Biometrics are a catalyst to streamline authentication, though the technology contains a vulnerability that Payfone thinks it can solve with the SIM cards that match consumers to a computing device such as a smartphone.
Payfone is bullish on biometrics but thinks it should be paired with something that knows it's you, and thats the SIM, said Rodger Desai, CEO of Payfone, which provides authentication for mobile networks.
Payfone, which works with telcos and several of the top tier banks in the U.S. through its partnership with Early Warning, can tell mobile payment providers who purchased the device, from where and when, and who the SIM is registered to.
This is especially important since unlike other authenticators such as PIN numbers, biometrics cannot be revoked. Desai hopes to find demand from mobile payment providers that are worried about fingerprint fraud.
For instance, if a fraudster creates a new iTunes account with someone elses personal information but their thumb print, there is no way for Apple to know that the thumb print isnt that of the person whose personal information was input, Desai said. Apple just thinks the first thumb print is the correct one, he said. Fraudsters can use the same process with retinal scans and facial recognition as well.
Apple was criticized several months ago for the significantly high fraud rates among Apple Pay purchases as fraudsters took advantage of biometric security vulnerabilities.
The average fraud rate for Apple Pay was 600 basis points, which is 60 times the fraud rate you see with traditional cards, Julie Conroy, retail banking research director at Aite Group, said after speaking with several banks. And all of that was registration fraud, she said.
Apple, working with its issuer partners, has enhanced the registration process since the bad press. Initially there were only two paths an issuer could take: the green path, which meant the issuer immediately accepted the registration, and the yellow path where consumers were asked to call into the banks call center to further authenticate. Now there is a green, yellow and orange path, the latter which puts certain customers into a higher risk category so banks can do further verification.
Payfone may face headwinds because its solution requires added navigation, Conroy said. The biometric/SIM card link would add an additional step in the registration flow, especially if multiple people are being allowed to transact on the device, she said.
Apple might have heartburn over the kind of binding [Payfone] is proposing because right now its an adoption game, Conroy said. Apple wants to get as many consumers using Touch ID as they can so theyre really trying to make it about convenience than about a true end-to-end security solution. Apples preference is to err on the side of making it as easy as possible for the consumers.
Biometric authentication has existed for years, but financial institutions are increasing their focus on biometrics for mobile banking authentication and transaction confirmation, according to a survey by Mobey Forum. Banks are willing to collaborate but are also wary about the lack of standards among technology providers, as well as the competitive risk that telcos could use mobile biometrics to come in between the consumer and the bank.
Desai said while the concerns are legitimate, the phone companies want to do whatever they can to secure their biggest customers, and the majority of telcos enterprise profits come from banks.
"Especially as many [mobile network operators] are finding their commerce plans unraveling ... operators should play a role in mobile commerce security, given it's a natural extension of something they do aleady," said Jordan McKee, a senior analyst at 451 Research, in an email. Operators "must focus on building on their core competencies and existing assets, as opposed to inserting themselves into unnatural positions of the value chain (e.g. Softcard)."
And as far as standardization, the FIDO Alliance with the support of a number of banks is working on creating a standard for device-resident biometrics.
But there are other challenges when it comes to collaboration, said Conroy. With a central registry of biometrics, the banks could work together to spot fraudsters across multiple platforms and devices. But big data stores of personal consumer information are attractive for fraudsters and if a biometric is hacked, it cannot be revoked.