait is another matter, but then again, a fingerprint scanner in your phone would have been equally futuristic just 15 years ago.

Passwordless authentication

Leaving the world of biometrics aside, there are other alternative technologies that may hold the key to the direction of travel over the coming years. There are initiatives out there that will do away with any form of password altogether and also not rely on any biometric data. Intriguing, right?

Passwords are dead. The next step will be to leverage a kind of virtual blockchain for storing authentication hashes. As a result, the server doesn't need to store anything sensitive that could be compromised. Cool huh?

Keeping customer data safe is just one of the firm's commitments to treating customers fairly. To see more about how customers are at the heart of the business, see our Responsible Lending Principles page.

Summary

Whatever the future for passwords, staying safe online is of paramount importance. As an online direct payday lender, we need to work in partnership with our customers to ensure that everyone feels safe and secure when using our services. As new technologies come into play it's important that we don't lose sight of the main function of a password and stray too far the other way into convenience. We would love to hear what you think about the future of passwords and encryption and what you think organisations should be doing to help you stay safe online. Get in touch via our social media accounts and let us know.