Two big pieces of news from the payments world have put the spotlight on biometric authentication for shopping and banking, and at a glance it seems as though biometrics could fix many of the fraud challenges the retail and banking industries face. But other news, and a growing chorus of security experts, indicates that some types of biometrics are as vulnerable to theft as any other consumer data, and potentially far more damaging once compromised, because a stolen fingerprint or face cannot be reissued the way a password can. As consumers increasingly expect to shop with a thumbprint, voice, or face scan, merchants need to understand both the usefulness and the limits of biometric data for fraud prevention and customer experience.
More banks and card companies adopt biometric authentication
Biometrics have been in the news on both sides of the Atlantic this year. In April, the four major card brands dropped some or all of their signature requirements for in-store (POS) purchases in the US, in a bid to reduce friction at checkout and cut merchant processing costs. To replace the signature as a cardholder authentication step, Visa is piloting EMV contactless cards with a built-in fingerprint sensor. At the point of sale, the cardholder touches the sensor and the reading is compared with the fingerprint template enrolled on the card itself; the card confirms the cardholder only if the two match, so the fingerprint does not need to be sent to the merchant or stored centrally for the comparison.
Meanwhile, in Europe, the revised Payment Services Directive (PSD2) requires banks and other payment service providers to apply strong customer authentication (SCA) to electronic payments: two independent factors drawn from something the customer knows (a password or PIN), something they have (a phone or card), and something they are (a biometric). Industry watchers and app developers expect biometrics to figure prominently in the new flows because a fingerprint or face scan creates less friction than keying in a password or a one-time code delivered by SMS. It is clear that biometrics are becoming part of the fraud-prevention landscape. What is less clear is what happens when, not if, biometric data is compromised.
Physical biometrics are vulnerable to hackers and fraudsters
Unlike a password, a static biometric marker such as a fingerprint or the shape of a face cannot be changed after a breach, and hackers and security testers have repeatedly produced copies good enough to fool some biometric scanners. For several years running there have been data breaches that definitely or potentially included consumers' biometric data. One headline-making example came in 2015, when attackers stole the fingerprints of more than 5 million US federal employees, along with other personal data, from the Office of Personnel Management. The most recent troubling news comes from India, where Aadhaar, the national biometric database holding more than one billion citizens' records, has been repeatedly compromised; access to the data has reportedly been sold over social media for as little as $10.
Fingerprints are not the only problematic biometric. Google's Arts & Culture app became a viral sensation in January when people used its "art selfie" feature to match their selfies to classic works of art and shared the results on social media. Alongside the human-interest story, media outlets looked at how both everyday people and researchers exploit weaknesses inherent in facial recognition, from using snapshots of strangers to find their social media profiles to fooling facial scanners with a 3D model of a person's head built from their Facebook photos. Our faces are always on display, so there is no way to keep that biometric marker away from people with ill intent.
A better biometrics solution: behavioral biometrics as one security layer among many
One major advantage biometrics have over passwords and authentication codes is ease of use. Reducing friction leads to more completed transactions, which benefits consumers, merchants, and banks. And by using behavioral biometrics rather than physical ones, merchants and banks can provide customers with a low-friction experience while maintaining robust fraud protection.
That's because behavioral biometrics are harder to steal and to fake. The way users hold their phone, the rhythm with which they type on a desktop keyboard, or even the patterns of their brain waves can all be used to verify identity, and they are difficult to replicate because they are measured from live behavior during the session rather than captured once as a static image that can be copied. Difficult, but perhaps not impossible forever: organized fraudsters keep finding ways around each security innovation. The constant arms race between fraud-prevention teams and fraudsters means that biometrics, like any other form of authentication, are most effective as one of many layers of screening that together verify user identity.
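To make the "one layer among many" idea concrete, here is an added example (not code from the original article or from any vendor it mentions) of a toy keystroke-dynamics scorer feeding a layered authorization decision. The enrollment timings, the two test sessions, the z-score threshold, and the velocity and amount limits are all constructed and hypothetical; a production system would use many more behavioral features and a better statistical model, but the shape of the decision is the point.

```python
# Added example (not from the original article): a toy keystroke-dynamics
# scorer and a layered authorization decision that treats the behavioral
# score as one signal among several. All timings and thresholds are
# constructed and hypothetical.
from statistics import mean, pstdev

# Constructed enrollment data: four samples of the same five-key phrase,
# each keystroke recorded as (hold_ms, latency_to_next_key_ms).
ENROLLMENT = [
    [(95, 140), (88, 155), (102, 130), (90, 148), (97, 160)],
    [(92, 135), (90, 150), (99, 128), (88, 152), (101, 158)],
    [(98, 145), (85, 158), (104, 134), (93, 146), (95, 163)],
    [(94, 138), (91, 153), (100, 131), (89, 149), (99, 157)],
]

# Constructed test sessions: the enrolled user typing the phrase again, and
# someone else typing the same phrase with a clearly different rhythm.
GENUINE_SESSION = [(96, 142), (89, 154), (101, 132), (91, 149), (98, 159)]
IMPOSTOR_SESSION = [(60, 250), (70, 240), (65, 260), (72, 245), (68, 255)]


def build_profile(samples):
    """Per-keystroke (mean_hold, sd_hold, mean_latency, sd_latency).

    A zero standard deviation is floored at 1 ms so that a perfectly
    regular enrollment does not reject every later session outright.
    """
    profile = []
    for i in range(len(samples[0])):
        holds = [s[i][0] for s in samples]
        lats = [s[i][1] for s in samples]
        profile.append((mean(holds), pstdev(holds) or 1.0,
                        mean(lats), pstdev(lats) or 1.0))
    return profile


def behavioral_score(profile, session, z_limit=3.0):
    """Fraction (0.0..1.0) of session timings that fall within z_limit
    standard deviations of the enrolled mean.

    A session of the wrong length scores 0.0 instead of raising, so an
    attacker cannot learn the expected phrase length from an exception.
    """
    if len(session) != len(profile):
        return 0.0
    hits = 0
    for (hold, lat), (m_h, sd_h, m_l, sd_l) in zip(session, profile):
        if abs(hold - m_h) / sd_h <= z_limit:
            hits += 1
        if abs(lat - m_l) / sd_l <= z_limit:
            hits += 1
    return hits / (2 * len(profile))


def layered_decision(behavior, device_known, txns_last_hour, amount,
                     behavior_floor=0.8, velocity_limit=5, amount_limit=500.0):
    """Combine the behavioral score with device, velocity and amount checks.

    No single signal is trusted on its own: one risk flag triggers step-up
    authentication (for example a one-time code), two or more flags decline
    the attempt, and only a clean pass through every layer approves.
    Returns (decision, flags).
    """
    flags = []
    if behavior < behavior_floor:
        flags.append("behavior")
    if not device_known:
        flags.append("device")
    if txns_last_hour > velocity_limit:
        flags.append("velocity")
    if amount > amount_limit:
        flags.append("amount")
    if len(flags) >= 2:
        return "decline", flags
    if flags:
        return "step_up", flags
    return "approve", flags


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    for name, session, known in (("genuine", GENUINE_SESSION, True),
                                  ("impostor", IMPOSTOR_SESSION, False)):
        score = behavioral_score(profile, session)
        print(name, round(score, 2), layered_decision(score, known, 1, 80.0))
```

Two design choices are worth noting. A poor behavioral score on a known device only steps up rather than declining, because a family member borrowing a phone looks the same as an attacker to this layer; and a perfect behavioral score on an unknown device still steps up, because the behavioral profile is itself data that could one day be replayed. The enrolled profile should be stored and protected like any other credential material.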
Biometrics, and physical biometrics in particular, are not a cure-all for card-not-present (CNP) fraud. Fingerprints and facial data are too easy to steal and copy to be secure on their own, and a fingerprint sensor on a physical card only helps when the card is present at the terminal; it does nothing for the online purchases where CNP fraud actually happens. But behavioral biometrics embedded in a broader program of customer and device authentication can help stop fraud without slowing down customers.