André Malinowski, head of international business at payment service provider Computop
Biometric payment authentication – gambling with identity
Are we in danger of being too trusting in the biometric payment technology currently being rolled out by card and payment providers, without enough evidence that it is a reliable and secure means of payment authentication? For example, MasterCard recently announced a payment card featuring a fingerprint sensor. It has been trialled in South Africa and is now coming to a wallet or back pocket near you. The technology works almost exactly as it does in an iPhone – a finger is placed over a sensor and an identity authentication is made.
However, this news comes in the same week as researchers from New York University have found a way to defeat supposedly counterfeit-proof scanners by creating a ‘master print’, a bit like a master key. What makes this flaw possible is really what also makes the technology so appealing to consumers – size. Sensors are embedded in tiny devices or cards, depending on whether they are in a phone or a credit card, which means that the captured image is also very limited in size.
To make up for this, biometric authentication technology often takes multiple partial impressions of a fingerprint during set-up, so that at least one of them will match the finger image presented at the point of authentication. A user is then successfully authenticated if the partial fingerprint matches any of the stored templates.
Using a three-point methodology, they found that 11.5 per cent of the tested partial impressions (around 940) contained the master print. The researchers defeated the scanners’ safety barriers in four per cent of cases, which might sound low, but corresponds approximately to the hit probability of an easily guessed password such as ‘1234’.
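To see why the match-any policy described above trades false rejections for false acceptances, here is a small constructed simulation, added here and not taken from the article or the NYU study: the 64-bit ‘finger’, the 16-bit sensor window, the 5 per cent sensor noise, the 0.85 similarity threshold and the assumption that the matcher knows the alignment of each partial are all modelling assumptions, not properties of any real product.

```python
import random

FEATURES = 64      # constructed: a "finger" is a 64-bit feature vector
WINDOW = 16        # constructed: a tiny sensor only captures 16 of them
MIN_OVERLAP = 8    # assumption: fewer overlapping bits than this is undecidable
THRESHOLD = 0.85   # assumption: fraction of overlapping bits that must agree
NOISE = 0.05       # assumption: per-bit sensor noise on every capture

def make_finger(rng):
    return [rng.randint(0, 1) for _ in range(FEATURES)]

def capture(rng, finger):
    """One partial impression: (offset, noisy window of bits)."""
    start = rng.randrange(0, FEATURES - WINDOW + 1)
    bits = [b ^ (rng.random() < NOISE) for b in finger[start:start + WINDOW]]
    return start, bits

def matches(probe, template):
    """Compare over the overlapping region; assumes the matcher knows both offsets."""
    (ps, pb), (ts, tb) = probe, template
    lo, hi = max(ps, ts), min(ps + len(pb), ts + len(tb))
    if hi - lo < MIN_OVERLAP:
        return False
    same = sum(pb[i - ps] == tb[i - ts] for i in range(lo, hi))
    return same / (hi - lo) >= THRESHOLD

def authenticate(probe, templates):
    """The match-any policy from the article: one matching template is enough."""
    return any(matches(probe, t) for t in templates)

def simulate(n_templates, trials=4000, seed=7):
    """Return (false_reject_rate, false_accept_rate) for an enrolment of n partials."""
    rng = random.Random(seed)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        genuine, impostor = make_finger(rng), make_finger(rng)
        templates = [capture(rng, genuine) for _ in range(n_templates)]
        if not authenticate(capture(rng, genuine), templates):
            false_rejects += 1
        if authenticate(capture(rng, impostor), templates):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials

def compound_far(per_template_far, n_templates):
    """Closed form for independent templates: P(at least one false match)."""
    return 1 - (1 - per_template_far) ** n_templates

if __name__ == "__main__":
    for n in (1, 2, 4, 8):
        print(n, "templates -> FRR %.3f, FAR %.4f" % simulate(n))
```

Storing more partials drives the false-reject rate down, which is the convenience win, but the same match-any rule multiplies the chance that an impostor impression matches something, which is the exposure the master-print result exploits.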
Which leads me back to the question I asked at the beginning. Are we too trusting of biometric payment technologies?
The MasterCard sensor is another in a raft of new biometric services designed to improve identity verification for cards, mobile phone payments and other wearable devices. The company is also testing voice and iris scanning as a means to authenticate credit card transactions and eliminate fraud.
I can understand the appeal of the proposition for consumers looking to take advantage of the convenience of mobile payments. For MasterCard it is likely to reduce the number of false transaction declines that cost it money each year. In 2016, the value of false declines hit $118bn per annum – more than 13 times the total amount lost annually to card fraud. Removing barriers to purchase in order to increase conversion rates makes sense.
However, are we all really that ready to gamble our finances and our identities? As a payments industry veteran, you might think I’d be championing the latest and greatest technologies. However, experience has taught me to approach with caution where electronic transactions and authentications are concerned. The technology needs to be totally secure before rolling it out, and I don’t believe it is yet.
There are also bigger questions to be asked here. Passwords can be changed. Fingers and fingerprints can’t be. As an industry we need watertight methods of storing this data securely before we risk breaching people’s identities.
Credit cards and mobile phones are famously prone to penetration by cyber criminals. Rigorous PCI standards already exist to protect users and merchants, especially where liability is concerned should things go wrong. What’s not clear in this scenario is whether liability will shift – and to whom.
Maybe there is a place for biometrics at the moment as a secondary level of authentication, but I certainly won’t be using my finger or thumb as a primary payment authorisation instrument for the time being. Hopefully, in time, biometric data will open the way to a more secure, more convenient way of transacting that removes the risk of fraud for us all. However, so long as there’s such a high risk of a master print, I’ll be cautious about who and what I’m running my finger over.