No company or consumer is safe from cyber-attacks, and financial services firms represent a huge opportunity for hackers. Protecting clients’ information and accounts is as much about developing technology that’s difficult for a hacker to overcome as it is about educating consumers about their behavior. Simple passwords aren’t secure, but considering the amount of business consumers conduct online, remembering long strings of numbers and letters that are distinct for each website is unrealistic.
Technology providers are combating that in different ways. Companies like LastPass save and autofill passwords so users can easily create the kind of difficult passwords recommended by security experts. Others offer USB tokens that are used in addition to passwords; hackers must have both the token and the password to break into an account.
Hoyos Labs, a New York-based digital infrastructure security company, has created software that uses biometrics to authenticate a user. The firm’s HoyosID identity assertion platform can be used to access websites, doors and now ATMs, according to the company.
Biometrics are “the way of the future,” Hector Hoyos, CEO of Hoyos Labs, told Investment Advisor in February. “The password is dead.”
Banks can use Hoyos Labs’ software to modify their existing customer app and their back-end server software, which will produce a QR code for the customer on the ATM screen, Hoyos said. The bank customer will open the app on her phone and scan the QR code that appears on the ATM.
“That sends a message to the back-end system of the bank that returns an authentication request to your phone. You look at your phone and of course your biometrics matches you and sends a message to the bank saying, ‘Yes, this is Hector,’ and out comes your cash,” Hoyos said.
The QR code is generated using biometric open protocol standard (BOPS), a standard patented by Hoyos Labs and certified by the Institute of Electrical and Electronics Engineers. “BOPS is the framework that establishes all the rules for the way in which biometrics need to be implemented in end-to-end identity assertion platforms,” Hoyos said.
Liveness is another level of biometric protection. If a hacker uses a video or photograph of a potential victim to try to get past iris or facial recognition technology, liveness can identify those images as false and deny access, Hoyos said.
Active liveness prompts users to complete an action, such as a smile, frown, raise their eyebrows or wink. The firm is working on passive liveness, which instead of requiring the user’s participation will detect “the way light particles hit your cornea and how they’re absorbed, because the way that light particles are absorbed by human tissue is different from the way light particles are absorbed by paper or glossy paper or a video screen.”
Hoyos stressed the importance of distinguishing between authorization and authentication. With authorization, he said, “you may have somebody at an ATM claiming to be you, asking the bank to dispense money to them.” If the user has the right credentials, he or she can be authorized. With authentication, though, the system will “validate the identity of the person, plus it’s going to validate the identity of the device, and then it’s going to make sure that device is owned by the person whose identity has been verified,” Hoyos explained.
Biometrics are already being used by many different companies, Hoyos said. “Our company itself is engaged with probably about a dozen different companies at different levels of deployment to do everything from having the bank employees access their enterprise system, tying biometrics to active directories, [to having] customers access Internet banking and mobile banking,” Hoyos said.
Hoyos Labs aleady uses multiple biometrics to protect users’ identities, and Hoyos predicts the entire industry is moving in that direction. “Let’s say you have one lock on the door to your apartment, versus having two locks or three locks. If you have two locks, your apartment door’s going to be more secure. If you have three locks, you’re going to be even more secure, but it’s going to be more inconvenient. You have to use three different keys, or maybe you have a master key for all three of them, which would defeat the purpose. The point is, if you combine multiple biometrics, it’s the same thing as having multiple locks on the door. As you combine more locks, more biometrics in the same transaction, you enact more barriers to entry to the hacker.”
The HoyosID software can be used by any size firm, Hoyos said, even if the IT department is only one or two people. The cost of the service is based on each user per month. “In the case of active directory, for example, which is for employees to have single sign-on to their systems, it could be anywhere from $15 to $20 per year per employee. In the case of customers, it’s a fee that could be anywhere from 25 cents to 50 cents per customer per month,” he explained.
Hoyos noted that biometrics don’t represent a final step in preventing fraud. As long as there’s money to be made, there will be criminals ready to steal it. What this technology does provide, though, is “degrees of security.”
“Criminals and fraudsters are always going to outsmart these technologies. There’s no technology that’s 100% failsafe or foolproof. That doesn’t exist, and if anyone tells you that, you should immediately stop talking to them,” he said.