Could a heart attack lock down your bank account in Halifax?

happygeek

Halifax is the town in West Yorkshire where I live, and it also happens to be the name of a well known UK Bank which started life there. Best known on this side of the pond for TV adverts featuring a friendly chap called Howard Brown, a former customer services representative and sales ambassador for HBOS which owns the Halifax. If recent reports are correct, then before long the Halifax could also gain notoriety for replacing passwords and PIN codes with bio-metrics. Not just any old biometrics mind, none of this old-fashioned fingerprint scanning malarkey for Howard and co; the Halifax wants to verify customer identity using their heartbeat.

With wearables becoming the media luvvie dish of the day, and not just in the tech media space either now that Apple is entering the market for fashion conscious hype junkies, the Halifax would appear to be following suit and assuming that customers will be happy to wear an electronic tag. OK, not the kind that some offenders are required to sport but rather a Nymi wristband. I think that not only is that assumption wrong (my elderly mother would certainly not wear one and nor, for that matter, would my punk rocker teenage son) but the Halifax are equally erroneous when it comes to the identity verification side of things as well.

OK, so what are we actually talking about here? Well, according to Wired magazine Halifax is testing out the use of a Nymi wristband for online account identity verification when coupled with a companion access app. The idea being that only if the account holder is using the device it has been originally paired with using Bluetooth, and is actually wearing the band, would it verify when they touch the built-in sensor with their opposite hand. It should be said that Halifax isn't the first bank to test the technology, Wired reports that the Royal Bank of Canada has already run a test on some 250 staff and customers during a trial period. One assumes that RBC were happy with that, and Halifax appears to be happy that the device is better than either fingerprint or iris scanning as it repeats the claim that heartbeat pattern recognition cannot be replicated fraudulently.

This is where I start getting slightly concerned about the notion. Not that I think it would be easy to fool the Nymi, although I'm always open to the possibility that it can be done somehow, but more because I'm worried about the accuracy of the verification. You run an application to check your heartbeat pattern on your computer using the Nymi, and that pattern is then stored on the wristband itself. This data is then stored cryptographically within the hardware, with applications requiring explicit user permission to access it. Once paired with the relevant banking app via Bluetooth you can only access your account if your heartbeat pattern is recognised. The chances of two people having the exact same pattern, and using a Nymi paired to your mobile phone, are so remote as to be of little consequence. What's more concerning though are the chances of your cardiac rhythm not being the same as the recorded pattern when you come to access your bank account. My mother has heart failure, and across many years of heart attacks, stents, valve bypasses and medication I understand that her electrocardiogram has changed. I'm yet to be convinced that the Nymi would be able to recognise her ECG wave given some of the more dramatic changes that can take place. I appreciate it can record snapshots across the day to allow for regular variations, but heart disease and mechanical dysfunction are surely another story altogether. This is where things get a little complicated as the Nymi is looking at the shape of your ECG wave rather than your heart rate, and these are two separate things. By employing signal-processing and machine-learning algorithms to find unique features within the wave that remain static over time an accurate biometric template for the user can be created. Apparently. Like I say, I remain skeptical as to how an artificial heart valve or, as in the case of my mum, serious heart disease would impact upon accuracy regardless.

I also remain skeptical that this will somehow be the end of the password, as Halifax would have us believe. The Nymi is just another type of 2FV (Two Factor Verification) device, and an interesting one at that. In fact, the Nymi would provide three factor verification as it would require possession of the wristband itself, possession of your cardiac rhythm and possession of the partner app on the originally paired smartphone. But would I feel safer using this than my Yubico device or an authentication code texted to my smartphone? No, not really, as any second factor hugely decreases the risk of unauthorised access by increasing the layers of verification required. How clever that second device may be, in terms of the technology deployed, is relatively less important than having a second device in the first place.
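The post draws a distinction between heart rate and the shape of the ECG wave, and raises the question of what happens to verification when that shape changes. The following is an added illustration of that distinction and that failure mode, not code from the post, from Nymi or from Halifax, and it does not claim to reproduce how the Nymi works. It is a deliberately simple stand-in: each beat is a constructed sum of Gaussian bumps (a synthetic P, Q, R, S and T), beats are assumed to arrive already segmented one per array, rate is removed by resampling every beat to a fixed length, and the "template" is just an average of normalised beats compared by Pearson correlation against a hypothetical acceptance threshold of 0.95. The wave shapes, the threshold and the T-wave inversion used for the "changed heart" case are all constructed values.

```python
import math
import random

TEMPLATE_LEN = 200   # every beat is resampled to this many points before comparison
THRESHOLD = 0.95     # hypothetical acceptance threshold on the correlation score


def synth_beat(n, waves, noise=0.02, seed=0):
    """Constructed synthetic ECG beat: a sum of Gaussian bumps (P, Q, R, S, T)
    on a unit time axis, sampled at n points, plus Gaussian sensor noise.
    'waves' is a list of (centre, amplitude, width) tuples."""
    rng = random.Random(seed)
    beat = []
    for i in range(n):
        t = i / (n - 1)
        v = sum(a * math.exp(-((t - c) / w) ** 2) for c, a, w in waves)
        beat.append(v + rng.gauss(0.0, noise))
    return beat


def resample(beat, length):
    """Linear interpolation onto a fixed number of points, so a faster or slower
    heart rate (fewer or more samples per beat) does not change the shape compared."""
    n = len(beat)
    out = []
    for j in range(length):
        pos = j * (n - 1) / (length - 1)
        lo = int(pos)
        hi = min(lo + 1, n - 1)
        frac = pos - lo
        out.append(beat[lo] * (1 - frac) + beat[hi] * frac)
    return out


def normalise(x):
    """Zero mean, unit variance: removes offset and gain differences between sessions."""
    mean = sum(x) / len(x)
    var = sum((v - mean) ** 2 for v in x) / len(x)
    sd = math.sqrt(var) or 1.0
    return [(v - mean) / sd for v in x]


def correlation(a, b):
    """Pearson correlation of two equal-length sequences (1.0 = identical shape)."""
    a, b = normalise(a), normalise(b)
    return sum(x * y for x, y in zip(a, b)) / len(a)


def enroll(beats):
    """Build a template by averaging several normalised, resampled beats."""
    rs = [normalise(resample(b, TEMPLATE_LEN)) for b in beats]
    return [sum(col) / len(rs) for col in zip(*rs)]


def verify(template, beat, threshold=THRESHOLD):
    """Return (score rounded to 3 places, accepted?) for one presented beat."""
    score = correlation(template, resample(beat, TEMPLATE_LEN))
    return round(score, 3), score >= threshold


# Constructed wave shapes: (centre on unit time axis, amplitude, width)
ALICE = [(0.20, 0.15, 0.03), (0.37, -0.10, 0.01), (0.40, 1.00, 0.02),
         (0.43, -0.20, 0.01), (0.70, 0.30, 0.06)]
# Same person after a hypothetical change in morphology (inverted, wider T wave)
ALICE_CHANGED = ALICE[:4] + [(0.70, -0.30, 0.08)]
# A different person: different peak positions and proportions
BOB = [(0.15, 0.10, 0.03), (0.42, -0.05, 0.01), (0.45, 0.80, 0.02),
       (0.48, -0.30, 0.01), (0.76, 0.35, 0.05)]


def demo():
    """Enrol Alice from five resting beats, then present four test beats."""
    template = enroll([synth_beat(200, ALICE, seed=s) for s in range(5)])
    return {
        # same shape, same rate, fresh noise
        "same_person_resting": verify(template, synth_beat(200, ALICE, seed=10)),
        # same shape but fewer samples per beat, i.e. a faster heart rate
        "same_person_faster_rate": verify(template, synth_beat(150, ALICE, seed=11)),
        # same person, changed wave shape: the false-rejection case
        "same_person_after_change": verify(template, synth_beat(200, ALICE_CHANGED, seed=12)),
        # another person's shape: should be rejected
        "different_person": verify(template, synth_beat(200, BOB, seed=13)),
    }


if __name__ == "__main__":
    for name, (score, ok) in demo().items():
        print(f"{name:26s} score={score:.3f} {'ACCEPT' if ok else 'REJECT'}")
```

Running `demo()` shows the two sides of the post's argument: the faster-rate beat is accepted because resampling discards rate and compares only shape, while the different person scores near zero. The third case is the practical worry raised above: the same enrolled person with a changed waveform is rejected just as firmly as a stranger, so a deployment that relies on a fixed enrolment template needs a re-enrolment path and a fallback factor, not only a low false-acceptance rate.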

XP78USER 30 Posting Whiz in Training

This is Interesting

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Thanks. I think it is indicative of banks looking to get a competitive advantage by way of customer perception rather than actual security improvements. A cardiac rhythm measurement is no more secure in real world terms than any other token as a form of 2FA/2FV, and may be much less practical in reality. As I say, it's all about perceptive security to gain competitive advantage while data breaches are making headlines. IMHO of course :)

rubberman 1,355 Nearly a Posting Virtuoso Featured Poster

In the immortal words of Bruce Schneier, it sounds like security theater to me!
