Sign up to our newsletter
Society has long been fascinated by the idea of biometric technology and a quick glance at films in the early part of the 21st century is testament to this point. Movies such as Minority Report, iRobot and even James Bond’s Skyfall – where his biometric PPK gun won’t fire unless the licensed killer himself is holding it – have hinted of a future where our DNA is intrinsically linked with our digital identity.
However, in recent years, what was once the stuff of fantasy has become real – biometrics has quickly moved from fiction to reality. Your face, fingerprint or iris could be the future of authorizing payments from your desktop computer or mobile device.
This feature explores whether this emerging system of payment is fad, fiction or the future, and delves into the security challenges which may emerge along the way.
Once a niche technology mainly restricted to being used in a few manufacturing plants or in other niche verticals, biometric technology can now be found on millions of Apple and Android mobile phones, in some of the biggest banks and at most large airports.
Through Apple’s Touch ID technology, for example, hundreds of banks have used fingerprint technology to authorize payments on smartphones and more is sure to come with iris detection in front-facing smartphone cameras. Fujitsu, for example, has been developing iris-scanning technology for future mobile devices.
Earlier this year, First Tech Federal Credit Union and MasterCard announced the launch of the first US biometrics payments pilot. The concept, which is being referred to as “Selfie Pay”, aspires to make any form of payment, whether in person or online, as secure as possible.
This is by no means unique, as in the UK, Barclays has already introduced voice recognition for users of its telephone banking service, as well as finger vein biometric scanners. The voice recognition system verifies customers based on their speech patterns and is being initially offered to Barclay’s Wealth customers, with the rest of its 12 million customers to follow later this year.
Likewise, in Europe, there is similar activity. Biometrics, it seems, is a truly international phenomenon. In Poland, 1,730 cash machines have been equipped with finger vein technology, allowing people to scan their finger to withdraw money from an ATM without a card or PIN number, while in Sweden, there are also payment machines that only require your veins to withdraw money.
This may sound alarming to some readers, but it’s clear that biometrics is increasingly being accepted as an authentication method by the general public, with many UK consumers happy to share their DNA with banks.
Multiple studies attest to this mood. A survey from Visa Europe, for example, revealed that the majority of those aged 16 to 24 would feel comfortable with biometric security replacing the traditional password for their day-to-day security, while a WorldPay survey earlier this year found that 49 per cent of European consumers would most like to see biometric payments emerge as a payment technology alternative.
Despite this convenience and simplicity, not to mention how it could save banks millions in online fraud, information security practitioners have raised numerous concerns around biometric payment security and privacy.
One of the main concerns is that the biometric measurement is being used as a password or passkey equivalent, rather than a proof-of-identity with a password or PIN then used to authenticate that information. This raises the concern that physical and information crime will begin to blur, with some speculating that this opens up biometrics to gruesome, targeted attacks.
This is not hyperbole. Japanese cryptographer Tsutomu Matsumoto was famously able to fool fingerprint security systems using a ‘gummy finger’ made directly from the target some years ago.
Some flaws have also been found with biometric mobile payment technology. Researchers revealed last September that Apple’s TouchID could be fooled using fake fingerprints and a similar proof-of-concept (POC) emerged with the fingerprint scanner on Samsung’s Galaxy S5. Some users, meanwhile, have complained of high false acceptance rates.
Couple this with the possibility of this biometric data being stolen, and the danger of this ultimately leading to identity theft and it’s clear that its still early days for biometric payments. Nevertheless, there’s little doubting that this technology – and the idea of a ‘connected self’ in the age of the Internet of Things – is here to stay. We hope you’re ready.
Author Editor, ESET