0

Halifax is the town in West Yorkshire where I live, and it also happens to be the name of a well known UK Bank which started life there. Best known on the this side of the pond for TV adverts featuring a friendly chap called Howard Brown, a former customer services representative and sales ambassador for HBOS which owns the Halifax. If recent reports are correct, then before long the Halifax could also gain notoriety for replacing passwords and PIN codes with bio-metrics. Not just any old biometrics mind, none of this old-fashioned fingerprint scanning malarkey for Howard and co; the Halifax wants to verify customer identify using their heartbeat.

With wearables becoming the media luvvie dish of the day, and not just in the tech media space either now that Apple is entering the market for fashion conscious hype junkies, the Halifax would appear to be following suit and assuming that customers will be happy to wear an electronic tag. OK, not the kind that some offenders are required to sport but rather a Nymi wristband. I think that not only is that assumption wrong (my elderly mother would certainly not wear one and nor, for that matter, would my punk rocker teenage son) but the Halifax are equally erroneous when it comes to the identity verification side of things as well.

OK, so what are we actually talking about here? Well, according to Wired magazine Halifax is testing out the use of a Nymi wristband for online account identity verification when coupled with a companion access app. The idea being that only if the account holder is using the device it has been originally paired with using Bluetooth, and is actually wearing the band, would it verify when they touch the built-in sensor with their opposite hand. It should be said that Halifax isn't the first bank to test the technology, Wired reports that the Royal Bank of Canada has already run a test on some 250 staff and customers during a trial period. One assumes that RBC were happy with that, and Halifax appears to be happy that the device is better than either fingerprint or iris scanning as it repeats the claim that heartbeat pattern recognition cannot be replicated fraudulently.

This is where I start getting slightly concerned about the notion. Not that I think it would be easy to fool the Nymi, although I'm always open to the possibility that it can be done somehow, but more because I'm worried about the accuracy of the verification. You run an application to check your heartbeat pattern on your computer using the Nymi, and that pattern is then stored on the wristband itself. This data is then stored cryptographically within the hardware, with applications requiring explicit user permission to access it. Once paired with the relevant banking app via Bluetooth you can only access your account if your heartbeat pattern is recognised. The chances of two people having the exact same pattern, and using a Nymi paired to your mobile phone, are so remote as to be of little consequence. What's more concerning though are the chances of your cardiac rhythm not being the same as the recorded pattern when you come to access your bank account. My mother has heart failure, and across many years of heart attacks, stents, valve bypasses and medication I understand that her electrocardiogram has changed. I'm yet to be convinced that the Nymi would be able to recognise her ECG wave given some of the more dramatic changes that can take place. I appreciate it can record snapshots across the day to allow for regular variations, but heart disease and mechanical dysfunction are surely another story altogether. This is where things get a little complicated as the Nymi is looking at the shape of your ECG wave rather than your heart rate, and these are two separate things. By employing signal-processing and machine-learning algorithms to find unique features within the wave that remain static over time an accurate biometric template for the user can be created. Apparently. Like I say, I remain skeptical as to how an artificial heart valve or, as in the case of my mum, serious heart disease would impact upon accuracy regardless.

I also remain skeptical that this will somehow be the end of the password, as Halifax would have us believe. The Nymi is just another type of 2FV (Two Factor Verification) device, and an interesting one at that. In fact, the Nymi would provide three factor verification as it would require possession of the wristband itself, possession of your cardiac rhythm and possession of the partner app on the originally paired smartphone. But would I feel safer using this than my Yubico device or an authentication code texted to my smartphone? No, not really, as any second factor hugely decreases the risk of unauthorised access by increasing the layers of verification required. How clever that second device may be, in terms of the technology deployed, is relatively less important than having a second device in the first place.

Edited by happygeek

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

3
Contributors
3
Replies
20
Views
2 Years
Discussion Span
Last Post by rubberman
0

Thanks. I think it is indicative of banks looking to get a competitive advantage by way of customer perception rather than actual security improvements. A cardiac rhythm measurement is no more secure in real world terms than any other token as a form of 2FA/2FV, and may be much less practicalm in reality. As I say, it's all about perceptive security to gain competitive advantage while data breaches are making headlines. IMHO of course :)

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.