It’s a new year, so the new marketing budgets have kicked in, meaning that we have a raft of ‘next big thing’ stories in all the press. One that seems to have been picked up and run with is a return to the idea of adding biometrics to the growing list of cardholder verification methods (CVMs) on a chip card, such as in a recent BBC news story (here) subsequently picked up by industry press such as PYMNTS.com and Finextra. To be honest, it’s something that would definitely make life a whole lot easier!
Essentially, using biometrics for card payments means that at the Point of Sale (POS) or ATM you will no longer enter a PIN or sign for a transaction, but use some part of your body to validate that you are who you say you are. In the past this has typically been fingerprint or iris scanning – but both can be defrauded or give unacceptable levels of false (negative or positive) results. Newly promoted biometrics are now appearing: recognition of facial structure is already included on many passports, and reading the pattern of veins in a finger or palm, or even the shape of someone’s ears, is now seen as a viable way of authenticating that you are who you say you are.
However, one of the first flaws with biometrics is the initial capture, i.e. how the biometric about you is brought into the card system so that it can be used to validate you. In countries such as India, where populations run into 10-digit numbers and other forms of unique identification are scarce, there are already mass programs to capture this data into a single central database (here). However, in countries where ID legislation is more mature, particularly within the European Union, such databases become near impossible. Why? Because few pieces of data are considered more private than specific dimensions of your body parts, and storing these up in a big ol’ database is the surest way to make sure that they don’t remain private for long.
So how do we get round this and start to realise our dream of using biometrics as a CVM? In the passport example I mentioned earlier, the need for a central database was bypassed by using a match-on-form process – basically the captured biometric is stored exclusively on the passport and is shared with the reader for the purpose of matching the stored profile against the one being offered as authentication. This leaves the presenter in charge of their own data and certainly allays some privacy concerns, but of course removes the ability to travel or pay using a biometric identity alone – you still need a passport, token or card to give your profile to the system. Technically, this remains as vulnerable as PIN or signature to fraud or criminal activity, because a fake positive authentication can be sent to the system, or the system can somehow be fooled into believing authentication has taken place (here).
All of this means that biometrics for payments will certainly take off in places where privacy is less of an issue than identity – typically BRIC and similar countries that are making the payment technology leapfrog over more traditional markets. But your finger, eye, face, ear or silly walk are unlikely to be acceptable CVMs in traditional markets for the foreseeable future, and that is without even beginning to look at the practicality of upgrading countless millions of terminals and ATMs.