Biometric authentication has rightly been hailed as a safer and more secure way to verify the person initiating a payment. As we’ve moved from signature cards to PINs, so the next step is from the PIN to a fingerprint scan, pulse monitor or iris sensor. Because of biometric authentication available on the latest smartphones, limits on some contactless payments made using a phone are being scrapped.
But is biometric data as secure as we imagine it to be?
While a password, PIN or other code can be compromised, the industry has thus far been working on the basis that a criminal cannot duplicate a fingerprint. However, a major data breach at the US Office of Personnel Management (OPM) has cast this into doubt. Hackers breached its systems and stole the fingerprint records of 5.6 million individuals. They also stole the Social Security numbers of 21.5 million people, a group that included those whose fingerprint data was compromised.
While it’s unclear what sort of fraud could be committed, the financial services industry is taking note of the theft. In a statement, the OPM said: “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves.”
The US government is taking this seriously and has commissioned an interagency working group, including the FBI and members of the intelligence community, to review the potential ways fingerprint data could be misused. While the government may have national security concerns to worry about, for the financial services industry there are some important considerations.
Two clear avenues of potential fraud are opened up with biometric theft of this sort.
First is straight payment fraud – coupled with stolen card or bank details, biometric data could be used to make fraudulent transactions, or even withdraw large sums from customer accounts. In theory, having someone’s fingerprint details effectively nullifies authentication security. It’s like the fraudster stealing 5.6 million PINs – if they can make use of the data, that is.
Second, and arguably more worrying, is the prospect of mass first-party fraud. Coupled with Social Security numbers, criminals could set up fake identities supported by seemingly bona fide biometric data. This could create huge problems for the industry, and the full scale of it may never be understood.
As ever, when we’re talking about payments and banking, there is never a 100 per cent secure system. Fraudsters always find a weak link in the armour – we just didn’t think biometric data could be it. Perhaps what this really shows is not a flaw in biometrics as such, but the problem with a static piece of ID like a fingerprint, or even a retina scan. A fingerprint doesn’t change – and indeed can’t be changed if it is compromised. In the case of biometric technology, we may need to look to something dynamic, like a heartbeat, although it would be arrogant to suggest that this ‘signature’ too could not somehow be stolen and then replicated.
What it does show is that we need to take a layered approach to security, not simply rely on one defence. And it highlights that intelligent fraud detection systems that can react to changing threat patterns are essential. The OPM may be right in saying that, at the moment at least, the ability to use this data is limited – and it is certainly true that it will be much more difficult and complex for a fraudster to use biometric data than information such as a PIN. But given our experience in payment fraud, it can’t be long before it is harnessed by the criminals.
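The layered approach argued for above can be made concrete. The following is an added example, not code from the article or from any payments provider: a toy authorization check in which the fingerprint result is one signal among several, so a biometric that passes (as a replayed, stolen template would) does not on its own authorize a high-value transaction from a device the customer has never used. The signal names, weights, thresholds and sample transactions are all constructed for illustration and are not taken from any real fraud system.

```python
"""Layered transaction authorization: a biometric match is one signal, not the decision.

Added example. All signal names, weights, thresholds and sample transactions
below are constructed for illustration (assumptions, not a real scoring model).
"""
from dataclasses import dataclass


@dataclass
class TxContext:
    biometric_match: bool   # result reported by the device's fingerprint sensor
    known_device: bool      # device previously enrolled by this customer
    amount: float           # transaction value in the account currency
    tx_last_hour: int       # transactions already made on this account in the last hour
    new_payee: bool         # payee never seen before on this account


def risk_score(ctx: TxContext) -> int:
    """Sum independent risk signals.

    A passing biometric removes its own penalty but never cancels the others,
    so a stolen-and-replayed fingerprint still has to clear device, amount,
    velocity and payee checks.
    """
    score = 0
    if not ctx.biometric_match:
        score += 50   # constructed weight: failed biometric is the strongest single signal
    if not ctx.known_device:
        score += 30   # constructed weight: a fingerprint alone does not prove the device
    if ctx.amount > 500:
        score += 20   # constructed threshold: high-value transfer
    if ctx.tx_last_hour >= 3:
        score += 20   # constructed threshold: unusual velocity
    if ctx.new_payee:
        score += 10   # constructed weight: first payment to this payee
    return score


def decide(ctx: TxContext) -> str:
    """Return 'approve', 'step_up' (demand a second, independent factor) or 'decline'."""
    score = risk_score(ctx)
    if score >= 60:
        return "decline"
    if score >= 30:
        return "step_up"
    return "approve"


if __name__ == "__main__":
    # Constructed sample transactions.
    everyday = TxContext(True, True, 20.0, 0, False)
    replayed_print = TxContext(True, False, 900.0, 1, True)   # stolen template, unknown device
    new_large_payee = TxContext(True, True, 900.0, 0, True)
    for name, ctx in [("everyday", everyday),
                      ("replayed_print", replayed_print),
                      ("new_large_payee", new_large_payee)]:
        print(f"{name}: score={risk_score(ctx)} -> {decide(ctx)}")
```

The point of the structure is that the biometric check is additive, not decisive: the replayed-fingerprint case scores 60 and is declined even though the sensor reported a match, while a genuine customer paying a new payee from their usual phone is merely stepped up to a second factor rather than blocked. Real systems weight these signals from observed fraud patterns and adjust them as those patterns change, which is the "intelligent fraud detection" the article calls for.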