The importance of cybersecurity, particularly to banking, is under a spotlight at the moment, as online and mobile banking users and financial consumers find themselves dealing with hacks, Trojans, and malware bots, all gaining ground in the last two months.
Whenever cybersecurity is discussed, biometric authentication comes up alongside it as a better, more effective, more secure method. But is it? Do biometrics actually provide a safer way to complete purchase transactions online?
“Biometrics are a device-specific authentication method,” said Madeline Aufseeser, CEO of online fraud prevention company Tender Armor, of the ways biometric authentication is presently used to secure a digital purchase transaction (as opposed to logging into a bank’s web site, to view an account or transfer money). “Typically the same biometric method does not work across multiple purchasing channels today. The fingerprint used to make a purchase with a smartphone cannot necessarily be used to authenticate a phone order purchase or purchase made with a computer. When you confirm [a purchase transaction] with your fingerprint on a smartphone, all that’s saying is that’s the same fingerprint that’s allowed to use this phone, or the specific application on the phone. Because the fingerprint is only resident and stored on the phone, the phone is authenticating itself, not the cardholder conducting the transaction.”
This sounds a little odd compared to what we might have heard about the capabilities of biometrics previously, mainly because it goes against a core assumption: that a biometric identifier (like a fingerprint) goes with transactional data, from the phone or device, to the payment processor, to the merchant.
This doesn’t happen. Rather, using a fingerprint to authenticate a purchase on your phone just lets that phone know it is allowed to send the data to make that purchase; when that data moves, the biometric identifier does not. Furthermore, the identifier is saved in that specific phone.
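A simplified model of that flow, added here as an illustration and not taken from Tender Armor, HYPR, or any payment network's code: the local fingerprint match only unlocks a device-held key, so the processor receives the same message no matter which enrolled finger approved it. The `Phone` and `Processor` classes, the HMAC device key, and the hash comparison standing in for real fingerprint matching are all assumptions made for the sketch.

```python
import hashlib
import hmac
import json


class Phone:
    """Hypothetical handset: templates and the payment key never leave it."""

    def __init__(self, device_id, device_key):
        self.device_id = device_id
        self._key = device_key      # assumed pre-provisioned device credential
        self._templates = set()     # enrolled fingerprints, stored locally only

    def enroll(self, fingerprint):
        # Hash equality is a stand-in for a real (fuzzy) fingerprint matcher.
        self._templates.add(hashlib.sha256(fingerprint).digest())

    def authorize(self, fingerprint, purchase):
        """A local match gates release of a message signed with the device key."""
        if hashlib.sha256(fingerprint).digest() not in self._templates:
            return None
        body = json.dumps({"device": self.device_id, **purchase}, sort_keys=True)
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}   # no biometric field is sent


class Processor:
    """Hypothetical processor: knows device keys, holds no biometric data."""

    def __init__(self, device_keys):
        self._keys = device_keys

    def verify(self, msg):
        device = json.loads(msg["body"])["device"]
        expected = hmac.new(self._keys[device], msg["body"].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["tag"])


def demo():
    key = b"constructed-demo-key"               # constructed sample values
    phone = Phone("phone-1", key)
    phone.enroll(b"cardholder-finger")
    phone.enroll(b"second-person-finger")       # anyone enrolled on the handset
    processor = Processor({"phone-1": key})
    purchase = {"amount": "19.99", "merchant": "example-shop"}
    first = phone.authorize(b"cardholder-finger", purchase)
    second = phone.authorize(b"second-person-finger", purchase)
    rejected = phone.authorize(b"unenrolled-finger", purchase)
    return first, second, rejected, processor.verify(first), processor.verify(second)
```

Both approvals verify and are byte-for-byte identical, so in this model the processor can confirm which phone sent the purchase but not which person approved it.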
This is an issue, especially when one looks into another core assumption: the belief that a fingerprint, iris pattern, voice print, facial match, or other forms of biometric identification are inherently more secure because they match an individual person, unlike what some in biometrics have termed ‘static’ methods, like PINs or passwords. However, biometrics may not be as ‘active’ as some have purported.
“Nor is all biometric data dynamic, which means it can be compromised and copied. Does your fingerprint change?” Aufseeser says. “There is a perception—unproven—that biometrics can be an easy method to authenticate a transaction. Will it reduce some of the fraud? Absolutely. Is it bulletproof? No, as we saw with the Android Trojan.”
Continued Aufseeser:
“The biggest problem with biometrics authentication being used for purchases is that cardholder biometric data is not being collected and stored by banks. That means that the banks have no means to validate the biometric data being used to authenticate the purchase.”
These assumptions are, according to Aufseeser, “creating a false sense of security around biometric data utility with consumers and within the industry.”
As any fintech watcher, or merely any member of the modern world, might be aware, we have yet to find a security method that’s undefeatable, and even those in the field admit biometrics is no exception.
“It’s important not to put faith in one biometric, one modality, or even one biometric algorithm,” says George Avetisov, CEO of biometric startup HYPR Corp, which raised new funding last month to help with its goal of protecting biometric identification data from bad actors.
Though biometric solutions may not be fully interoperable yet, the full potential of the technology has yet to be seen, and Avetisov believes their success as a security method is linked to the success of other fledgling devices.
“Biometrics aren’t new,” he said. “What’s new is that we have customer devices with biometric sensors. Our vision is a truly biometric IoT.”
Making that vision a reality will probably mean integrating biometrics into the data stream of every single consumer transaction, across global payment networks, merchants, and banks. Good thing fintech startups love a challenge.