Major Security Weakness in iOS 10 Backups

After officially adding support for iOS 10 in Elcomsoft Phone Breaker, ElcomSoft found that password recovery for iOS 10 backups is now SIGNIFICANTLY faster: 6,000,000 passwords per second on a single Intel i5 CPU.
“All versions of iOS prior to iOS 10 used to use extremely robust protection”, says Vladimir Katalov, ElcomSoft CEO. “Chances of recovering a long, complex password were slim, and even then a high-end GPU would be needed to accelerate the recovery. As a result of our discovery, we can now break iOS 10 backup passwords much faster even without GPU acceleration.” 
The following benchmarks were obtained for iOS 9 and iOS 10 backups using the same hardware:

• iOS 9 (CPU): 2,400 passwords per second (Intel i5)

• iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)

• iOS 10 (CPU): 6,000,000 passwords per second (Intel i5)

Changes in iOS 10 make it much easier to try backup passwords. Against iOS 9 backups the tool managed slightly more than 150,000 passwords per second on a powerful NVIDIA GTX 1080 accelerator. For iOS 10, Elcomsoft Phone Breaker peaks at 6 million passwords per second on a CPU alone, without any GPU help. The 2,500x gap between the two CPU figures (2,400 versus 6,000,000 per second on the same Intel i5) means each iOS 10 guess costs a tiny fraction of an iOS 9 guess; for a fixed keyspace, cracking time shrinks by the same factor.
This means that a truly random 6-character alphanumeric password (single-case letters and digits) protecting an iOS 10 backup takes only a few minutes to break. Add one more character and it still takes only several hours to brute-force, well within an attacker's reach. For reference, the same 7-character password protecting an iOS 9 backup would take almost a week to break, even with the GPU.
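To check the claims above rather than take them on trust, here is an added example (not ElcomSoft's code) that turns the article's three quoted guess rates into worst-case exhaustion times for the 6- and 7-character single-case alphanumeric keyspace. It also times a single SHA-256 against 10,000 rounds of PBKDF2-HMAC-SHA1 per guess; that comparison is an illustration of why the per-guess cost of the password verifier dominates throughput, and is an assumption for demonstration purposes, not a description of the actual iOS 9 or iOS 10 backup formats, which the article does not specify.

```python
"""Added example: what the benchmark figures in the article imply for an attacker.

Only the three guess rates are taken from the article; the alphabet (a-z, 0-9)
and lengths (6 and 7) are the article's own scenario.
"""
import hashlib
import os
import time

# Guess rates quoted in the article, in guesses per second.
RATES = {
    "iOS 9, CPU (Intel i5)": 2_400,
    "iOS 9, GPU (GTX 1080)": 150_000,
    "iOS 10, CPU (Intel i5)": 6_000_000,
}

ALNUM_SINGLE_CASE = 26 + 10   # a-z plus 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password; the expected time is half of this."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def kdf_cost_ratio(samples: int = 50) -> float:
    """How much slower an iterated verifier (PBKDF2-HMAC-SHA1, 10,000 rounds) is
    than a single SHA-256 per guess on this machine.

    Assumption for illustration only: this is NOT the iOS 9 or iOS 10 scheme,
    it just shows why the iteration count of the verifier sets guess throughput.
    """
    salt = os.urandom(16)
    guesses = [f"guess{i}".encode() for i in range(samples)]   # constructed input

    t0 = time.perf_counter()
    for g in guesses:
        hashlib.sha256(salt + g).digest()
    single = time.perf_counter() - t0

    t0 = time.perf_counter()
    for g in guesses:
        hashlib.pbkdf2_hmac("sha1", g, salt, 10_000)
    iterated = time.perf_counter() - t0

    return iterated / max(single, 1e-9)


if __name__ == "__main__":
    for length in (6, 7):
        for label, rate in RATES.items():
            secs = seconds_to_exhaust(ALNUM_SINGLE_CASE, length, rate)
            print(f"{length} chars, {label}: {human(secs)}")
    print(f"PBKDF2(10,000) vs single SHA-256 per guess: ~{kdf_cost_ratio():.0f}x slower")
```

The six-character case comes out at about six minutes and the seven-character case at about 3.6 hours at 6 million guesses per second, versus about six days at the iOS 9 GPU rate, which matches the article's "few minutes", "several hours" and "almost a week". The timing function shows that a verifier with a four-figure iteration count costs thousands of times more per guess than a single hash, which is the kind of gap the two CPU benchmarks exhibit.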



Security Experts Respond to Yahoo Breach

Following hours of speculation, Yahoo has confirmed that it has suffered a massive data breach.

Responding to the breach, several industry experts have shared their comments with our magazine:
Gavin Millard, EMEA Technical Director, Tenable Network Security says, “With the complex, data rich, IT environments organisations run today, there is always a high possibility of yet another breach with customer data making its way onto the dark web. As we continue to add more technologies to our networks and as attackers become more sophisticated, it’s important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout.
If you have a Yahoo! account and have re-used the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two most use now. Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.
One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mother's maiden name, first car, and first pet, which could lead to further exploitation and account misuse.”
Leo Taddeo, Chief Security Officer of Cryptzone says, “The loss of unencrypted security questions and answers creates a risk for enterprises that rely on this technique to enhance security for traditional credentials. The best defense is to deploy access controls that examine multiple user attributes before allowing access. This type of “digital identity” makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.”
Alex Mathews, EMEA Technical Manager, Positive Technologies, says, “Almost every year we see reports of “millions of leaked accounts of Yahoo / Hotmail / Gmail / iTunes / etc”. We would even suspect that some of this news is “designed” especially for certain events. Yahoo’s sale to Verizon sounds like an interesting occasion to make such a brouhaha, but it would appear that this time the allegations were founded.
The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul. If the investigation determines that this extremely sensitive information was stored unencrypted then serious questions need to be answered, as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.
Any Yahoo customers would be prudent to change their passwords – although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.
Despite many warnings, millions of users will still use very simple passwords like 1111, “qwerty”, or their own names. According to Positive Technologies research, the password “123456” is quite popular even among corporate network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use dictionaries of these popular passwords to brute-force user accounts, so perhaps now is the time to employ a little creativity.
Yahoo! does offer additional protection in the form of Account Key and it would be prudent for any users that decide to continue using its service to employ this as a matter of urgency.”
Troy Gill, Manager of Security Research at AppRiver, says, “The fact that Yahoo has now confirmed the breach is no surprise – the scale however is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet. In fact as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and by all likelihood more impactful.
Yahoo users should be particularly concerned that the stolen information includes security questions and answers as this could leave them open to far more than just their Yahoo email account being compromised. It raises the potential for accessing other accounts, including those with sensitive personal and financial information. Identity theft is a very valid concern for all the victims.
I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web. Were those able to be confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?
Keeping customers’ data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organizations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organizations that no company is too big or too small a target.
Yahoo users should change their passwords immediately and monitor activity closely. Also, they need to make sure they are utilizing a new password that is complex, lengthy and most importantly “unique”. Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure that they are not using the same password (as their Yahoo account) on other accounts as well.”
Richard Cassidy, UK cyber security evangelist at Alert Logic, says, “Overall this is a considerable data breach, especially if initial reports citing circa 500 million records leaked are indeed accurate. Furthermore, the data seems to have already been monetized (in part) and firmly distributed via various cybercriminal networks. It is indeed very unfortunate; service providers such as Yahoo will always be a high-value target for bad actor groups on the DarkWeb, especially those looking to prove credibility and stamp their name in the data heist record books (per se). Naturally such a breach will cause concern at board level for those involved in the M&A process and eventual purchase of Yahoo; with IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability. Furthermore, the knock-on effect financially, as worried shareholders seek to exit to safer stocks, will create short to medium term fiscal unrest; however, it’s how Yahoo now communicate the details of the breach, helping users (who have been identified as having had their data breached) put in place expedited account security measures, not just at Yahoo, but across all personal accounts where passwords and/or usernames may be similarly used.
Without a doubt however, anyone who has ever signed up to Yahoo services, shouldn’t wait to hear from Yahoo on whether they may have been directly affected (or not), steps should be taken immediately to reset shared passwords across other online accounts and monitor financial transactions closely for signs of nefarious activity. Unfortunately, stopping every threat is a panacea that many argue is impossible to achieve. Regardless of organization size or security capabilities in-house, there needs to be a paradigm shift in how we view susceptibility to threats and how we architect our current security framework around threat detection and early warning of nefarious activity. Relying on legacy layered security solutions, with no correlation on activity from application to network layer, can leave organizations at greater risk of a data breach. It’s herein that we need to shift our thinking and architecture; organizations need to assess their risk status to data breaches, understand the market they operate in, their competitors and of course the threat vectors most likely to be seen, architecting security capabilities that reduce that risk profile and enable better trust relationships between 3rd parties and customers, all with the aim of keeping key data security assets as protected as current technology capabilities permit. Furthermore, reliance on automated security scanning functions can lead to key indicators of compromise going undetected; the human expert analysis approach ensures a level of assurance around protection from even the most advanced malware threats or zero day activity that may be targeted against the organization.
If initial reports that Yahoo experienced this particular breach back in 2014 are accurate, and it’s only now coming to light, then this raises serious concerns for consumers of Yahoo products or services, and questions need to be answered on why external communication has been withheld for so long. Overall what has to be learned from this event is that data breaches can (and do) occur across organizations of all types and sizes. Well-defined incident response plans that communicate the details of the breach in an effective, directed and reassuring manner, both internally and externally, are the key to maintaining consumer and market confidence, not least providing users who have been affected with the best possible chance of containing further breaches to other online accounts where passwords or usernames may have been similarly used.”



South Carolina’s Fastest Growing Companies Recognizes Integrated Biometrics

SPARTANBURG, S.C. — Integrated Biometrics, LLC, developer of the world’s most compact, lightweight, and energy-efficient FBI-certified fingerprint scanners, has been named one of South Carolina’s Fastest Growing Companies.
This recognition comes on the heels of Inc. magazine ranking Integrated Biometrics No. 965 on the annual Inc. 5000 list of the nation’s fastest-growing private companies.
“Our industry is driven by the need for personal identity enrolment and verification throughout the world, with fingerprint biometrics being the technology of choice,” stated Steve Thies, Integrated Biometrics CEO, adding, “We have developed an innovative, patented and market disrupting FBI-certified light emitting sensor (LES) film technology which generates very high quality fingerprint images in a compact, energy efficient design.”
The company’s scanners are designed for durability with no breakable glass components and are able to withstand tough operating environments with minimal maintenance, while providing accurate high-resolution fingerprint images even at extreme hot or cold temperatures. The patented LES technology at the core of each of the company’s products is durable and works in both direct and indirect sunlight, whereas other scanners based on older optical prism technology require a secondary light source to illuminate the fingerprint. When a finger is placed in contact with LES film, the underside of the film produces a fingerprint image in light, capturing the image in less time and without the need for special environmental considerations.
This unique aspect enables Integrated Biometrics products to be used in global applications for national ID, voter identification, finance, healthcare, background checks, visas, law enforcement, border control, and criminal and terrorist database purposes.
South Carolina’s Fastest Growing Companies competition is the annual ranking of the Palmetto State’s 25 most dynamic and successful companies. This event is presented by The Capital Corporation and Co-sponsored by Integrated Media Publishing (publisher of Greenville Business Magazine, Columbia Business Monthly and Charleston Business Magazine), BDO USA, LLP and Nelson Mullins. The event recognizes an exceptional and diverse assembly of businesses from across the state among its Top 25 winners. 
Integrated Biometrics is a proud member of the Biometrics Institute, AFCEA, and EU-LISA and is active in biometrics, defense, and government industry events around the world. The company’s leadership team serves on numerous technology boards and regularly contributes to industry media outlets, sharing best practices on identity management and biometric fingerprinting technology.



Panda Security ensures privacy protection in public administrations

PandaLabs, Panda Security’s anti-malware laboratory, has released a whitepaper on “Privacy in Public Administration”, detailing numerous cyber-attacks impacting government organizations and the legislation being put in place to help address the problem.
Theft and misuse of data
The use of information and communication technologies in general, and specifically online government services, are key factors in the way the public sector is changing. Technological advances have made it possible to store personal data in digital format, a great benefit to users, but also a highly-prized target for cyber-criminals.
The healthcare sector alone saw 184 breaches between January and March 2016, and as the NHS handles some of the most personal and sensitive data, breaches can cause those affected a great deal of trouble and distress.
Politically-motivated attacks
New crimes including cyber-terrorism, cyber-espionage and hacktivism are on the rise. The secret phase of the cyber-war against Iran began during the last decade with espionage carried out by the US and Israeli intelligence services.
With just three months to go before the US elections, the FBI has confirmed the hacking of at least two electoral databases by foreign hackers who have extracted voter information from at least one of them. This is just one of the latest recorded cases of hacktivism.
The solution for adapting to the change
The emergence of new players from different backgrounds and with varying motivations combined with their ability to act in any security dimension, hinders the identification of aggressors and decreases the ability of countries to adequately respond. Current legislation is not adapted to the new cyber-crime dynamic or to new technological or data management demands.
To prevent new attacks on public agencies, a common regulatory and legislative framework is needed, with responsibilities shared between states. One such example is the new data protection regulatory framework passed in the EU in 2016. Of course, how far the UK remains within European legislation depends on exactly what the government decides Brexit means.
For public bodies, success in ensuring cyber-security lies with meeting certain requirements:

· Having real-time information about incidents and security holes related to data security.
· Compliance with Article 35 of the “General Data Protection Regulation” on data protection impact assessment.
· Reporting all possible transfers of data files to foreign countries.
· Safeguarding delegation to other processors, i.e. deleting of data, meeting reporting and notification requirements, and the maintenance of file transfer activities.
To this effect, implementing advanced technologies such as Adaptive Defense, as a complement to traditional antivirus solutions, supports compliance with these requirements: Panda positions Adaptive Defense as protection against both commodity threats and advanced targeted attacks.



Financial fraud incidents up 53% in the first half of 2016

A new report from Financial Fraud Action UK has found that financial fraud in the UK payments industry rose 53% year on year in the first half of 2016; losses for the whole of 2015 totalled £755 million. The report also showed that a financial scam was committed once every 15 seconds in the first half of the year.
“We’re saddened, but not shocked, to see these findings. In this study, the fact that fraud losses climbed 53% in six months in the UK is a sad state of affairs for consumers who can often bear the brunt of the costs (especially with regard to account takeover and new account fraud). It’s absolutely no wonder that consumers are pushing back on companies to improve security, holding them accountable for it, yet still wanting to have a good experience going through the gates.
Financial fraud offers a lucrative source of income for cybercriminals, totaling £755 million in 2015 in the U.K. alone. Cybercriminals have grown in their sophistication, exploiting the human interest factor by posing as banks or suppliers and then duping consumers into revealing their personal details. These scams have also proved effective in targeting commercial organisations, as senior executives are tricked into revealing sensitive information which enables access to a company network.
The increasing volume of attacks globally can also be attributed to more fraudsters willing to commit the crime, more data available on the black market, and more financial institutions and merchants that are vulnerable to attacks. Plus, as more countries fully adopt EMV, we’ll see fraud continue its migratory path to all available online channels.
We have to remember; fraudsters know us better than we do in that they’ve pegged our vulnerabilities. It’s time we returned the favour. They are vulnerable because they must do very similar behaviours to be successful, and guess what? We can find them by their tell-tale signals.
In order to detect out of character and potentially fraudulent transactions before they can create a financial nightmare for consumers, we must adopt new authentication methods that they can’t deceive. Solutions based on consumer behaviour and interactional signals are leading the way to providing more safety for consumers, and less fraud in the marketplace.
To combat these types of attacks, consumers should always report emails to their banking provider. No legitimate organisation will ask for security or banking details so consumers need to be suspicious of any email that requests this information.
Meanwhile there are steps that consumers can take to help secure themselves: 

  • Shop with well-known companies online, or use safer payment systems such as PayPal, ApplePay or Android Pay, to avoid providing your payment details directly to an unknown merchant.
  • Use strong, unique passwords on each site you register with.
  • Make sure to change your passwords regularly.
  • Don’t use public computers or free, unencrypted Wi-Fi to conduct financial or retail transactions or interactions.
  • Don’t fall victim to email and phone scams, where a consumer receives a call from “their bank” asking for personal or financial account information. If it looks too good to be true, it most likely is. When in doubt, call the bank directly, using the number printed on the back of your card or on a recent statement.

If you suspect you have been a victim of fraud in the UK, report the crime to”

– Robert Capps, VP of business development at NuData Security. 



FinTech’s Worldcore introduces new payment options and enhanced security via its face recognition and voice biometrics authentication systems

Worldcore introduces an option to load any Visa, MasterCard and UnionPay credit or debit card around the world and is finalizing the integration of mobile phone top-up solution in over 100 countries across the globe.
The Worldcore platform provides a multi-currency payment account, an alternative to traditional bank accounts, with payments sent and received via SEPA and SWIFT; the account has no monthly maintenance fee, there is no limit on funds that can be passed through or held in the account, and internal transfers are free of charge.
Worldcore is also developing an invoice management system for corporate clients where companies will be able to create and send invoices to their clients’ mobile phones or e-mail addresses and get paid via various options supported by Worldcore – bank transfers, credit/debit card payments, sofort, iDeal and many others. Recurring invoicing with complete automation will be available as well.
Moreover, Worldcore’s iOS app will be released in October. It will have Voice Biometrics Authentication option and will become the world’s first mobile app in the FinTech industry that can be controlled via Siri for making all types of payments supported by Worldcore.
Worldcore pays much attention to security and their Face Recognition System for secure account access and payment confirmation will be available before the end of 2016.
Most notably, Worldcore is the very first – and currently only – EU-based and regulated payment system with integrated voice biometrics authentication via its ‘VoiceKey’. There is huge demand for integration, as key to flexibility, in today’s market, and Worldcore bringing biometrics into the mix for payment systems means that the company can boast unrivalled security measures; all outgoing payments require a two-level authorisation process, supplemented by the VoiceKey biometric authentication.
“Worldcore itself and scope of its activities grow rapidly and currently our team is in the process of setting up a group of companies to cover more FinTech areas authorized by European regulations and to enter equity crowdfunding and P2P lending markets in 2017”, said Alex Nasonov, CEO of Worldcore.
Within the world of FinTech, Worldcore certainly proves an interesting case study, as it continues to innovate and shape the market in intuitive and beneficial ways.



Only 29% of merchants can accept chip cards, CNP fraud surging anyway

Nearly a year after the EMV liability shift in the U.S.—a move specifically engineered to incent retailers to install EMV-compliant POS systems in their stores—only 44% of merchants are equipped with the new terminals, according to a new report from The Strawhecker Group. Furthermore, not all of those merchants that have installed EMV-enabled systems are using them. Only 29% of U.S. merchants can actually accept chip cards, the report said, with terminal certification delays the main culprit.
Despite fewer U.S. merchants accepting chip transactions a year into the transition to EMV than predicted, however, the effects experts predicted have largely come true. Studies over the past few months have consistently shown that counterfeit fraud at the physical point of sale is dropping, while card-not-present fraud is surging.
Lisa Baergen, director at NuData Security:
“In October 2015, the U.S. began complying with the mandated shift to EMV credit and debit chip cards. The U.S. market had the advantage of being able to learn from its European counterparts who had made the shift years earlier. The implementation has been a long and difficult process, particularly for merchants, where the cost to implement is relatively high, and the perceived value was just not there. While the deadline for the U.S switch was October 2015, not all merchants have upgraded – only about 40% of merchants have completed EMV implementation. Furthermore, these new EMV cards are still compatible with old systems, which put them at the same risk for fraud as they were before the switch.
Compounding the problem, some issuers are deciding to phase in PIN compliance, as it was not part of the October 2015 deadline. Without the PIN, these EMV cards require the far less secure signature to authorise the transaction, stripping the card of its two-factor authentication protection.
A period of overlap will continue, with the increases in account takeover, fraudulent account creation and traditional credit card theft this report highlights. This scenario provides even more reason for organisations to switch from traditional fraud detection methods to behavioural analytics and passive biometrics to detect and protect good users and reveal and block bad actors.
If you truly know the human behind the device, you can finally focus your efforts: protect legitimate accounts, provide streamlined experiences for customers you trust, and block actual fraudsters completely without customer friction.”
Smrithi Konanur, global product manager at HPE Data Security  – Payments, Web and Mobile:
“The fact that card-not-present fraud in the U.S. is surging is no surprise. Other regions that adopted EMV earlier, such as Europe and Canada, have experienced the same shift to fraudulent card-not-present transactions. EMV makes it much harder and more expensive to replicate a physical credit card, but if fraudsters can steal cardholder data, it is much easier to do online transactions, where EMV does not come into play. In order to mitigate card-not-present fraud, businesses should implement security strategies that include additional authentication like 3-D Secure, end-to-end encryption, and tokenization. These technologies provide the layered protection that plugs various gaps in the payments transaction data flow. Data-centric technologies like format-preserving encryption provide security solutions for businesses which are effective, optimal, scalable, and flexible to keep cardholder data safe from hackers in case of a breach or attempted theft of data.
However, for card-present transactions, EMV provides no protection for the transmission of sensitive payment information to the acquiring bank. After the EMV card validation process, the cardholder data must be delivered safely to the payment processor. By default, EMV does not provide ANY protections of data in transit to the processor. Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payments data they need from unsuspecting retailers, despite the use of EMV, and then can use the stolen data for card-not-present transactions. When such data breaches occur, retailers pay a hefty toll in the form of lost revenue, fines and penalties, executive job loss and even board-level lawsuits, as well as loss of consumer confidence and customers.”
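The two points made above, that EMV does nothing for the cardholder data once it leaves the card reader, and that tokenizing that data is one of the layers that closes the gap, can be shown concretely. The following is an added example and not HPE's, NuData's or any payment processor's code: it tokenizes the PAN at the point of capture, keeps the BIN and last four digits so routing and receipts still work, and then runs the same Luhn-based scan that POS memory-scraping malware performs over a constructed authorisation message, with and without tokenization. The vault is an in-memory dict standing in for a tokenization service, the message layout is invented for the demonstration, and the PAN is a well-known test number rather than a real card.

```python
"""Added example (not HPE's, NuData's or any processor's code): tokenize the PAN
as soon as it is read so that POS memory downstream of the capture point holds
a token, not cardholder data. The vault is an in-memory dict standing in for a
tokenization service; the PAN used is a well-known test number, not a real card.
"""
from __future__ import annotations

import re
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn check as used for card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit, starting left of the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token<->PAN mapping. Only the tokenization service has this;
    the POS and everything downstream of it only ever sees tokens."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:        # stable token per PAN, so repeat-customer
            return self._pan_to_token[pan]   # analytics still work without the PAN
        while True:
            # Format-preserving: keep the BIN (first 6) for routing and the last 4 for
            # receipts, randomise the rest, and accept only Luhn-valid results so the
            # token passes the same syntactic checks legacy systems apply to a PAN.
            middle = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if luhn_valid(token) and token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


_CARD_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scrape_like_malware(memory: bytes) -> list[str]:
    """What POS memory-scraping malware does: find digit runs that pass Luhn."""
    return [m for m in _CARD_RUN.findall(memory.decode("latin-1")) if luhn_valid(m)]


def pos_transaction(pan: str, vault: TokenVault, tokenize_at_capture: bool) -> tuple[str, list[str]]:
    """Constructed POS flow: after the EMV card dialogue the terminal builds the
    authorisation message for the processor. Returns (message, what a scraper gets).
    The message layout is invented for this example; real processor formats differ."""
    value = vault.tokenize(pan) if tokenize_at_capture else pan
    message = f"MTI=0100;PAN={value};AMT=001999;ARQC=<cryptogram>".encode()
    return message.decode(), scrape_like_malware(message)


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"           # constructed test number
    for at_capture in (False, True):
        msg, scraped = pos_transaction(test_pan, vault, at_capture)
        print(f"tokenize_at_capture={at_capture}: {msg}\n  scraper got: {scraped}")
```

Without tokenization the scraper walks away with the real PAN, which is exactly what feeds the card-not-present fraud described above; with it, the scraper still finds a Luhn-valid 16-digit number, but it is a token that only the vault can map back and that the issuer will never authorise. Some deployments instead make tokens deliberately fail the Luhn check so they can never be mistaken for a PAN; that is a policy choice, and the vault design is the same either way.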



WordPress Simple Share Buttons plug-in update could affect user privacy on thousands of websites

Paul Bischoff, security and privacy advocate for, is today warning website owners who use the Simple Share Buttons plug-in for WordPress that simply clicking to “accept” the terms and conditions of the latest update could allow their websites to subject users to things like adware and other threats.
The nature of the update essentially coerces users into making a decision that sacrifices the privacy of readers. With over 100,000 active installs according to, the popular plug-in is used by everyone from casual bloggers and small businesses to large publishers. Even if just a fraction of these users blindly hit the accept button in order to make the message disappear, that would lead to thousands of websites exposing visitors to adware and other threats.



NHS to face rise in cyber-attacks, warn experts

NHS experts have warned of a major growth in cyber-attacks over the next few years, ahead of one of the UK’s largest gathering of healthcare professionals taking place later this month. 
Thousands of delegates will attend the UK Health Show on 28th September in London’s Olympia, to engage on issues crucial to the future of the NHS. 
Some 98% of those questioned in a survey ahead of the event expressed concerns about cyber security threats now facing the NHS, with more than 84% adding that they expected their organisation to face an increase in attacks during the next several years.
Health secretary Jeremy Hunt called in September for the NHS to better reflect the “era of the smartphone”, with plans for greater use of smartphones and tablet devices by patients to access healthcare records, NHS services and medical advice. But 70% of professionals due to attend the Cyber Security in Healthcare conference, part of the UK Health Show, cast doubts on the NHS’ ability to securely share confidential patient data on apps and mobile devices. 
NHS professionals due to attend a dedicated healthcare technology conference at the show, also revealed further concerns in an additional survey. The majority agreed that NHS use of digital tools had improved in recent years, and that technological transformation was now essential for NHS efficiency and greater patient involvement in care decisions. But more than 80% of delegates expressed a lack of confidence that the NHS would meet its 2020 paperless deadline. 
The widely held view supports findings from an independent review commissioned by Jeremy Hunt and led by Professor Bob Wachter, which only weeks ago called on the government to abandon its 2020 paperless NHS target, arguing that no change facing the health service is likely to be as “important or challenging as creating a fully digitised NHS”. Professor Wachter will be addressing delegates at the UK Health Show conference via a live-stream.
Across the two surveys more than 500 senior healthcare professionals due to attend September’s event responded.   
Alexander Rushton, UK Health Show event director, said: “Technology will play a big role in shaping the future of the NHS and the way patients access services. UK Health Show delegates responding to the surveys have shown overwhelming confidence in the transformational power of data and technology, but have also revealed areas requiring immediate attention for this to happen. 
“Delegates will now gather next week to discuss these issues and learn and benefit from best practice case studies on how to prepare for cyber-attacks and more generally about how technology is being used to improve patient care and save money.” 
The UK Health Show will feature contributions from NHS England, Department of Health, NHS Digital, NHS Improvement, the Information Commissioner’s Office, NICE, NHS Clinical Commissioners, the Care Quality Commission and Public Health England and will feature presentations from senior leaders across healthcare.  
The UK Health Show is a merger of several large events on the healthcare calendar, including the well-established Healthcare Efficiency Through Technology (HETT) event, which has allowed innovative NHS uses of technology to be shared more widely. HETT has been combined with Commissioning in Healthcare, another key event in the sector, along with three entirely new conference streams on procurement, estates and cyber security, to provide a wide-reaching learning opportunity for NHS professionals in a single day.
Key speakers include globally renowned digital expert Professor Bob Wachter, Andy Williams, chief executive of NHS Digital, Keith McNeil, chief clinical information officer at NHS England; Professor Martin Severs, Caldicott guardian on the National Data Guardian’s Panel; Jim Mackey, chief executive of NHS Improvement; Dr Phil Moore, chair of NHS Clinical Commissioners Mental Health Network; and Julia Manning, chief executive of 2020health. 



Britons place trust in banks to provide biometric services

Visa has conducted extensive research into consumer attitudes to biometric payments. The results show that Britons place trust in their banks to provide biometric services.

“This study establishes that there is a strong desire on the part of consumers to have a secure user experience when interacting and transacting online. The desire may not align with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication aren’t foolproof, and there are challenges that may block widespread adoption in non-face-to-face interactions.
The fact that 85% of respondents see banks as the most trusted institution in the provision of biometric authentication isn’t surprising, given that they are part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering outstanding user experience. 
Physical biometrics can be part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints, voice and retinal scans can be spoofed. And, unlike passwords, physical biometrics can’t be changed. It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM Breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data.
Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en masse. Stolen data is often traded and consolidated into larger, more accurate profiles that can be re-used for a number of nefarious purposes, from espionage to identity theft and financial fraud. Selfies and voice biometrics have contextual issues: it may not always be appropriate to take a selfie or provide a voice sample to authorise an online transaction, particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, public transit, an airport or a culturally sensitive place). Beyond social and cultural issues, there are concerns about how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day-to-day life.
While liveness verification has become a standard in modern physical biometric verification systems, such systems are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data are recorded with every photo you pose for. Recent data breaches have also shown that high-fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials – effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non-face-to-face transactions.
The true strength of behavioural biometrics is in providing trust. While the consumer trusts the fingerprint, or the voice print, retinal scan or any other visible security the bank may choose, that is what they see and how they feel – it’s the guard at the door, if you will. Using passive and invisible behavioural biometrics (BB), the bank can also have full trust in their key objectives, protecting the user account and providing a good customer experience. In this way BB solutions can draw a straight line to a trust-trust relationship between banks and customers.
Another advantage of BB solutions is that they use non-static signals and indicators of human identity – signals that cannot be stolen, reused or replayed for impersonation. They can therefore provide a high degree of confidence in the identity of the user. Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint.
Additionally, with BB, users can even be rewarded for good behaviour with a white glove experience, or extra perks and incentives, giving banks and e-commerce companies the unheard of potential to actually improve their brand experience with their security layer.”

Robert Capps, VP of business development at NuData Security.
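The layered, passive check Capps describes (behavioural events, device and geography weighed together rather than a single static credential) can be sketched in a few dozen lines. The following is an added illustration, not code from the magazine piece or from NuData’s product; the `Profile` and `Session` types, the typing-cadence baseline, the 900 km/h travel limit, the z-score limit and the score weights are all constructed assumptions for the example. It shows why an imposter holding the correct credentials, and even a copied fingerprint, still stands out when the surrounding signals are evaluated.

```python
"""Layered, passive risk evaluation for an authenticated session.

Added illustration of the approach described in the quote above. Not
NuData's code: the profile, sessions, thresholds and weights are constructed
assumptions for the example.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from statistics import mean

EARTH_RADIUS_KM = 6371.0
# Assumed thresholds: a mean typing interval more than 3 profile standard
# deviations from the baseline is an unusual cadence; implied travel above
# 900 km/h between two logins is faster than a commercial flight.
CADENCE_Z_LIMIT = 3.0
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class Profile:
    """Baseline learned for one legitimate user (constructed values)."""
    cadence_mean_ms: float                 # mean inter-keystroke interval
    cadence_std_ms: float                  # its standard deviation
    known_devices: set = field(default_factory=set)
    last_seen: tuple = (0.0, 0.0, 0.0)     # (lat, lon, unix_time)


@dataclass
class Session:
    """Signals observed passively during one login or transaction."""
    device_id: str
    lat: float
    lon: float
    time: float
    key_intervals_ms: list


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def travel_speed_kmh(last_seen, session):
    """Speed implied by moving from the last login location to this one."""
    lat, lon, t = last_seen
    dist = haversine_km(lat, lon, session.lat, session.lon)
    hours = (session.time - t) / 3600.0
    if hours <= 0:
        # Same instant or clock skew: any displacement is impossible travel.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def cadence_z(profile, intervals):
    """Signed distance of the session's mean typing interval from the
    user's norm, in profile standard deviations."""
    if not intervals or profile.cadence_std_ms <= 0:
        return 0.0
    return (mean(intervals) - profile.cadence_mean_ms) / profile.cadence_std_ms


def score_session(profile, session):
    """Combine independent layers into one risk score plus the reasons.

    Weights are constructed for the example; a deployment would tune them
    from labelled legitimate and fraudulent traffic.
    """
    score, reasons = 0, []
    if session.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if travel_speed_kmh(profile.last_seen, session) > MAX_PLAUSIBLE_KMH:
        score += 30
        reasons.append("implausible travel since last login")
    if abs(cadence_z(profile, session.key_intervals_ms)) > CADENCE_Z_LIMIT:
        score += 30
        reasons.append("typing cadence does not match profile")
    return score, reasons


def decide(score):
    """Map the score to an action: pass silently, step up, or block."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step-up"
    return "allow"


# Constructed baseline: a user who types at ~180 ms per key from device
# "dev-a1", last seen in London shortly before the sessions below.
PROFILE = Profile(180.0, 25.0, {"dev-a1"}, (51.5074, -0.1278, 1_700_000_000.0))

# Constructed sessions: the genuine user an hour later from the same place,
# and an imposter with the correct credentials logging in from New York
# thirty minutes after the last London login, from an unknown device.
LEGIT = Session("dev-a1", 51.5074, -0.1278, 1_700_003_600.0,
                [170, 185, 190, 175, 180, 188])
IMPOSTER = Session("dev-zz", 40.7128, -74.0060, 1_700_001_800.0,
                   [95, 100, 90, 105, 98, 102])

if __name__ == "__main__":
    for name, s in (("legitimate", LEGIT), ("imposter", IMPOSTER)):
        score, reasons = score_session(PROFILE, s)
        print(f"{name}: score={score} decision={decide(score)} reasons={reasons}")
```

The point of the layering is that no single signal carries the decision: a new phone alone only triggers a step-up, while an unknown device combined with impossible travel and a foreign typing rhythm is blocked even though the password (or fingerprint) presented was correct. None of the three signals is a static secret that a breach could hand to an attacker wholesale.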