Can Consumers be Protected If Their Biometric Information is Lost?

by Tim Sloane

In this New York Times opinion piece titled “Biometrics Are a Grave Threat to Privacy,” Claire Gartland argues that if biometrics are compromised, the consumer will be forever open to hacking since the biometric can’t be changed:

“Biometric identifiers – facial features, voice patterns, fingerprints or eye structures – reveal incredibly sensitive information, not simply because those characteristics are personal but because they’re permanent. The reason to use biometrics as identifiers at all is precisely because they are unique and unchanging over time.

If these identifiers are compromised, there will be severe privacy and security threats for the victims. It’s possible to replace a stolen credit card or bank account number, but how do you replace fingerprints, facial features or an iris? Instead of credit monitoring, will hacked companies offer their customers plastic surgery?”

Of course, that horse has already left the barn: facial recognition has already made privacy a thing of the distant past for many, especially those posting willy-nilly on Facebook. However, many consumers are happy to supply any biometric as long as it will provide them greater convenience.

Claire isn’t entirely accurate regarding the re-use of stolen biometrics:

“Big banks and internet firms pioneering the use of biometrics claim they do not store actual fingerprints or iris scans — only the authentication codes they are converted into — but the growing rate of data breaches in this industry casts doubts on those kinds of promises. This risk needs to be considered in the regulation, design and deployment of biometric systems before they become widespread.

Another risk is that, without regulation, this information and technology could be used or sold for targeted, location-based advertising. Facial recognition and other biometric systems would allow companies to instantly recognize individuals walking down the street or into a store.”

Banks are already highly regulated and would be out of compliance if they shared personal information regarding their account holders with any other commercial entity. This is why we all receive multiple privacy notices in the mail from FIs. Also, it should be noted that breaches of financial institutions are most often accomplished by criminals who hacked other systems to learn enough about the target consumer that they are able to mimic that consumer and gain access to the bank account. So biometrics are the fix that will prevent account takeovers.

Lastly, a properly designed biometric solution should be able to cancel the biometric hash that was initially generated so a new biometric sample can be taken and a new hash generated. The loss of the biometric hash would need to be discovered, but once discovered a new hash could be created.
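To make the cancel-and-reissue idea concrete, here is an added sketch (not from the original article or any vendor) of one known approach, a seeded random-projection template in the style of BioHashing. The feature vectors, seeds, sizes and function names are all constructed assumptions.

```python
import random

BITS = 128        # template length in bits (assumed)
THRESHOLD = 0.25  # max fraction of differing bits accepted as a match (assumed)

def make_template(features, seed):
    """Project features through a seed-derived random matrix and keep only the signs."""
    # Demo only: a real system would derive the matrix from a secret key with a CSPRNG.
    rng = random.Random(seed)
    bits = []
    for _ in range(BITS):
        row = [rng.gauss(0, 1) for _ in features]
        bits.append(1 if sum(r * f for r, f in zip(row, features)) > 0 else 0)
    return bits

def distance(a, b):
    """Fraction of bit positions that differ between two templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(stored, seed, probe_features):
    """Re-derive a template from a fresh scan and compare it with the stored one."""
    return distance(stored, make_template(probe_features, seed)) <= THRESHOLD

def demo():
    rng = random.Random(7)  # constructed sample vectors, not real biometric data
    finger = [rng.uniform(-1, 1) for _ in range(32)]
    rescan = [f + rng.gauss(0, 0.05) for f in finger]  # same finger, sensor noise

    old_seed = 1001  # fixed for reproducibility; would be random per enrollment
    old_template = make_template(finger, old_seed)
    ok_before = verify(old_template, old_seed, rescan)

    # Loss discovered: cancel the old seed and template, re-enroll the same finger.
    new_seed = 2002
    new_template = make_template(rescan, new_seed)
    ok_after = verify(new_template, new_seed, finger)

    # The stolen template is no closer to the new one than a random bit string.
    return ok_before, ok_after, distance(old_template, new_template)

if __name__ == "__main__":
    print(demo())
```

Cancelling only works if the raw feature vector is never stored next to the template, since the same finger feeds every reissued template.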

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
