Biometrics for Payment Security
One of the main issues in the payments industry is how to combat fraud. Although fraud impacts less than 1% of all transactions by some estimates, it’s still a major concern for consumers, banks, card networks, and businesses.
In 2015, credit and debit card fraud caused losses of nearly $22 billion. Anything that can reduce the impact of fraud will significantly improve confidence throughout the payments marketplace and save businesses money. One potential way to fight fraud is through the use of biometrics — your uniquely identifying personal features like fingerprints, voice, face, or eyes. Let’s take a look at how biometrics may be used for added security in payments.
- Understanding Payment Authentication
- Issues with Two-Factor Authentication
- Where Biometrics Comes In
- Advantages of Biometrics
- Concerns About Biometrics
- Current Use of Biometrics in the Payments Industry
- Biometrics and Risk
Understanding Payment Authentication
Before digging into how biometrics could benefit the industry, let’s explore the main security features of debit, credit, and other payment systems. Many systems use “two-factor authentication” (TFA) to prove the identity of a person making the payment, and their authority to spend that money. The two factors used are “something you own” and “something you know.”
Something You Own
The “something you own” in TFA is normally the debit or credit card you are using. In addition to the card number itself, there’s security information encoded on the magnetic strip or EMV chip in the card itself. Another layer of security is provided by the security code normally printed on the back of the card.
In a smartphone or other mobile payment device, the “something you own” is embedded in NFC in the device itself. For example, many banks now offer “secure tokens” letting account holders log in by creating a unique one-time password. Some institutions use SMS and text messaging for an additional layer of security.
Regardless of the form it takes, the “something you own” is the most basic level of payment security — you generally can’t make a payment without a card.
Something You Know
The “something you know” is the personal identification number (PIN) associated with a chip card, or your signature for magnetic strip cards. For a phone, you may have to swipe a particular pattern or enter a password to make payment. For online services like PayPal, you typically just need to enter a password.
Related Article: The Difference Between EMV and NFC.
Issues with Two Factor Authentication
While two-factor authentication is a good start for secure systems, there are still several possible issues:
- Cards can be cloned using skimmers
- Cards can be stolen
- Cashiers don’t always check signatures
- Passwords can be hacked
These risk factors are always present, and even new technology (like EMV chip cards) can’t stop hackers forever. While skimming devices are so far primarily used on magnetic strip cards, newer versions (called “shimmers”) designed to skim info from EMV cards have already been discovered in use in Mexico.
Where Biometrics Comes In
Biometrics adds another layer to security: “Something You Are.” Essentially, it uses a physical characteristic that’s unique to you to verify your identity. Biometric authentication can use several different physical characteristics. The most commonly used are fingerprint recognition, face recognition, iris recognition, and voice recognition.
Although it seems like biometrics is a very new technology, payment verification through biometrics has been around since 2005. In 2017, most biometrics payments are through smartphones, and some industry insiders predict that almost all smartphones will have built-in fingerprint scanners by 2021.
Advantages of Biometrics
Using biometrics for payment has several advantages. Firstly, it’s difficult to counterfeit biometric authentication or to fool biometric systems. Secondly, biometrics are unique to each particular consumer; the chances of false negatives or false positives are very low. Lastly, they are easily accessible. Users don’t need to remember to take something with them.
Essentially, biometric authentication adds another layer of security and reduces the potential for fraud, which can increase consumer trust and have positive effects on a business’ bottom line.
Concerns About Biometrics
One of the issues with biometrics is privacy concerns, like businesses having access to a person’s unique biometric identifiers. However, these privacy concerns don’t seem to be as important as security issues to consumers, and more people are becoming comfortable with using biometrics for payment verification.
Heavy encryption of consumer biometric data is essential. Protecting this information from hackers is one of the most important factors affecting widespread use of the technology. After all, in the event of a breach, a person can’t change their fingerprint or voice like they could a password.
There’s also the issue of regulation, or lack of it. The way companies collect and use biometric data is largely unregulated. There are understandable concerns about user consent, security, and biometric data sharing between businesses, state, and federal organizations. Although businesses like Google, Microsoft, and Apple are self-regulating how they use biometric data, the lack of oversight is a concern to many.
Current Use of Biometrics in the Payments Industry
There are several payment providers and technology companies making significant plays in biometric payment authentication, including Mastercard, digital wallet creators like Apple, and more.
In 2016, Mastercard began rolling out “Identity Check Mobile” saying that it would eliminate the need to remember passwords and could reduce digital checkout time. Consumers can use Identity Check with a fingerprint scanner on their phone or by taking a photo of themselves for facial recognition. The company offers this video about their Identity Check solution:
Mastercard is also working on a wearable sensor that verifies your identity via your heartbeat. It sounds a little strange, but the company says that you’d wear a payment authentication wristband, which can initiate payments through NFC technology when held to a compatible contactless POS terminal. The band will read the wearer’s heartbeat to authorize the transaction.
Digital Wallet Creators
In addition to Mastercard, companies that offer digital wallets and smartphone payments, like Apple, Samsung, and PayPal, have already implemented biometrics. The Apple Touch ID is in use on many devices and works with Apple Pay, while Samsung allows fingerprint scanning or iris scanning for authentication. PayPal is also working on fingerprint scanning, partnering with Samsung and Lenovo.
Biometrics and Risk
With any new technology, especially where data is stored online, comes risk. There have been a couple of notable breaches or near breaches already.
The US Office of Personnel Management had over 5 million fingerprint records stolen in a data breach in 2015. Wired magazine noted that the agency admitted that hackers may be able to find ways to continue to exploit stolen fingerprint data as technology changes.
Avanti, a provider of kiosk-based services to allow employees to buy food using fingerprint scans, had its own brush with security. In July 2017, the company was targeted by malware. Although biometric information was ultimately not compromised, the scare renewed some concerns about the security of biometric data.
Biometrics are only going to become more embedded in our payment transaction and verification systems. The drive to reduce fraud is a strong one, but it needs to be balanced against consumer concerns and the very real risk of data breaches. If the payment provider and technology companies can resolve these issues and build consumer confidence, the widespread adoption of biometric payments is inevitable.
Paul Maplesden is a writer specializing in business, finance, and technology. He finds research and writing about money deeply interesting.