Australia's big four banks are a house divided over the introduction of biometrics identifiers to control fraud, with the National Australia Bank pouring cold water on the introduction of fingerprint identification for its customers.
Speaking at a banking technology conference in Sydney, NAB's senior operational risk manager, Kayelene O'Neill, said that banks need to consider the possibility that when they moved customer authentication to a biometric standard - a standard where a customer literally carries an identification factor as part of their body - that the individual may be targeted by crooks as a means to gain access to either funds or other items of value.
"The risk with biometrics is that you increase the risk to the user," O'Neill said, adding that a recent incident in Indonesia had seen a wealthy businessman's finger "lopped-off" in an attempt to gain access to his luxury car, adding that the crime gang involved appeared to have "got sick of carrying him around".
Such horror stories do not appear to have daunted Westpac, which for the first time confirmed it is considering fingerprint technology to reduce fraud on high value Internet banking transactions.
According to reports, Westpac CIO Michael Coomer says his bank is in negotiations with competitors ANZ and the Commonwealth Bank to develop biometric standards for an upgrade of Internet banking which may cost as much as $700 million across the retail banking sector.
However, NAB's O'Neill expressed some caution over whether biometrics can be regarded as a technological magic bullet, or a panacea to fraud. Pointing out that users who wanted to use fingerprints for identity verification to conduct Internet banking would need new hardware, O'Neill stressed that once an identifier was sent over an the Internet it could become susceptible to a classic "man-in-the-middle attack"; where a user's log-on session is monitored by an unauthorized third-party who then obtains either a password or other authorization factor.
"Fingerprints on a PC can be compromised by a man-in-the middle attack," O'Neill said, adding that secure biometric identification over the Internet may prove "very hard" because "you have to make sure you have all the right body parts".
As fingerprints are unique to a user, and also limited in number literally by nature, any potential loss of fingerprint information has far wider implications for users because it could also be misused - meaning that a person's fingerprints could become effectively useless as an identifier for the rest of their lives.
O'Neill said a more functional approach in terms of risk was to look at "scalable security" where the higher the value of the transaction, the better the authentication protocols.
Professor Bill Caelli, Queensland University of Technology IT security expert and critical IT infrastructure adviser, speaking at the same conference, said PCs were simply not suitably secure for banking transactions.
Fitting external "PIN-pads" which were fitted with end-to-end cryptography for end users to securely type in their identification details was one way of beating man-in the-middle attacks, he said.