Consumers may wholeheartedly trust the biometric security built into their smartphones, but banks could be doing more to protect them.
Even with the latest handsets, identity verification is a big concern — fingerprint scanners can validate a print after enrollment, but they can't verify whether the person attached to the print is who they say they are. It's a problem that plagued Apple Pay in its early days, when fraudsters sidestepped Touch ID security by simply linking their own fingerprints to card accounts they had previously compromised.
Samsung is arguably an even bigger proponent of biometric authentication — the company made iris scanning a prominent feature of its most recent flagship phone — but it too must face the limits of this technology. And in doing so, the tech giant is reaching out to banks for help.
Knox is the name of Samsung's secure enclave inside its handsets that effectively gives its enterprise users the ability to have more than one identity. In Samsung's model, it handles the biometric technology while banks handle the more traditional aspects of identity verification.
"Should banks really care about iris scanning? No, they just want the user who registered the iris and for Samsung to verify them," said Thomas Ko, global general manager of Samsung Pay. "We want to make sure this service benefits banks so they can increase their tolerance against risk."
Samsung Pay gives the tech giant a foot in the door as it pursues business in the banking industry. As more consumers use mobile banking, fraud is expanding and the significance and meaning of customer identity and is changing.
"The fingerprint is still weak to our standard," Ko said, noting that a small percentage of people don’t have a fingerprint and current technologies don't check the vitality of users when capturing an eye print. "That’s why we’ve implemented [Knox] to increase security – to give them confidence."
Unlike the closed ecosystem of Apple's iOS, which provides an environment in which applications, content and media can be closely monitored and controlled and restricts access to unapproved applications and content, Android's system is open and thus more vulnerable, Ko said. For example, Android allows users to install apps from unapproved sources, while Apple uses its App Store as a gatekeeper.
So Samsung set out to build safe storage in its devices impenetrable to other areas of the phone.
"You almost have two identities that can’t talk to each other within one phone," he said. "We built a Knox container within your phone and what you have outside of Knox cannot be shared inside the Knox container."
The most obvious use case for Knox is maintaining distinct corporate and personal identities. It's usually pretty easy to copy something in a user's work email and paste it and share it in other email accounts; that's not possible with Knox, Ko said.
To gain access to a user's corporate identity, the corporate customer must be involved in the approval process, he explained. Samsung doesn't perform the actual ID verification, but banks can serve that role because they have access to trusted identity information.
"We aren’t the ones that can actually verify the user, we don't have the authority," Ko said. "That’s a weakness of ours because we aren’t deep authorities on sources of identification databases. But banks are."
A fingerprint reader may ensure everyday consumers they're the only ones that can access their phones, but Samsung still confirms corporate identities with employers. When users register a new fingerprint they input the usual security information – names, passwords, address, Social Security numbers, phone numbers. Samsung sends these details to the bank, which then matches the information entered against its own databases and gives Samsung the green light to verify the user.
"From that moment on the fingerprint matches the ID we received," Ko said. "Banks grant us permission to verify the user."
That's when Samsung actually puts the key into the devices so next time the user attempts to sign in, Samsung has complete authority to verify the ID information and grant access to the environment.
Earlier this year two Israeli researchers discovered three bugs that effectively allow information to be stolen out of earlier versions of Knox. Uri Kanonov and Avishai Wool reported the problems to Samsung before going public with their findings. It was enough time for Samsung to fix and deploy corrected software, according to Wool.
"What we've demonstrated in our paper is you can have a malicious app installed inside Knox and if that app has a lot of access it can exploit all kinds of things pretty easily," said Wool, a professor in the School of Electrical Engineering at Tel Aviv University.
Wool and Kanonov found the problems in the Galaxy 3 and 4 handsets that run version 1 of Knox. Samsung has corrected those issues in the latest version of Knox, but has not made fixes to its older phones, of which Wool estimates millions are still in circulation and still vulnerable. He also said Samsung made clear in talks that it has no plans to amend the older phones.
"Knox has not been the target of a whole lot of hacks because it's closed source and not easy to get a lot of info out of," Wool said. "The number of true attacks on the Knox system is not high but could change if it becomes more successful," because hacker interests rise with success of the system.
Still, the fail-fast-fail-often mantra is best left to nonbanks like Samsung. Security engineering is one of the first core problems Samsung Pay needs to address as it seeks to build a core ecosystem with banks. For now, it's working with them on biometrics.
"This is much stronger (than traditional bank security methods)," Ko said. That encryption they had could totally transfer to someone else if they had an easy-to-guess password. Biometric fingerprints cannot."