Just because nobody is able to point to a current FaceID compromise doesn’t mean that there will never be one. There have been plenty of things previously thought secure that turned out not to be.
And if anybody here does know how to compromise FaceID I doubt they’d share it on this thread. They’d either be responsibly sharing it confidentially with Apple, or keeping it secret so they can use it for their own nefarious means.
This actually wouldn’t compromise Face ID for authentication in apps.
When you enable it in an app it will only work for the face already registered. If you add more faces to Face ID later, they simply won’t authenticate the apps it was previously set up for.
Yes, it might prevent someone new registering their image, but you can’t guarantee that someone previously registered on the phone wouldn’t make a fraudulent transaction.
Sure, but that’s a super niche hypothetical. If you trust someone enough to have their face registered on your phone, that person is going to have ready access to a photo of your face too. And they’ll probably know your bank pin as well.
And yes, a photo can indeed fool the RBS system, just like it fools Atom. I’ve tested it.
Not that niche. Elderly/vulnerable abuse is a thing. There are scum out there who will target vulnerable people, worm their way into their life, pretend to be helpful etc. The classic example is that they eventually scam or convince older people into changing their wills to leave significant amounts to them, but draining their finances while alive also happens. The perp would in this case helpfully give the victim an iPhone with their face already added so they can do xyz…
Again, if a bank relies on Face ID alone the bank has no record at all of the perpetrators. With the NWG system, they have an image of their face.
Again, with this sort of scam, they will readily have access to a photograph. Or they’ll deploy the same social engineering they used to set up their face under Face ID to get past NatWest’s biometrics too. It’s incredibly easy to social engineer vulnerable people. Scarily so. That’s why it’s the sort of fraud you hear about almost daily as opposed to the more elaborate plot you propose. It happens, sure, but it’s incredibly rare.
Assuming NatWest group are actually capturing and storing the photo, and not just comparing hash values, all they’ll see is that their system got fooled. And if they are indeed capturing and storing a photo/video plainly, that’s a huge privacy red flag for me and would deter me from enabling the feature.
That’s not to say the second factor (which is ignorant of whether the phones have biometrics or not) is bad. It’s a good thing. It replaces two things you know (passcode and card pin) with something you know (passcode [which can be tied to on device biometrics]) and something you have (your face, or a photo/video of it).
There’s a paradigm shift happening in how we view where the security starts, so I understand why people don’t like this. I don’t think the paradigm shift is without its flaws and it’s a debate that’s been had at length so I won’t rehash it here. The general gist is that in order that bank apps are already 3 factor just to log in to, the additional auth here adds the illusion of a 4th. That’s how Monzo justify and get away with not having any authentication for launching the app at all by default.
Multi factors is good, but to defend the approach to those who dislike what they’ve gone for as a means to prevent compromised biometrics is a bit asinine if you ask me. The only sort of attack on the integrity of on device biometrics this would work against isn’t the sort of attack vector it would need to defend against.
Clearly means the Child & Co branding is done doesn’t it. Ignore the fact they’ve redesigned the chequebooks and debit cards in the last few months, and the fact the bank themselves have confirmed multiple times that they have no intention of doing that…
I read into it that they want to keep a closer brand identity to the country they’re in - guessing they’re going to close RBS/Nw in NI and keep only Ulster open?
Given the deep historical association of The Royal Bank and Scotland and Ulster Bank with Northern Ireland I can’t see them ditching that one. They issue banknotes in Scotland and Northern Ireland too. Clydesdale Bank sold its soul to the devil IMO, adopting the Virgin Money brand. The NatWest group has done well to lose the toxicity of the RBS brand, calling itself The Royal Bank of Scotland north of the border.
Seems like something they should stop doing anyways - Bank of England notes are perfectly accepted all across our United Kingdom. They’re cutting branches to cut costs while printing notes that are already printed to begin with (and held with them in some form): makes sense?
Ending the useless “Irish”/“Scottish” notes could be a not insignificant part to our Net Zero aspirations.