By Anthony Eaton, CTO, IDEX Biometrics
The digital payments revolution is being driven by consumer demand for ever-increasing convenience. This is leading the global digital payments market towards a value of US$204.1 billion by 2028. However, increased convenience brings an implicit expectation of higher levels of security, especially when paying with contactless cards and digital wallets.
According to McKinsey, electronic payments are growing at twice the rate of GDP in North America and Europe. This expanding market has the fintech sector overstretched as they try to address operational risks without hampering customer experience and face increased fraud control expectations. If fintechs struggle to implement effective controls, they are likely to see heightened regulation in the future, which in turn can negatively impact consumer experience.
Amid this burgeoning market, fraudsters are continually looking for new vectors of attack. UK Finance’s 2021 Fraud Report showed that fraud losses on UK-issued cards totalled £574.2 million in one year alone. To counteract such fraud, card issuers and digital wallet providers are deploying biometric fingerprint technology, which itself is evolving year-on-year to offer ever-increasing security levels.
The front-door attack
Fingerprint spoofing is considered a front-door attack on the biometric system. It involves applying a fake finger, or so-called spoof, to the fingerprint sensor. When biometrics were first introduced on the iPhone in 2014, adequate anti-spoof technology was not deployed. As a result, it took just 48 hours before German hackers, the Chaos Computer Club, announced they had bypassed Apple’s new TouchID system with a fake fingerprint.
Attacks of this kind impact both consumer and industry confidence. As such, defending against this has been at the forefront of the emerging biometric payment card standards. Korean technology giant Samsung recently announced its entry into the biometric smart card space, and anti-spoof technology was at the centre of its story. This positioning reflects the need for added security and peace of mind in fraud prevention.
Anti-spoof: the heart of any biometric system
Anti-spoofing technology prevents fraudsters from defeating the fingerprint authentication process with false credentials. Today, it is used to increase security levels across a range of biometric systems, from smartphones to laptops and airport border control kiosks.
The biometric payment card has a compelling value proposition: it brings the biometric authentication process inside the secure enclave of the payment card’s Secure Element chip. The card’s off-grid nature ensures a much more limited attack surface than that of a highly connected smartphone. However, the challenges of implementing anti-spoof technology on this platform are considerable. The card has no battery and operates with limited on-board processing power. Without the luxury of the smartphone’s supercomputer-like processor, a whole new wave of innovation has been needed.
As card issuers and digital wallet providers start to deploy fingerprint biometric payment cards to consumers, anti-spoofing technology must sit at the heart of their offering.
This can pave the way for a more secure future, from payment to digital and physical access, and to digital IDs and digital currencies.
Striking the balance between security and user experience
It’s clear that anti-spoofing technology must be included by default on biometric payment cards to reduce fraud and instil consumer confidence. But despite the benefit of its added security, it’s crucial to limit any potential impact on user experience. When paying for their shopping, consumers want to know that their card is safe, but more than that, they want to know their payment card will deliver a flawless user experience day-in, day-out.
When it comes to balancing security and user experience on a payment card, new design approaches have been required. The traditional approach to anti-spoof uses Neural Networks and Machine Learning techniques to train an image processing algorithm to detect the subtle characteristics of images captured from fake fingers. This requires an optimised processor and can quickly become impractical in a highly constrained smart card.
A second approach is to increase the security level of the traditional biometric authentication algorithm that matches a user’s fingerprint to the reference data captured during enrolment. This is very much a brute-force approach which, while helping to detect fake-finger attacks, will rapidly degrade user experience.
The optimum approach involves designing the fingerprint sensor, the biometric authentication algorithm, and the spoof detection system together, so that all three work in unison. Taking such a holistic, ground-up approach opens up the design of biometric smart cards to new possibilities. Requirements can be met with margin, allowing designers to achieve security targets and focus on delivering a flawless user experience.
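The trade-off between tightening the matcher alone and pairing it with a dedicated spoof check can be made concrete with a toy model. This is an added example, not code from the article or from IDEX Biometrics; every score, threshold and policy name in it is a constructed assumption, with each attempt reduced to a match score and a liveness score.

```python
# Toy model: each attempt is (match_score, liveness_score), both in [0, 1].
# All values are constructed for illustration; they are not measurements.
GENUINE = [(0.62, 0.90), (0.71, 0.80), (0.55, 0.85), (0.80, 0.95), (0.66, 0.55),
           (0.58, 0.90), (0.75, 0.88), (0.69, 0.92), (0.52, 0.81), (0.85, 0.93)]
# Fake fingers copied from the enrolled finger: the ridge pattern matches
# almost as well as the real one, but the liveness score is usually low.
SPOOF = [(0.60, 0.20), (0.68, 0.35), (0.50, 0.10), (0.72, 0.40), (0.57, 0.25),
         (0.64, 0.15), (0.54, 0.30), (0.77, 0.45), (0.48, 0.20), (0.66, 0.65)]


def matcher_only(match_threshold):
    """Accept on match score alone (hypothetical policy)."""
    return lambda attempt: attempt[0] >= match_threshold


def matcher_with_liveness(match_threshold, liveness_threshold):
    """Accept only if both the matcher and the spoof detector agree."""
    return lambda attempt: (attempt[0] >= match_threshold
                            and attempt[1] >= liveness_threshold)


def evaluate(policy):
    """Return (genuine attempts rejected, spoof attempts accepted)."""
    false_rejects = sum(1 for a in GENUINE if not policy(a))
    spoof_accepts = sum(1 for a in SPOOF if policy(a))
    return false_rejects, spoof_accepts


POLICIES = {
    "baseline matcher (match >= 0.50)": matcher_only(0.50),
    "stricter matcher (match >= 0.70)": matcher_only(0.70),
    "matcher + spoof check (0.50 / 0.60)": matcher_with_liveness(0.50, 0.60),
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        rejected, accepted = evaluate(policy)
        print(f"{name}: {rejected}/{len(GENUINE)} genuine rejected, "
              f"{accepted}/{len(SPOOF)} spoofs accepted")
```

In this constructed data set, raising the match threshold blocks most spoofs only by rejecting most genuine presentations, while the combined policy blocks more spoofs and rejects one genuine attempt.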
Ready to fuel digital payment growth
To ensure the continued widespread adoption of biometric smart cards, it is important that all fingerprint biometric sensors are deployed with anti-spoofing technology while being optimised for user experience. Fingerprint biometric cards, when combined with anti-spoof technology, allow for higher transaction limits and a faster, more secure transaction experience, while introducing increased obstacles to fraud.
Payment providers save money on fraud refunds whilst also increasing revenue thanks to higher limits and an enhanced customer base due to a secure and trusted reputation. The payment industry is already at a high level of security today. But with financial fraud on the rise, we must constantly improve to be ahead of cybercriminals and improve the customer experience for those using biometric payment services to enhance their lives.