Biometric security has become a hot topic in the payments industry with many experts lauding its convenience and effectiveness. But there's no consensus on whether to store biometric data locally or in the cloud.
Storing this information in the cloud could make it accessible to fraudsters, some experts say, but others insist cloud storage is perfectly secure since biometric information is recorded as a hash function which cannot be easily inverted to recreate the original image. If any fraudsters gained access, they would just get garbled data rather than a picture of a fingerprint or a recording of a user's voice.
To fraudsters, "in isolation voice biometric data is useless information," said Edward Maine, marketing and communications manager at ValidSoft.
"There's a slight misunderstanding of what a voice biometric is," Maine said. "Many people think it's an MP4 of their voice. In reality biometric data is essentially a complex series of numbers, encrypted and interpreted in different deployments and by different companies, thereby greatly reducing the risk of storing such data in the cloud."
For instance, if a major bank were to implement voice biometrics at its call centers, the biometric template even for the same customer would differ from the biometric template used to secure a mobile app.
"An individual can have a whole series of voice signatures depending on the scenario," Maine said. "The biometric is a representation of an individual rather than a static piece of vulnerable data."
To illustrate this key point, ValidSoft CEO Paul Burmester shows potential clients a slide with his unique voice biometric signature. He feels more confident sharing this data compared to more traditional sensitive data such as a private address or personal telephone number.
Nevertheless, to quell fears of a biometric data breach and potentially boost consumer adoption, some providers prefer to store biometric capabilities on each user's mobile device or PC. This is the approach PayPal supports.
Samsung, which put a fingerprint reader in its flagship Galaxy S5 phone, is also an advocate for storing biometrics on the device. And the FIDO Alliance backs device storage for biometrics.
"Biometrics should not be stored in the cloud, especially for consumer-based activities," said Bill Smith, senior policy advisor at PayPal and a board member at the FIDO Alliance. "Doing so puts biometrics up in a space where they're available to anyone, hackers, third parties, law enforcement."
Smith and the groups he's a part of think storing biometric data locally is important from a privacy perspective too. With cloud-based storage, consumer data could be shared between third parties without providing their consent, he said.
But ValidSoft's Burmester says storing the biometric on the consumer's device is "passing the buck." Data stored on a device is easier to spoof with malware and so the consumer is more at risk, he said.
This type of attack isn't scalable though, so fraudsters may choose to ignore individual devices and work on infiltrating large storage centers.
Payment companies would also be at a disadvantage if they use local storage, since the potential uses for the data would be under the control of the device manufacturer.
While Apple's deployment of TouchID fingerprint scanners on iPhones adds another layer of authentication for Apple Pay transactions, "banks want an additional biometric that they can control, stored in the cloud," said Jon Alford, product director at ValidSoft.
Banks could deploy voice biometric technologies that don't rely on a specific set of words, like a password, for customers to speak. Instead banks could authenticate customers as they're having a conversation with the call center representative, or use dynamic words or phrases to boost security, said Alford.
And these enhanced forms of authentication might only be implemented for higher-risk transactions, such as wiring a large amount of money, than just a recurring bill payment.
Storing biometrics in the cloud also allows this data to be used across multiple channels, including a customer's desktop, smartphone and tablet, Alford said. And when a consumer upgrades to a new phone, there is no need to re-enroll.
Cloud-stored biometrics can also be used to blacklist fraudsters.
Biometric authentication is a step in the right direction for eliminating usernames and passwords, PayPal's Smith said. Some of the payments industry's biggest players, including MasterCard, Visa and the FIDO Alliance, came out in favor of eradicating consumer-chosen usernames and passwords as they can be the weakest link for fraudsters to attack.
Government agencies have been storing biometrics in the cloud for years quite effectively, said Maxine Most, principal at Acuity Market Intelligence, a biometric and electronic identity market analysis provider. Visa application systems store fingerprint data in the cloud so it can search through biometrics when someone is applying for a work visa or asylum.
But some worry about the ramifications of a biometric data breach.
"If your biometrics are compromised you can't change them or revoke them," said Adrian Sanabria, senior security analyst at 451 Research. "They become useless as an authentication method for the rest of your life."
Pointing to the high-profile data breaches over the past year, Sanabria said, "Assuming they'll be encrypted is naïve at best."
Smith agrees that fraudsters will want to access this data. "It's important to eliminate attacks at scale," he said.
However if a biometric database were hacked, fraudsters would get the encrypted version of biometric templates and would first have to know the algorithm to decrypt them and then have access to the device the consumer has previously registered to use the biometric on, Most said.
Attention has recently turned to the security of fingerprint biometrics. Recently a German hacker demonstrated that he could recreate the German defense minister's thumbprint using only commercial software and a high-resolution image.
But fingerprint biometrics are sometimes used to provide the perception of security. In Apple Pay, for example, TouchID is just one layer of security used to protect payment data; the phone also uses EMV and tokenization for each transaction, but these methods are invisible to the consumer.
Creating biometric templates that last for a year or that are renewed every 90 days could be an effective way to mitigate the risk of fraud, Most said.