> Reprint: Payments Next
by Ned Hayes, General Manager, SureID
It’s Monday, and you need a little brain fuel in the form of caffeine intake. When you pull up to the ordering station, you name your drink. When you order, you tap the kiosk with one finger. A moment later, you pick up the triple-shot latte. At some locations, when order, you don’t even have to tap with a finger — the combination of your voice and your face are enough to pick up your latte.
Notice what was skipped there?
There was no moment of payment with fumbled cash, or an inserted credit card with a special poorly-remembered PIN code, or even a scrawled half-secure signature on a digital pad.
Instead, biometric authentication — with fingertips or voice and face — facilitated an immediate payment in real time. In the near future, this could be the reality for all transactions.
Biometric payments are gaining ground
Although using biometrics to make purchases is still far from the norm in North America, the practice is gaining ground quickly in other countries. In China, biometric payments have even become the norm for many retail events.
On November 11, the Chinese celebrate Singles’ Day (or Guanggun Jie). The holiday started in the 90s as an obscure anti-Valentine’s event, but it quickly became a shopping phenomenon when retailer Alibaba (the Chinese equivalent to Amazon.com) began promoting it in 2009 as a reason for people to buy themselves gifts. Last year, Alibaba pulled in a staggering $30.8 billion on Singles’ Day, an amount bigger than Black Friday and Cyber Monday sales combined. In 2018, 60.3% of Singles’ Day customers paid by scanning their fingerprint or taking a selfie.
Biometric payments are growing in other countries, as well. Transaction Network Services surveyed nearly 4,000 adults in Australia, the UK, and the US and learned that 16 percent of respondents used biometric payments in the past year. But the trend was much higher among adults age 18 to 24, with one in four reporting that they’ve used the technology.
Security and Convenience, and Vulnerability
You may accidentally drop your wallet in the store parking lot or forget it at home, but your fingertips and face go wherever you do. They’re also not something a thief can lift out of your back pocket. Although the chip and PIN system has helped reduce credit card fraud, credit cards, or the data associated with them, are still easily lost or stolen. Biometrics add another layer of security.
According to a 2017 Visa survey, consumers expressing confidence in biometrics as a secure form of authentication is up to 84 percent. That’s a significant increase from the previous year when a smaller majority, 59 percent, said they felt comfortable with biometric technology.
But are we too eager to accept biometrics as the new norm? Think of it this way: when you hand over your biometric data, you’re sharing something important and unique to you. You wouldn’t hand the keys to your house to a stranger, you’d vet that person first to determine whether you trust them to keep your valuable property safe and secure. Your practice should be the same for your trusted biometric data.
A Need for Standards and Government Oversight
To keep consumers safe and to protect the proper usage of biometric data, there are some best practices that need to come to the forefront sooner than later. Companies engaged in biometric data collection and transmission should have openly published standards about their usage, storage, and transmission of both PII and biometric identity data. In fact, if you don’t do this, it’s possible you and your shareholders could suffer for it — today, public companies risk shareholder and valuation issues if they don’t adhere to basic data security and privacy protection standards. (Look at the blowback on Facebook and others for their lack of transparency around data-sharing and promotional targeting.)
It’s also useful to note that many governments, including the US, have very high safety standards around biometric storage, transmission, and security. The governments in several countries including Germany, the UK, the US, and Ghana, the have taken adept steps to safeguard biometric data. Unfortunately, this hasn’t been the case in India, where government-provisioned/mandated systems have been repeatedly hacked, or in China, where biometric data has been proven to be used for political and self-serving purposes.
As we look toward the future and the complex world of multiple biometrics being used for many purposes, it’s likely that a service will emerge that will operate similarly to a credit bureau. Instead of checking your credit report for your lending and payment history, and scanning for errors that could indicate a security breach, you’ll rely on an organization with a name like Data Bank or My Data Check where you can see who has your data and what they’ve done with it lately. This kind of cross-system data check tool should emerge, either from an industry consortium or a public company, sometime in the next few years, ideally created with a view towards allowing consumers to check the usage and spread of their personal PII data as well as their biometric data.
These three elements of company self-reporting, government standards and regulation as well as consumer visibility into use and spread of biometric data, are three of the principal areas that are vital to continue to safeguard and protect consumer biometric data moving forward. If these systems can remain trusted and vibrant, it’s likely that we can move into that future of biometric transactions that are always available, easily accessible and highly secure.
Consumer Protection in Biometric Transactions
There are some steps that organizations can take though, to protect biometric data, without relying upon corporate, government or nonprofit entities to safeguard private information.
There are three critical behaviors that can almost entirely mitigate the threat exposed by new biometric exploits.
Enroll at high fidelity
One low-fidelity biometric (like those built into today’s smartphones) isn’t satisfactory for high-security authentication. If you’re doing a financial transaction, try to only use prints enrolled at high fidelity. This means using a mechanism like a ten-finger livescan machine used by a certified FBI or FINRA channeler. These highly trusted and certified channeling companies are required by law to enroll all ten fingerprints. This group of companies also enrolls at a much higher standard of fidelity than those exploited in recent hacks. These companies also provide storage, encryption and protection routines mandated by the FBI. If you need fingerprints for identity proofing, employ a system that enrolls fingerprints at high fidelity and transmits them securely.
If you are using facial geometry and iris scans for access or identity, then it is equally important to use a high-fidelity system to enroll the faces you wish to recognize. Enroll biometrics with multiple modalities and then use that data to cross-check at low fidelity to protect transactions.
Use multi-factor biometric solutions
First, it’s worth noting that systems that can enroll more than fingerprints are essential as well. If you’re using fingerprints, you may as well use facial scans, iris scans or even voice recognition in concert, creating a multi-modal biometric “signature”. One finger on a pad or one face read by a camera shouldn’t be enough to validate any transaction by itself.
Enrolled fingerprints alongside of face and voice can help create a holistic set of identifiers which are harder to “spoof” in most identity-proofing scenarios. When the fingerprints match the face, and the face matches the documents, you can authenticate a multi-factor identity which is highly secure.
Put a human being in the loop
Second, it’s important not to rely on machine-trained systems to cross-check all identities, even biometric identities. Rather, have an actual person show up and double-check the biometrically-locked identity. There are still vulnerabilities in this nascent technology, and having a person in the loop can raise your security bar. People are the ultimate biometric check.
The Future of Biometrics
The future of biometrics is already upon us. Innovations in biometric payments are moving forward quickly. In fact, a chip and fingerprint solution is gathering steam and seems likely to replace chip and pin technology in the near future. Mastercard debuted its biometric payment card in spring, 2018, saying they are, “on a mission to eliminate the use of passwords and recognize people by ‘what they are’ instead of ‘what they know’ through biometrics like fingerprints, facial recognition, and iris scans.”
Visa launched a biometric card pilot program, as well. Visa touts the advantages of strong security stored only on the card itself to ensure the cardholder’s data is protected, no need for vendor terminal hardware upgrades (any chip-based payment terminal is compatible), and self-charging cards with a biometric sensor powered by the payment terminal itself.
And these new launches are just the beginning of a global trend. In October 2018, Goode Intelligence forecast there will be 579 million biometric payment cards in use by 2023.
To make payments safer as we continue to use biometrics, it’s essential that corporate, government and nonprofit interests play their part. It’s also vital to ensure that companies trusted with data are enrolling at a high fidelity, deploying multi-factor solutions and are using actual humans to vet identities. With these safeguards in place, biometrics can be the future of safe, fast and secure payments around the world.