Biting off More Than You Can Chew: Why Biometrics Aren’t the Future

Posted on April 28th, 2015 by Dan Rampe


Recently a senior PayPal evangelist gave a rather controversial interview to the Wall Street Journal. In it, he appeared to suggest a radical alternative to password-based authentication systems: biometrics generated by devices ingested or embedded under the user’s skin. Now, it’s true that passwords should no longer be used by any online provider serious about security. And it’s always interesting to hear new approaches to user authentication.

But organisations need an answer today to the mounting problem of online fraud. It needs to be fast, affordable, frictionless and accurate. And in those respects, biometrics just don’t deliver.

So why isn’t biometric technology the answer?

The problem with biometrics

On paper, the prospect of biometrics like embedded wireless chips monitoring ECG readings, or ingestible capsules that can detect glucose levels, sounds like a decent idea. After all, the readings they then transmit should be unique to that person – surmounting problems of false positives and false negatives. LeBlanc, the PayPal evangelist quoted in the interview, even suggested that batteries for such systems could be powered by stomach acid. At last, a fully internalised, unhackable “natural body identification” system to put “users in charge of their own security”. Right?

Well, not really.

The main issue many people have with biometrics is that they rely on something that should be unhackable – impossible to simulate or crack. But if cyber criminals do find a way of doing so – and they’ve proven themselves to be a pretty resourceful bunch thus far – then what? You might be able to reset your password pretty easily after a phishing attack, but what about your heart rate? Or your glucose levels?

The next major barrier is the users themselves. Security versus usability is a tough balance at the best of times. How much tougher will it be to sell such invasive authentication systems if the user is basically happy with the level of security they get from a regular fingerprint scan or a phone-based one-time passcode system?

Why context-based wins

I’m not dismissing the work of PayPal and others to improve on password-based verification. But too many question marks remain over biometrics – even the systems that are closer to reality than the hypothetical scenarios painted by LeBlanc. Whether your business is in e-commerce, social media, banking, insurance or another sector – you need fast, reliable, friction-free two-factor authentication that works … today.

The key for organisations going forward is to seek out systems that work in the background, completely invisible to the user, checking things like device identity, malware, and use of Tor or other obfuscation methods favoured by cybercriminals. Such systems can check against a set of attributes unique to that user, comprising log-in habits, typical locations, user IDs, email addresses, phone numbers, shipping information and so on, and flag a suspect transaction even when the person is using valid (but stolen) credentials.
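As an added illustration of that background check (example code, not ThreatMetrix’s product), the following Python scores a login event against an account’s known context and flags it even though the credentials validated; the profile, weights, threshold and sample events are constructed assumptions for the example.

```python
# Constructed profile for one account: the attributes the post lists
# (known devices, typical locations, contact details, shipping info).
KNOWN_PROFILE = {
    "devices": {"dev-a1b2"}, "countries": {"GB"},
    "emails": {"alice@example.org"}, "phones": {"+44700000000"},
    "shipping_countries": {"GB"},
}
# Weights and threshold are assumptions for this example; a real
# deployment tunes them from observed fraud outcomes.
WEIGHTS = {
    "unknown_device": 30, "unusual_country": 25, "tor_or_proxy": 35,
    "malware_signal": 40, "new_shipping_country": 20,
    "contact_details_changed": 15,
}
FLAG_THRESHOLD = 50

def score_event(profile: dict, event: dict) -> tuple[int, list[str]]:
    """Score an event whose credentials have already validated.
    Returns (risk_score, reasons); the user is never prompted."""
    reasons = []
    if event["device_id"] not in profile["devices"]:
        reasons.append("unknown_device")
    if event["country"] not in profile["countries"]:
        reasons.append("unusual_country")
    if event.get("tor_exit") or event.get("anonymising_proxy"):
        reasons.append("tor_or_proxy")
    if event.get("malware_detected"):
        reasons.append("malware_signal")
    ship = event.get("shipping_country")
    if ship and ship not in profile["shipping_countries"]:
        reasons.append("new_shipping_country")
    # Contact details count as changed only when the event carries them.
    if any(event.get(k) and event[k] not in profile[p]
           for k, p in (("email", "emails"), ("phone", "phones"))):
        reasons.append("contact_details_changed")
    return sum(WEIGHTS[r] for r in reasons), reasons

def is_suspect(profile: dict, event: dict) -> bool:
    """Flag the transaction even though the password step succeeded."""
    return score_event(profile, event)[0] >= FLAG_THRESHOLD

# Constructed sample events: a routine login, and valid-but-stolen
# credentials used from a new device via a Tor exit, shipping abroad.
ROUTINE_LOGIN = {"device_id": "dev-a1b2", "country": "GB",
                 "email": "alice@example.org", "phone": "+44700000000"}
STOLEN_CREDENTIAL_LOGIN = {"device_id": "dev-zz99", "country": "RO",
                           "tor_exit": True, "shipping_country": "RO"}
```

Running `score_event(KNOWN_PROFILE, STOLEN_CREDENTIAL_LOGIN)` returns a score of 110 with four reasons, while the routine login scores 0.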

Futuristic biometrics will always grab the headlines. But context-based authentication is where the smart money’s already being spent, to cut fraud and keep customers happy.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real-time customer-driven analytics platform. These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes more than one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.




Passwords Are Passé – Unless You’re a Hacker

Posted on May 29th, 2014 by Dan Rampe


Passwords are passé. Finito. Kaput. Toast. That’s one of the takeaways from the eBay breach that placed roughly 145 million accounts at the tender mercies of cybercriminals.

Jon Xavier, the Silicon Valley Business Journal’s technology reporter, says the eBay breach has demonstrated “the era of the password is over.” In his article, Xavier touches on the history of the password when passwords on the Internet made sense, to today when they deflect criminal activity about as well as a “do not disturb” sign. The following has been edited to fit our format. You can find the complete article by clicking on this link.

Passwords were never intended to be the monster they’ve become. They were never THAT secure — human nature and the fallibility of memory meant that most people chose stuff that was easily guessed. Yet in the early days of computing, that was OK. The fact that you had to actually physically get to the mainframe where the data was stored provided another layer of security, and that was good enough in the era before everything was connected.

The Internet changed that, of course, but websites adopted the password because it was what they had, and it was still good enough. Some of the smarter sites started requiring your password be a minimum length and contain letters and numbers, but that was more an effort to save you from yourself than a real increase in security. Despite that, lame passwords like “letmein” and “password123” proliferated.

Again, it was OK. The Internet was just this oddity that people used to host fansites for boy bands and share proto-memes like The Hampster Dance or videos of guys wielding golf ball retrievers like light sabers. Nobody hacked websites because there was nothing much there to hack — until suddenly, there was.

The old joke goes that the No. 1 reason criminals rob banks is because that’s where the money is. E-commerce, and to a lesser extent social media, did that for the Internet. Now that websites were storing credit card numbers as well as a whole trove of useful information about their users, suddenly they had something worth stealing.

The breaches got more sophisticated as more sophisticated hackers turned to compromising websites. The tools got more sophisticated, too. Now we’ve reached a point where even very long passwords aren’t especially safe so long as they’re based around words in the dictionary, because hackers program their hacking utilities to look for patterns that mimic language, drastically reducing the time and effort it takes to crack a password. We’ve reached a point where computing power is cheaply available in the cloud, making brute force hacks that would have been hard to do even three years ago suddenly viable.

And passwords have gotten, what? Not more secure, certainly. Again, the smarter website operators have pushed for longer passwords, passwords with special characters, with caps, that don’t use common dictionary words. Passwords that are hard to remember, in other words.

And even still, this is more the appearance of security than actual security. People still use “password” as their password; they just replace the a and the o with a 4 and a 0, tack an ampersand onto the end and call it a day.

It’s pretty clear: we need to move beyond passwords as a primary security standard on the Web. What we move onto isn’t as clear.

Password services like LastPass and Keepass, which generate very strong passwords and then enter them automatically for you, seemed like an early favorite. But those work best when you’re only accessing the Web from a single device, whereas today we have many — PC, laptop, work computer, tablet, smartphone, etc.

And what does one do once more of the objects in their home come online as a part of the Internet of Things? It’s not a use case those services are adjusted for yet.

Two-factor identification, which uses a password in addition to a verification from another device, such as by entering a code texted to one’s cell phone, is a more recent stab at the problem and probably a more comprehensive one.

But they’re not yet offered by all websites (and I ask, Why not?). Not only that, but they work best on PCs. What happens when you primarily access the Web through the same phone that is supposed to receive the verifying text message, a device that is prone to being lost or stolen?

Most recently, we’ve seen the first forays into using biometric data to unlock data, such as through the new fingerprint scanners on the latest iPhone. That’s potentially a much better successor to the password: You don’t have to remember your biometric login, and biometric data is at least potentially much more difficult to crack.

But it also raises some worrying questions: Who stores that biometric info about a person? How do they secure it? Do we REALLY want them to have that much data about us?

There’s not a clear answer here. But one thing is for sure: We do need to fix this. Passwords were long ago outgrown by the security needs they were supposed to address. We can keep changing them all we want (and given that these breaches keep happening, we probably will), but until a viable alternative is found, no login will ever truly be secure.
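To make concrete the excerpt’s point about “p4ssw0rd&”-style decoration being only the appearance of security, here is an added Python check (mine, not from the article or ThreatMetrix) that undoes common substitutions and trailing padding before testing a password against a wordlist; the wordlist, substitution table and padding set are constructed for the example.

```python
import itertools
from typing import Optional

# Constructed mini wordlist standing in for the dictionaries that cracking
# tools are primed with; a real check loads a large breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon"}

# Substitutions people make in the belief they add strength. Where a
# symbol is ambiguous ("1" may stand for "i" or "l") every reading is tried.
LEET_MAP = {"4": "a", "@": "a", "0": "o", "3": "e", "1": "il", "!": "il",
            "|": "il", "$": "s", "5": "s", "7": "t"}
TRAILING_PADDING = "!@#$%^&*()_+-=0123456789"

def candidate_readings(candidate: str, limit: int = 256):
    """Yield the plain words a password could have been derived from:
    lower-case it, drop the tacked-on digits/symbols at the end, then undo
    every combination of leet substitutions (capped to stay cheap)."""
    core = candidate.lower().rstrip(TRAILING_PADDING)
    choices = [LEET_MAP.get(c, c) for c in core]  # each a string of options
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)

def dictionary_base(candidate: str, words=COMMON_WORDS) -> Optional[str]:
    """Return the plain word a password decorates, or None if no reading
    of it is in the wordlist. Use this to reject such passwords at set time."""
    for reading in candidate_readings(candidate):
        if reading in words:
            return reading
    return None
```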

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
