[yeukhon]

Most of the time they ask you for some four digit number, name, address and etc. I think the first two steps would be 1) send SMS message to the number, alert issue and have user read back the code, 2) access code sent to user's email address.

I remember there are banks give you biometric reader and only then you can log into your account. Cpatial One's mobile app allows you to use fingerprint to auth the app, great for convenient but we can probably make the app even more secure by demanding the same fingerprint used throughout. Of course, there have been some attacks on iPhone's fingerprint device, but first, you need to have access to that fingerprint, so most likely targeting at some big fish.

[newman314]

And what if your fingerprint gets stolen? Get a new finger?

Biometrics is horrible for auth. [1]

[1] https://technet.microsoft.com/en-us/library/cc512578.aspx

[yeukhon]

I did say there has been an attack on fingerprint in my comment above, BTW.

Everything can be stolen. I am not sure if you can stop identity thief. Someone would have done so if it can be stopped. The goal is to make stealing harder. Combine fingerprint with other verification (see above too). My original comment was on the fact that once you sign in with fingerprint, you are good to with for a duration (Captial One logs you out automatically after ~2 minute of inactivity on my iPhone, which is wayyyyyy more secured than other bank apps I have used).

[newman314]

Read the linked post. It explains why the distinction needs to be made between identity and authn/authz.

Point being biometrics is a bad idea to start with. CapitalOne doing this means they are failing to make the same distinction much like a 6 char password minimum etc. etc.