Banks ditch security questions, favoring fingerprints for mobile

Apple introduced fingerprint ID technology with its iPhone 5S in 2013.
Apple introduced fingerprint ID technology with its iPhone 5S in 2013.

A fingerprint used to mark criminals. Now it’s the key to unlocking bank accounts. Financial institutions seeking a quick but secure way to identify customers are increasingly shelving clunky security questions and passwords in favor of the simple thumbprint for banking on your phone.

Providence-based Citizens Financial Group Inc. incorporated fingerprint identification in its mobile banking app for some ­iPhone users last month. Fidelity Investments, headquartered in Boston, started earlier this year letting customers use their fingers to log in and pay bills and make trades.

Bank of America Corp., the second-largest bank in the country by assets, is scheduled to have touch identification for iPhone and Android customers in the next few months. And others, such as Eastern Bank, the largest community bank in Massachusetts, are considering the technology.

Citizens moved to fingerprinting to meet consumer demand, but also because it is “possibly more secure than a password,” said Brad Conner, vice chairman of consumer banking for the bank.

“The customer expectation is for banks to keep up,” he said. “What customers see as capabilities in other areas they expect their financial institutions to provide.”

Before Citizens introduced the technology, the bank received questions on Twitter and other social media from customers demanding to know when they could expect touch identification.

“Finally,” one Twitter user told the bank after it announced that fingerprint access was available. “Now I don’t have to type in my stupid password anymore.”

For touch identification, banks are piggybacking on existing hardware and software available on newer mobile devices. The fingerprints remain on the device and aren’t given to the bank.

Since Apple introduced a fingerprint reader on its ­iPhone 5S two years ago, the thumbprint has become an increasingly popular form of identification, even beyond the phone. Your print will even let you skip the long lines to enter Yankee Stadium to watch a baseball game. The ballpark announced last week that it was joining San Francisco’s AT&T Park and Denver’s Coors Field in allowing visitors who register their fingerprints to bypass the gate lines.

More importantly for banks, fingerprints and biometric technology, which identifies people based on physical and behavioral traits, promises better security, said Ed O’Brien, a director at Maynard-based Mercator Advisory Group Inc., a bank consulting firm.

A retinal scan or palm print could someday be used to access an ATM machine. And at some banks, such as Eastern, customers who call in with a problem are recognized within seconds of speaking.

“We’re getting to the next level of security,” O’Brien said.

There’s a reason for this migration to biometric-based security. Last year, banks lost $4 billion to fraud when 1.6 million consumers had at least one of their bank or credit card accounts compromised, according to Javelin Strategy & Research, a California-based consulting firm.

Information that can help thieves to hack an account and answer traditional security questions, such as the name of a high school mascot or nickname in high school, can be easily culled from social media and public websites, said Al Pascual, a director for fraud and security at Javelin.

Banks are looking for customer-identification methods that are harder to replicate, such as a fingerprint or a voice, he said. Eventually, passwords may become a relic, much as dial-up Internet did. For online and mobile banking, “the password will be gone by the end of the decade,” Pascual said.

But some security experts warned that fingerprints aren’t foolproof.

A European hacking group last year claimed to have produced a duplicate thumbprint of the German defense minister using a photograph. And once your fingerprint is compromised, unlike a password, it can’t easily be changed, said Suzanne Martin, a spokeswoman for NowSecure Inc., an Illinois-based mobile security firm.

Martin suggests that consumers use both the fingerprint and a password to log into their phones and, if banks offer it, to get into their account.

“It’s a proceed-with-caution,” Martin said about fingerprint technology. “You only have one fingerprint and you can’t change it. People need to be aware to manage the risk.”