
Biometrics - what's that all about then?

Almost daily I seem to be faced with "fingerprint this", "eyeball that" and "pheromone the other" as a means of adding "security" to the card transaction process (I wasn't serious about the pheromones).  Wouldn't it be neat if you could look the ATM in the eye and ask it for a tenner?  I only have to lay my hands on the vein reading, hand shape detecting, fingerprint scanner and my palm is instantly crossed with silver (all right then, two twenty pound notes and a tenner but you get the point).

Could this all be a little bit silly?  I'll say that it is.  I have said many times before that most of the £500m fraud loss is a direct result of less than perfect card issuing strategies - which is being addressed right now!  If the headline fraud is sitting pretty at £500m, the underlying fraud, since most of the headline fraud is the result of mag stripe clones being used abroad, is much lower and more manageable.  On the whole, chip and PIN works fine!  Fraud is unwelcome, but not un-manageable, and over the next few years I would expect fraud levels to fall as the proper security processes are put into place. 

Probably the most important feature about the ubiquitous card and PIN and the supporting global infrastructure is not its strength as an authentication and authorisation system, but in the ability of the system to respond to compromise - relatively quickly, easily and cost effectively.  The use of cloned cards is reported to the issuing bank, the cards are stopped and replacement cards are issued - job done!  The banks may even refund the lost cash, depending on the circumstances, and the bank!

For the values involved in normal credit / debit card transactions, this is easily good enough.  If a card is compromised, replace the card.  If a PIN is compromised (normally of no use unless the card has been compromised too) the card issuer's advice would usually be to change the PIN.

In both of these circumstances, the strength of the system lies in the fact that compromise is easy to manage - because the security is based on replaceable information.  But what if my transaction security is based on a scan of my retina?  In this case any compromise will present significant challenges, as the security revolves around non-replaceable information.  If someone copies my card, I get a new card.  If someone copies my eyeball - same thing?  I think not!  It's all very well presenting us with the "more secure than chip and PIN" hype (whatever that means), but does it really need to be?  What happens if my biometric is compromised?

We clearly have ourselves a technology solution looking for a problem, and we have hordes of consultants telling anybody that will listen what a wizard scheme biometrics really is.  We also have ourselves a government that is listening to the consultants telling them what a wizard scheme biometrics really is, and then telling us, in their own words, what a wizard scheme biometrics really is; and let's not forget that the consultants stand to make money aplenty from telling the government what a wizard scheme biometrics really is!

I think biometrics, and the application of biometrics, is fascinating.  The technologies are becoming more sophisticated by the day, and one day someone very clever will come up with a useful, interesting and acceptable large-scale use.  I have only one question, which, if you like, is biometric agnostic - it applies equally to fingerprints, eyeballs, and obviously pheromones too - what do you do if it goes wrong?


Comments: (3)

Paul Penrose - Finextra - London, 20 March, 2008, 09:57

US vendor Pay By Touch spent $300 million of private funding from hedge funds and venture capitalists trying to prove the business case for biometrics at the point of sale. The firm won a couple of major scalps - including the UK's Co-operative chain as a test bed - but filed for bankruptcy protection in December. Holding company Solidus Networks has been flogging the company's assets over the past couple of months and yesterday announced that it was shutting down all biometric processing for its remaining customer merchant base at midnight. "It was determined that the enterprise could no longer support the biometric authentication and payment system as it currently exists, based on lack of funding and current market conditions."

Paul Penrose - Finextra - London, 20 March, 2008, 10:35

The Wall Street Journal has an interesting take on the demise of Pay By Touch: Another hot new technology turns cold

Andrew Muir - SWIFT - 28 March, 2008, 11:54

I too have heard, read and seen much about the coming biometric identity revolution. I worry only about one thing; today, it is possible for someone to pretend they are me, by stealing my password or copying an image of my credit card. Under a biometric identity scheme, it would be possible for someone to PROVE that they are me. Is this not worse?