AirDefense sniffs out Bank of America Bluetooth-based ID system

Computerworld - Bank of America Corp. has started testing a Bluetooth-based, biometric customer identification system that uses the short-range wireless technology to transmit and release account information to a teller.

Jay Chaudhary, chairman of AirDefense Inc., an Alpharetta, Ga.-based wireless security company, said he accidentally discovered the Bank of America Bluetooth-based ID system while waiting in line at a local bank branch last week. When he booted up his company's Bluewatch detection and sniffing tool, it detected transmissions related to the Touch ID system being tested by Charlotte, N.C.-based Bank of America.

According to a brochure given to customers by the bank, the Touch ID device is "designed to significantly reduce personal identity theft and financial fraud" by allowing customers to use their fingerprints to authorize financial transactions by transmitting identification to a teller.

The brochure said customers using Touch ID place a fingertip against a reader at the teller window. A fingerprint sensor in the Touch ID device compares the electronic fingerprint with a fingerprint impression given by the customer when he enrolled in the pilot program. Once a match occurs, the Touch ID device transmits account information stored in the device to the teller, authorizing a transaction.

Bank of America said the Touch ID system "raises the identification security level to a new high" and "positively secures banking transactions, while at the same time protecting the privacy and legitimacy of our banking customers."

Though Chaudhary wondered about the security of a device he could find with his laptop while in a branch, Harvey Radin, a bank spokesman, said all information transmitted by the Touch ID system is encrypted, and he emphasized that the device doesn't transmit any transaction information. Radin said that about the only information a sniffer could grab would be the serial number of the device.

Although Bank of America is testing the Touch ID system, no decision has been made yet to deploy it nationwide.

Radin declined to identify the vendor that provided Touch ID to Bank of America. But Chaudhary said the brochure identified the vendor as Privaris Inc. in Charlottsville, Va. A photo of an ID device on the Privaris Web site matches a similar Bank of America device photographed by an AirDefense employee.

David Russell, founder of Privaris and now a consultant to the company, said that even if data were somehow captured from the Touch ID system it would be "undecipherable" due to encryption technologies he declined to specify.

Russell said it would take a million years to decipher whatever was sniffed and what was deciphered could not be associated with anyone's fingerprint, doing a hacker no good.