Biometric tech comes to Tangerine

Tangerine’s business model relies heavily on electronic banking; the firm has a minimal physical presence across Canada.

Tangerine is introducing two types of biometric authentication into its mobile app to improve security for users.

The new Tangerine app will receive its first update on Apple Inc.’s iOS. The bank is making its app compatible with Apple’s TouchID system, which analyzes a user’s thumbprint when he or she presses the “home” button.

A subsequent update will come later this year, when both the iOS and Android versions of Tangerine’s new app receive biometric voice authentication, enabling users to speak a pass-phrase into their cellphone to access to their banking. Voice recognition also will enable clients to give verbal instructions to transfer money between accounts and conduct other banking tasks.

Charaka Kithulegoda, chief information officer with Tangerine, says these developments don’t replace the bank’s mobile app’s existing authentication system, which requires users to answer a personal question and confirm an image that was selected previously before entering a personal identification number (PIN).

“This is a choice that we are going to give to customers,” Kithulegoda says, “and it’s an added layer on top of the PIN security questions.”

However, the bank hasn’t ruled out the option of permitting customers to use only the biometric option in the future.

“Biometrics is a secure technology,” Kithulegoda says. “But we need to take customers on a journey to make them comfortable and to educate them.”

Is fingerprint-based biometric technology ready for seamless access?

Several German hackers would argue against that possibility. A year ago, the Chaos Computer Club, a Germany-based hacking group, cracked Apple’s TouchID simply by photographing a high-resolution image of a fingerprint left on a glass surface. The group then reproduced the fingerprint for scanning by using a combination of pink latex milk and wood glue.

“Fingerprints should not be used to secure anything,” says Starbug, one of the hackers involved. “You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

The issue here, as with most cybersecurity technologies, is one of effort vs reward, argues Derek Northrope, head of biometrics at Fujitsu Consulting (Canada) Inc. in Ottawa.

Given the time and trouble required for these types of hacks, Northrope says, the amounts involved would have to be significant to justify a hacker’s efforts.

“It’s a risk-based profile,” he adds. “If I am transferring $100,000, then it’s a different risk than if I am transferring $100.”

Biometric technologies come in various incarnations, each with their own level of accuracy. Some, for example, feature vascular analysis, which can identify a person based on the veins in their fingers. But these types of devices are expensive, Northrope points out, and would roll out to high net-worth individuals first.

Some investment firms contacted by Investment Executive were uninterested in the idea of using biometrics, suggesting that for some, at least, there’s a long way to go before biometrics move from consumer banking into the wealth-management space.

However, there may be opportunities for biometric access that allows investment managers to access their internal systems more securely.

Northrope also says that his company is receiving more queries regarding biometrics for everyday financial applications from outside North America: “The past couple of years has seen a shift to a much greater number of smaller-value programs, such as banking and financial services.”

© 2014 Investment Executive. All rights reserved.