| Recurring |
multiple_organization |
(a) The software failure incident related to the security concerns with the fingerprint technology used by Royal Bank of Scotland (RBS) and NatWest has not been reported to have happened again within the same organization [33672].
(b) The software failure incident related to security vulnerabilities with fingerprint technology has been a concern for multiple organizations, as highlighted by the article mentioning that similar incidents have occurred in the past when hackers were able to bypass the Touch ID feature on iPhones using fake fingerprints [33672]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the implementation of fingerprint technology by Royal Bank of Scotland and NatWest for their mobile banking apps. Security experts, such as Professor Mike Jackson, raised concerns about the security of this technology, likening it to leaving house keys under the front doormat. They highlighted that the fingerprint technology utilized by the banks' apps, specifically Apple's Touch ID feature, may not be secure enough as it only examines the look of fingerprints, making it vulnerable to being fooled by high-quality photographs or clear images of the phone-owner's fingerprint [33672].
(b) The software failure incident related to the operation phase is evident in the potential risk posed to customers using the fingerprint technology for banking access. Experts warned that criminals could easily break into someone's bank account by obtaining a good fingerprint image, which could be sourced from the phone's screen itself. This highlights a failure in the operation or use of the system, as the technology's reliance on fingerprint recognition alone without additional security measures could lead to unauthorized access to bank accounts [33672]. |
| Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident related to the fingerprint technology used by Royal Bank of Scotland and NatWest's mobile banking apps can be categorized as within_system. The failure originates from within the system itself, specifically the vulnerability of the Touch ID feature to being easily fooled by high-quality photographs or clear images of fingerprints [33672]. This vulnerability poses a significant security risk to customers using the fingerprint technology to access their bank accounts, highlighting an internal flaw within the system's design and implementation. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident related to non-human actions in this case is the vulnerability of the fingerprint technology used by Royal Bank of Scotland and NatWest for mobile banking apps. Security experts warned that almost anybody could crack the fingerprint technology by using a high-quality photograph or clear image of the phone-owner's fingerprint, which could easily lead to unauthorized access to bank accounts [33672].
(b) The software failure incident related to human actions in this case involves the decision by Royal Bank of Scotland and NatWest to implement the fingerprint technology for their mobile banking apps without considering the potential security risks associated with it. Despite warnings from cybersecurity experts about the insecurity of the technology, the banks proceeded with the implementation, potentially putting their customers' money at risk [33672]. |
| Dimension (Hardware/Software) |
hardware |
(a) The software failure incident related to hardware:
- The article discusses a potential security vulnerability in the fingerprint technology used by Royal Bank of Scotland and NatWest for mobile banking apps. Security experts warn that the technology offers limited security and can be easily compromised by using high-quality photographs or clear images of fingerprints, which could be obtained from the phone's screen itself [33672].
(b) The software failure incident related to software:
- The article does not specifically mention a software failure incident originating from software-related factors. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the article is related to a potential malicious aspect. Security experts warn that the fingerprint technology implemented by Royal Bank of Scotland and NatWest for their mobile banking apps could be easily cracked by almost anybody with access to a good fingerprint. Criminals could potentially break into someone's bank account by using a high-quality photograph or clear image of the phone-owner's fingerprint, which poses a significant security risk [33672]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
The software failure incident related to the use of fingerprint technology in the mobile banking apps of Royal Bank of Scotland and NatWest can be attributed to both poor decisions and accidental decisions.
1. Poor Decisions:
The incident reflects poor decisions made by the banks in implementing the fingerprint technology for authentication. Security experts, such as Professor Mike Jackson, criticized the technology, likening it to leaving house keys under the front doormat and stating that almost anybody could crack it [33672]. The decision to rely solely on fingerprint recognition, which can be easily fooled with high-quality photographs or clear images of fingerprints, indicates a lack of thorough risk assessment and consideration of potential vulnerabilities.
2. Accidental Decisions:
The use of fingerprint technology, which was intended to enhance convenience and security, may have led to unintended consequences. The article mentions that the banks were confident in the safety of the technology, citing its popularity with banks in the US and other countries [33672]. However, the ease with which hackers were able to bypass the system using fake fingerprints created from photographs highlights the unintended consequences of relying solely on fingerprint authentication without considering its limitations.
In summary, the software failure incident involving the fingerprint technology in the banking apps can be attributed to both poor decisions in implementation and accidental consequences of relying on a potentially insecure authentication method. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence is evident in the implementation of fingerprint technology by Royal Bank of Scotland and NatWest for their mobile banking apps. Security experts, including Professor Mike Jackson, criticized the use of fingerprint technology, stating that it offers minimal security and can be easily compromised. Professor Jackson likened the security level provided by the technology to "leaving your house keys under the front doormat" [33672].
(b) The software failure incident related to accidental factors is demonstrated by the vulnerability of the Touch ID feature utilized by RBS and NatWest. Experts highlighted that the technology only examines the look of fingerprints, making it susceptible to being fooled by high-quality photographs or clear images of the phone-owner's fingerprint. This vulnerability could potentially allow criminals to break into someone's bank account by exploiting the flaws in the fingerprint-recognition system [33672]. |
| Duration |
unknown |
The articles do not mention any specific software failure incident related to either a permanent or temporary duration. Therefore, the duration of the software failure incident in this case is unknown. |
| Behaviour |
omission, value, other |
(a) crash: The articles do not mention any software crash incidents.
(b) omission: The software failure incident mentioned in the articles is related to the system omitting to perform its intended security function. The fingerprint technology used by Royal Bank of Scotland and NatWest for mobile banking apps was criticized by cybersecurity experts for security vulnerabilities that could allow almost anybody to crack the system and access bank accounts [33672].
(c) timing: The articles do not mention any software failure incidents related to timing issues.
(d) value: The software failure incident discussed in the articles is related to the system performing its intended functions incorrectly. The fingerprint technology was criticized for not providing adequate security as it could be easily fooled by using high-quality photographs or clear images of fingerprints, potentially allowing criminals to break into bank accounts [33672].
(e) byzantine: The articles do not mention any software failure incidents related to byzantine behavior.
(f) other: The other behavior of the software failure incident is related to the lack of adequate security measures in the system, leading to potential risks for customers' financial information and accounts [33672]. |