Westpac tests fingerprint scanning for mobile banking login

Will the Template Matching be done locally on the Phone, or will it be done back to a Server. This is an important issue/question. And moreover, what will be the Credential process, it cannot simply be the Finger scan. 

Mark Anderson asks a very good question. 

Paypal recently launched a fingerprint secured payment app also running on the Samsung Galaxy 5S. Paypal's app was very carefully designed to the new FIDO Alliance standards, which prevent biometric templates leaving client end points.  All matching is done on the remote devices.  (Paypal is a founder of the FIDO Alliance and a major contributer to the protocols). 

Was the Westpac app build using FIDO protocols and principles?

The Galaxy S5 fingerprint scanner can be easily spoofed according to http://bgr.com/2014/04/15/galaxy-s5s-fingerprint-scanner-hacked/

Fingerprints are more like a username than a password, they identity you but don't authenticate you.  You leave copies of them everywhere you go and you can't change them short of a skin graft.

Every time there's a new major hack (eg. heartbleed) we're told we should all change all our passwords.  How is a password that you can't change a good thing ?

I guess this goes back to Fraud Economics - a discussion I have had many times over the years – Costs/Risks versus Rewards.  In the unlikely event someone does manage to steal my phone how long will it take for them to establish which finger I have configured on the device and produce the replica – probably longer than it takes me to realise it is stolen and remotely wiping all the data (effectively bricking it).  Even if they do manage to do this all without me noticing the device is gone the most they can do is buy a cup of coffee on my phone (as it doesn’t have NFC or a Mobile Banking app that accepts fingerprints as a valid authentication method).  Maybe they could fence the coffee second-hand to liquidate their investment?

As Stephen says Paypal have launched a fingerprint-secured payment app for the S5, you can buy a lot more than a cup of coffee.  Copying a fingerprint is very quick and low-tech as that video makes clear, within the ability of any thief.

Of course the odds are good the victim of such a theft can successfully persuade Paypal to cancel the payment, but that just pushes the risk onto the merchants.  Who already have plenty of cause to protest high levels of fraudulent charge-backs.

Mark Scott would be right that fraud economics is the proper way to look at this -- if we had the data to do the calculations. But we don't.  We do not know the real life False Detect Rate of biometrics solutions.  We do know that they are much worse than the laboratory measurements occasionally released.   There are no standards as yet for spoof resistance; there isn't even agreed terminology for liveness detection.  All we have is peoples' calming guesstimates that the Galaxy S5 and the iPhone 5S are "secure enough".  This is not how professional information security should be done. 

The serious problem in all this is that while the security situation is lax and adh hoc, consumers are being told that biometrics is the way of the future.  We already have talk of cloud biometrics, and 'ubiquitous' biometrics for the Internet of Things.  But the das truth is this technology is not well understood even in the lab.  There are few if any standards, and no field data.   

You cannot do security by guess work.  "Near enough" is not good enough, not when vendors are agitating for broader consumer uptake, and at the end of the day, there is no way to cancel and recover from a stolen biometric. 

The inStore PayPal App requires a second layer of PIN authentication to access - and looking at the limited number of merchants accepting it - unless the fraudster was desperate for new clothes it is unlikely to have any benefit - there are no Electrical or High Value (Jewellery) Merchants accepting this so nothing of any substantial fencing/resale value - hence my comment on Fraud Economics. Fraudsters tend to go for the easy and more lucrative route (also considering the risks associated) whilst academics and researchers have other objectives...

Matt the PayPal inStore app may need a PIN but the PayPal mobile app doesn't: only the fingerprint scan.  The app allows both purchases and money transfers so we're not talking about just coffee and clothes.

I'm not an academic, my interest is how merchants might be affected.  Especially any increased risk of charge-backs (whether fraudulent or genuine) and the likelihood of higher transaction fees, perhaps justified by proprietary technology.