back to article iBank: RBS, NatWest first UK banks to allow Apple Touch ID logins

RBS and NatWest have become the first UK-based banks to offer their customers the option to log in to mobile banking apps using Apple’s Touch ID fingerprint recognition technology. From today (19 February), RBS and NatWest customers who have an iPhone 5S, iPhone 6 or iPhone 6 plus will be able to access their mobile banking …

  1. Blergh

    40x a month

    "RBS and NatWest have 1.8 million active iPhone users who use the app on average 40 times per month."

    So that's not just up to 40x a month but an average? What the hell are they doing with it?

    Or did I get that wrong and it isn't 1.8m each using it 40 times, but just that of those 1.8m with the app it is used on average a total of 40 times a month.

    1. Doctor_Wibble

      Re: 40x a month

      > So that's not just up to 40x a month but an average? What the hell are they doing with it?

      That's my reading of it too, so I echo the question but with an extra 'F' in the 'WT' section - unless this is a result of stallholders taking card payments from people who are happy to stick their card and PIN into a box plugged into someone's phone, or doing NFC payments?

      Also, "What could possibly go wrong?" has to be added here, whilst confessing that "gummi bears" always echoes in my head in a slightly odd voice for which I entirely blame Steve the Monkey (Vervet apparently, but definitely not a chimp).

    2. JoshOvki

      Re: 40x a month

      Nonono, you are reading it wrong. What they mean is on average the app is used 40 times in total, BETWEEN the 1.8m people.

  2. Zacherynuk

    Fingerprints are usernames... they are not passwords....

    Something the user KNOWS, something the user HAS and something the user IS.

    The user IS the fingerprint, they should HAVE the bank card (and PIN Reader) or an assigned Phone and they should KNOW the password (and PIN)

    IMHO

    (OT - I see Barclays app still doesn't work on rooted androids by default)

    1. Anonymous Coward
      Anonymous Coward

      "Fingerprints are usernames..."

      Not quite: fingerprints are full canonical credentials containing both the identity of the user and their 'secret'.

      1. Zacherynuk

        Re: "Fingerprints are usernames..."

        "canonical" is just an accepted rule / standard / conforming to.

        It is not a 'secret' - nor is it something the user 'knows'

      2. Christian Berger

        Re: "Fingerprints are usernames..."

        "Not quite: fingerprints are full canonical credentials containing both the identity of the user and their 'secret'."

        How exactly do you keep your finger prints a secret? I mean particulary the iPhone doesn't work well with gloves.

  3. Anonymous Coward
    Anonymous Coward

    Disaster

    waiting to happen...

    Lets see how the banks respond to the first "fingerprint fraud" case.

    "I see, so you have had money stolen from your account? But its fingerprint protected, ONLY you can access your money, so YOU must have taken it out. You do know fingerprints are unique don't you? Go away please ".

    *popcorn time....

    1. Mike Bell

      Re: Disaster

      Is that long-life popcorn you've got in the cupboard?

      There are a million far easier ways of committing fraud than trying to fool Touch ID using elaborate print-cloning techniques.

  4. Anonymous Coward
    Anonymous Coward

    Not smart.

    Phone is stolen.

    Thief makes copies of fingerprints all over phone and presents them to reader.

    Eventually one works - bank account is cleaned out.

    But hey, if typing a password is SUCH an onorous task then all you fanboys knock yourselves out...

    1. gnasher729 Silver badge

      Re: Not smart.

      That's why Apple has the "Find my iPhone" feature.

      Enter "Find my iPhone" into Google, which links you to the iCloud site. Login with your AppleID / password. Click on the "Find my iPhone" app. Find your phone, erase it. Job done. Money safe.

      To the other guy: Your finger print is not enough. A thief also needs your phone. And they have to use it in a place where they are visible, for example the checkout in a shop, and one would hope that if they don't put their finger on the phone but start flapping around with bits of rubber, that might raise some suspicion.

      Anyway, it's in use in the USA for quite a while by million of people, and we haven't heard anything of fraud going on. Some initial problems at one credit card company, which was all sorted out easily, but no fraud. And that nice store employee won't find out your credit card number anymore, which is a real danger, unlike fingerprint cloning.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not smart.

        "Enter "Find my iPhone" into Google, which links you to the iCloud site. Login with your AppleID / password. Click on the "Find my iPhone" app. Find your phone, erase it. Job done. Money safe."

        You've got to know its gone before you can do that. A thief only needs a few minutes.

      2. Richard Jones 1
        Unhappy

        Re: Not smart.

        Its say ten-o-clock in the evening, I have just found that my phone is missing so I should use Find my iphone. So here I am in the car park and I pull out my missing iphone and start up Google, and oops there just might be a tiny wee problem due to the missing phone.

        Never mind I do not really have an iphone and my actual mobile phone is buried deep in an inside pocket and rarely if ever touched, so I CAN use it to report my missing credit card.

        Now I will be the first to say, what suits me does not suit many others and vice versa, but the sales patter does get just a little bit boring.

    2. `TSeng

      Re: Not smart.

      Can you explain to me how you make copies of the fingerprints?

      It's nothing short of requiring a fully equipped laboratory, do you have a fully equipped laboratory?

      1. JimmyPage Silver badge
        Thumb Down

        Re: Not smart.

        Downvoted because

        you appear to have ignored the linked articles in the story which relate to creating serviceable fingerprint prosthetics using gelatine - in the form of gummi bears.

        So the proof of concept is their.

        1. Handy Plough

          Re: Not smart.

          @JimmyPage

          Articles that are utterly, and entirely bollocks.

          1. phil dude
            Boffin

            Re: Not smart.

            Go read/watch Mythbusters....

            They might have a big "garage", but generally the results are quite pleasing!!

            P.

      2. Remy Redert

        Re: Not smart.

        Step 1) Talcum powder or similar over the screen, backside of the phone and any other items that are liable to have fingerprints.

        Step 2) Sticky tape over now visible fingerprints.

        Step 3) Sticky tape on scanner. You now have a digital copy of the fingerprint. Depending on the quality, some touch up may be required.

        Step 4) Depending on technology, you can now print the fingerprint to paper (This still fools many fingerprint readers!) Or use 3d printing to make a mold.

        Step 5) If you used 3d printing, fill the mold with a suitable gel. It will take a few hours to set. Skip this step if your targeted fingerprint reader can be fooled with printouts.

        Step 6) Use fingerprint.

        Total cost in equipment for printout fingerprints? A few bucks for the talcum and sticky tape. You probably already have the computer and scanner.

        Total cost for the equipment for proper fingerprints is a few thousand bucks for the 3d printer, which is reusable and a few dollars per mold.

        Depending on the quality of your mold and gel, you can get fingerprints thin enough to apply to your finger directly, making it difficult for others to notice that you're not using your own prints to log in. This is a moot point for the phone app as you do not need to use it near anybody, you can log in at home and transfer money at will.

        1. Calleb III

          Re: Not smart.

          "This is a moot point for the phone app as you do not need to use it near anybody, you can log in at home and transfer money at will."

          Good luck pulling this one out if the owner locks the phone remotely, which every sensible iPhone owner should do upon discovery their phone is stolen.

      3. Velv
        FAIL

        Re: Not smart.

        @'TSeng

        RTFA, detailed instructions were linked

        Or go search Mythbusters, they did it in their garage

    3. Jimmy2Cows Silver badge

      @boltar Re: Not smart.

      Slow down there big man. It's not that simple.

      Last time I checked, the Natwest app doesn't allow money to be sent to just anyone. It can only send money to accounts that have been previously registered as payees in the full online banking website, and at least one payment to them has to have already been made on the website.

      Otherwise all you can do is see how much is in there, and send money to existing payees already set up. Of course the thief might be an existing payee, and some thieves are stupid enough to send money to themselves, but it's unlikely.

      Worst case is your gummy-bear wielding chancer gets a cardless cashpoint code, which is only good for a few hundred quid. Sure that might clean out some accounts, but we're not talking thousands and thousands.

      To set up a payee requires logging in to full online banking, having the bank card, its pin and the card reader. If your thief has all that you were already screwed long ago.

      1. Tin Pot

        Re: @boltar Not smart.

        Most thefts are carried out by people the victim knows.

        Therefore they may already be set up as payees.

        Therefore they are likely to have access to the victims phone.

        They have plausible deniability, inherently.

        They lose a 'friend', you lose a few hundred pounds.

        1. Calleb III

          Re: @boltar Not smart.

          Knowing someone and having him/her as a payee in your online banking are two entirely different things. If someone so close to you to have received bank payments from you and in a position to steal your phone and fingerprints actually end up stealing from you, you have bigger problems

      2. Anonymous Coward
        Anonymous Coward

        @Jimmy2Cows

        That's all the Natwest app does TODAY. What if a future update adds the ability to transfer money to accounts that weren't previously set up?

        1. Calleb III

          Re: @Jimmy2Cows

          Then you will have a choice to go back to password or remove the app from your device, or switch bank - it's a free world.

    4. Ed 11

      Re: Not smart.

      "Eventually one works" - The thief better hope it is one of the first three.

      1. JHC_97

        Re: Not smart.

        Not certain but i reckon dusting the finger print reader might be a good place to start

  5. Anonymous Coward
    Anonymous Coward

    I have no money anyway, it's all gone on Apple kit.

    1. TRT Silver badge

      More money than cents?

  6. Kevin Fairhurst
    Facepalm

    This isn't Apple Pay - try reading the article next time!

    All Natwest have done is enable you to log in to the Natwest app using your fingerprint. In the same way the Amazon app lets you log in with your fingerprint.

    You can not go in to a shop in the UK and use RFC payments with this. Worst case scenario, your phone would need to be unlocked when the thief gets it, and it has to remain unlocked while they clone your fingerprint. Then they run the app and spoof as you, getting access to your bank accounts!

    Where they can either transfer money to existing payees, or arrange for a small amount of money to be available at a cashpoint if you enter a code...

  7. tony2heads
    FAIL

    cashless society

    When this screws up and thieves empty your account, you become a new member of the cashless society!

  8. Financegozu
    WTF?

    Passwords are stolen routinely

    Just read the news on all the data breaches that happened in the last 12 months. But i've never read about fingerprint scans having been downloaded by the millions ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Passwords are stolen routinely

      If you *really* wanted to, it's a zillion times easier to "steal" a fingerprint than a password.

      Just collect the tray from Costa where I've had lunch. You'd find a nice set of all 10 prints on the coffee cup, plus a really nice thumbprint on the knife.

  9. Calleb III

    I hope people do realize that most mobile banking apps (HSBC and Barclays for sure) allow payments only to payees in a pre-approved list that can only be changed from the full blown internet banking that requires 2 factor authentication.

    All that is changing is that instead of password you now use your finger print to open the mobile app, essentially swapping one type of authentication for another. Giving the fact the a vast amount of people are using insecure passwords like password, 123456 etc. Fingerprint will be actually an improvement.

    And this will be an option not mandatory. No one is forcing you to use it, if you decide to trade a bit of security for convenience it's your personal choice and you bear the consequences via T&C, so i wouldn't hold my breath for the flood of fraud charges...

  10. The_Idiot

    I know...

    ... many other people have said this already. And said it a lot better than I ever could. But what the heck - I'm an Idiot. So I'll try anyway.

    A fingerprint is not a password.

    Note: I did not say a fingerprint cannot be _used_ as a password. I said it isn't one, because it fails most of the most (yes, I know I used most twice :-P) basic 'good practice' rules for a password. So what might they be:

    1: Most security guidelines will tell you to implement a policy whereby passwords are subject to changes over time.

    Fingerprint: FAIL.

    2: Most security guidelines will tell you to use complex passwords.

    Fingerprints overall are complex patterns: POTENTIALLY NON-FAIL.

    Caveat: Many fingerprint readers and software use N-significant-point pattern reduction. N is potentially a low number, probably unknown to the user and outside the user's control. LOGICAL FAIL.

    3: It should be possible to reliably reproduce a password when required. Fingerprint pattern reproduction (paper, fingerprint scanner etc) can and does have variable degrees of 100% reproduction, depending on temperature, finger pressure, scarring and the presence of the greasy remnants of late night finger food. Partly because of this, readers often reduce the complexity of the recognition problem with N-significant-point pattern reduction.

    Fingerprint: See Point 2 - possible LOGICAL FAIL.

    4: Most security guidelines will tell you not to write your password down on a real or metaphorical yellow sticky, and leave it where A N Other can find it. We write our fingerprints all over the bloody shop, whether we like it or not.

    Fingerprint: FAIL.

    For the sake of not appearing _too_ tin-foil hat-y, I'm going to ignore the ways widespread use of such a recognition process, coupled with Security Service, Police, Local Council and the nosy neighbour down the road access to such a system could be used to build a backdoor national fingerprint register.

    To leave where I came in - if a fingerprint tells you anything, it may give you a confidence level that the mechanism presenting the fingerprint artifact is a specific individual. But while the level of confidence to assign, and the associated risk acceptance, is a matter for service providers - a fingerprint still isn't, or at least by any guidelines I ever came across, suitable as a BLOODY PASSWORD!

    Yes. I'll shut up now. After all, I'm an Idiot.

  11. Jin

    With caveats, not to be trapped in a quagmire

    It is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)

    We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.

    Biometric products like Apple's Touch ID are operated by OR/Disjunction so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password, although it is more convenient.

    Those banks would need to let their clients know clearly that this new access method using Touch ID is recommended to those people who want the convenience rather than the security, not recommended to those people who want the security more than the convenience.

  12. Anonymous Coward
    Anonymous Coward

    Hacked already

    But very insecure:- http://whaley.org.uk/andrew/blog/2015/03/08/rbs-natwest-touch-id-security/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like