I know I'm a promoter of mobile payments, but really I'm just a promoter of doing it easier and safer. I am not keen on fingerprint scanners, they are not easier or safer.
Fingerprints are not really useful for primary ID. It simply takes too long to get a match on a print. The problem is that comparing pictures of fingerprints with pictures of prints on file means a lot of data and to compare them with the millions or billions
of others takes a lot of computer power. Sure if you have a super-computer and a limited number of users it's fairly easy otherwise you have to compromise and that means compromising on security.
One obvious solution is to reduce the degree of detail recorded, which means that you aren't using the fingerprint, you're just selecting a few characteristics of the print, the less characteristics you use the less accuracy or reliability. This method has
been used by law enforcement for years to find likely prints and then a human has to do the real comparing, with hopefully just a few.
You could simply store all the prints on the local system with the locally known users at the 'front' of your database. I think everyone can spot the problem with that. Storing them anywhere really is a problem, but keeping them in every shop or supermarket
is completely ludicrous. Alternatively, if you keep them in a central database and transmit the print there for comparison you have the opportunity to use a dedicated and powerful computer to do it, but you also create opportunities for baddies to intercept
the data and all the other problems remain. You'll find it a lot easier to change your setup and even replace your mobile than you will to replace that fingerprint.
Like Citi, you could give the customer a PIN and have them type it in at the point of sale, and then scan their print to verify that the person using the PIN had the same fingerprint recorded and stored when the customer was enrolled and issued with the
PIN. Citi tried this in Singapore with I think, an eight digit PIN. I haven't seen the results but I guess the lack of noise about it signals the outcome.
If you have to put in a PIN and then the fingerprint it isn't really all that convenient and besides that I don't really fancy touching the same scanner as every other nose-picking bird-flu infected person who has come before me, and the keypad just to make
sure I catch it. I suspect the majority of consumers will find problems with it too.
If you think I'm paranoid well just consider that I wrote this whilst watching a news report that the Australian government has just set up a local facility to produce bird-flu vaccine. There have been reported 7 outbreaks in 2008 of H5N1 bird flu and 300,000+
reported cases of EV71 Hand,Foot & Mouth in one Asian country this year but at least you can use your Visa card at the Olympics, just take your own pen to sign and don't use the PIN pad.
I guess I'm not the only one who won't want to put their finger to the test, and even the staunchest of you may feel the same way if there is an outbreak. Occasionally it pays to think about the consumer when coming up with these new-fangled ideas.
I just don't think it's very smart for a merchant to roll out a payment system which could be stopped dead by a flu.
Added on 17th June Dean Procter
I have been a little busy with the solution to the problems mentioned by readers.
With respect to the FED Chris, what would they know? Their primary objective is to maintain faith in the financial system. How about some product warning that around 3 of every hundred signing up for banking will be defrauded and lose their identity? That
is - every year, meaning it'll happen to you eventually. The FDA bans drugs on lesser statistics.
The most important thing is to remember that for the consumer - perception is everything.
It's like the lottery, only the odds of fraud affecting you is much greater than the odds of winning a lottery. Consumers still buy lottery tickets by the truckload however at least with the lottery the cnsumer knows in advance what they are likely to lose
- the price of a ticket. Fraud is different.
I suggest that if you started selling lottery tickets where the consumers who lose might have to pay out some random amount determined by luck, and it could be all their money, some of their money or just their credit rating, then you would sell very few
tickets. I don't think it would matter how much the winning prize was.
How about lining up everyone when they sign up for an account and pick out a few and tell them they'll be defrauded or have their identity stolen and suffer great inconvenience? Watch the line shrink.
In the case of banking the upside is you get charged fees and rarely get paid any interest, and at the very best you get reasonably easy access to your funds and hopefully your funds won't be stolen.
The downside is you may lose your funds, have your credit rating destroyed, suffer all sorts of horrible inconvenience etc, etc.
That is perception. Try marketing that.
Banks are acting like TV stations, you know those ones which constantly run adverts telling you how fab their channel is. Consumers don't give a hoot about station identity. They don't give a hoot about the bank they bank with. When was the last time you
opened a converstaion with 'Gee I love XYZA bank' or some new service they offer?
Of course half the gadget salesmen in the world will be flogging some gadget to improve the consumer's perception and the other half will be selling something to undermine it.
I remember when the AntiPhishingWorkingGroup started up, it quickly evolved into the ScaryPhishingNewsGroup. I didn't see any activity which would lead to reduced phishing. That's too hard, it was just esasier for them to quantify the problem and turn it
into an industry. Many vendors jumped on the bandwagon. Despite all the rhetoric, phishing has developed into a global industry along with phishing prevention. I still perceive that there is just as much phishing going on, what about you?
Chris's blog I note a reader from Africa held the perception that the network provider/bank put some sort of software/firewall in place and yet fraud still happens. Is their perception that the provider is incompetent? It eventually will be.
Perhaps a little more understanding of consumers might be an idea.
Consumers appear to to have come to terms with being reamed by their bank and will put up with it so long as they don't perceive they're likely to get reamed by some random.
I have no doubt that the average loss for bank employees is $0, but you may perceive it somewhat differently if you a forced to be one of those 100 standing in the line and stand to lose your hard earned cash and rating along with a couple of other hapless
It's all moot anyway. No other solution I have seen is likely to change the current situation, and it is highly likely to just get worse.
The issue is greater than banking anyway and those who don't look at the integration of identity into everything we do will be missing the mark.
We are right on target, and everything the old fashioned financial industry is doing is just making what we propose look much more attractive to consumers. Empowerment.
As for Chip&PIN, what a load of crock, it won't protect anyone unless every single consumer and merchant in every corner of the earth is equipped and then
More's law tells me it will all fall apart when some smarty works out another way to beat it. What do you do then?
I suspect you'll be calling me and getting slightly more reamed than you might today.
I have previously offered to fix all the UK's card and ID fraud before, for a fixed price (£145 million p.a.) and cover any fraud losses and that includes reducing merchant chargeback losses too. I don't see the smart card industry or anyone gadget salesman
doing the same. It'll be slightly more for the US, but the offer is there. I expect that there will be 8.1 million US customers keen and ready to sign up straight away.
Unfortunately for consumers, the baddies won't concentrate on the members of the House for a while to give them a little taste of what drives consumer perception, because after all, the baddies are perfectly happy to continue with with the current hodge-podge
of hot air 'solutions'. Consumers however may not be.
It isn't funny when fraud or ID theft happens to you and at the current rate every every single person will be impacted directly in their lifetime and they'll have no control over how badly or when. What does that do for your perception?