As financial transactions have gone digital, so has more personal and financial information, and the risk of theft and fraud has skyrocketed. Unfortunately, many of us have experienced the stress of our accounts being hacked firsthand. The need for additional security measures has led to rapid advancements in biometric authentication, or confirming your identity with a fingerprint instead of just a password or PIN.
Biometrics has a proven track record in government and law enforcement applications such as verifying security clearance and identifying criminals. Countries such as Brazil, India, Poland and Japan support biometrics for ATM cash withdrawals, and growth is expected in Asia and Africa. Biometrics is widely considered fast, efficient and convenient. But is it secure?
Many banks consider biometrics to be the solution to combating two key security issues:
- Identity theft, especially in the form of enrollment fraud, where a customer applies for credit using a fake I.D.
- ATM fraud, especially in the form of card trapping, where the card is physically captured and compromised, or skimming, where the information is captured and used to create counterfeit cards.
A number of banks already attribute a substantial reduction in security losses to their biometric
UL, an independent safety science company, performed an intensive study to identify the risks in using biometric authentication that both businesses and customers should be aware of. Risks were found in three key areas: hardware, data and standardization.
- Hardware—Some fingerprint scanners can actually be fooled by an artificial or “gummy” fingerprint that copies the true owner’s. Enhanced scanners can verify that a finger is live, but the sensitivity of each system still comes with trade-offs. There’s a tricky balance between a system accepting too many false fingerprints and rejecting too many authentic fingerprints, which locks true customers out of their own accounts. Other biometric methods, such as reading the veins in the hand and facial recognition, are harder to forge and are gaining popularity.
- Data—Biometric data can be compromised once it goes digital and is stored in a centralized database, just like any other financial and personal data. Many banks have assumed this risk, but not all. In the case of a security breach, credit cards can be re-issued while fingerprints cannot, causing additional liabilities that have yet to be measured. Alternative methods are being explored for keeping the biometric information literally in the user’s hands and on their smart devices, not shared across an insecure network.
- Standardization—There isn’t yet a standard, industry-wide method for validating the security of biometric data for payments. Different companies operate under different degrees of scrutiny. Their security is also connected to every other company involved in the payment process, from their own data transmission and storage partners to the maker of your smart phone and your Internet service provider. A biometric system is only as secure as its weakest link. The good news is there is widespread awareness of the need for common standards in the industry, and initiatives are underway to develop strict specifications.
The outcome of the UL study could be characterized as cautiously optimistic. Biometrics has clear benefits and widening applications. And it certainly is cool. But biometrics is still a young technology that needs to mature before customers can truly embrace it with confidence.