Biometrics are a security supplement, but no more than that
Biometrics are one of the newest ways to authorize transactions and is being positioned by some as being one of the most secure payment authorization solutions available today.
This is due to the fact a “biometric” cannot be guessed, forgotten, or lost like a password and identifies an individual with a greater degree of accuracy. However, as with any advancement in anti-fraud protections, there will always be people looking to defraud the system. Although individuals have unique voices, fingerprints, faces, irises, veins, even DNA – these characteristics that help to prove authenticity are certainly not fool-proof.
A high-profile “hack” is the instance of an iPhone 5s touch ID being spoofed by ‘Chaos Computer Club’ within days of its release. The hack was made after a high-resolution photo was taken of a fingerprint on a glass surface and used to successfully unlock the device.
This also serves as a good example of the risk posed by the “paper trail” of information that we leave behind in shared spaces or on public transport, where biometrics can be obtained and used by anyone with the will and the means to act malevolently.
As biometric usage increases, fraudsters will switch their attention from more traditional methods of fraud to new methods of hacking and beating new systems. As a technology gets more advanced, so does the knowledge of the fraudsters and the lengths they will go to if the rewards are lucrative enough. Here are a few examples of biometric hacks:
Coercion. Through either charm or brute force, fraudsters may look to pressure subjects into making transactions involuntarily.
Impersonation (using fake samples). As the iPhone example above represents, using a copy of a biometric to spoof the system. This appears to be the primary way fraudsters would circumnavigate a system due to its relative simplicity compared with other options.
Impersonation (using body parts). A severe measure, but one which underlines the illegal nature of fraud operations and could be resorted to, particularly if payment channels become harder to breach through more subtle methods. However, some tests have shown this method may not work, or only work on less advanced systems due to natural degradation likely resulting in a no match scenario.
Obfuscation, through surgical procedure. Another severe measure and with a high degree of risk for the fraudster but may be a last resort or where rewards are most lucrative. Although this sounds like something straight out of Mission Impossible, fingerprint surgery has already been used to evade authorities and facial plastic surgery has also been tested to deceive with some success.
Adoption of new technology largely comes down to consumer trust (i.e. how well these fraud methods can be combated). Despite Amazon Alexa having now been on the market since 2014 through a range of enabled devices like the Echo, voice ordering has nowhere near reached a critical mass. The Information reports only 2% of people owning a device are using the order functionality, with 90% of these people not returning to use it again.
While Alexa is not a true reflection of biometric authorisation, payment friction is inarguably reduced, which should encourage adoption. However, the statistics prove otherwise, indicating this resistance to change can only be overcome by building trust through a more robust solution.
Using multiple biometric characteristics may offer a more robust solution, but in doing so it risks taking away the primary business driver of using biometrics in the first place - improved customer experience.
Historically, there has been an inverse relationship between the robustness of a fraud solution and consumer convenience; with stricter rules resulting in more dissatisfied customers through increased false positive fraud declines. Multiple biometric methods could therefore prolong the transaction process creating a downtick in convenience. Although fraudsters could still potentially find a way to navigate this by spoofing the primary method of authentication.
Another issue with a multiple biometric solution is in understanding its relevance to the customer base. If customers do not typically own smartphones (for fingerprint and face recognition, for example), then a good business case may not be attractive due to widespread inability to use the functionality.
A more practical scenario is to use a biometric (something I am) with a more traditional authentication approach (something I have or something I know), such as a smartcard or password.
If "something I am" is breached, this is almost impossible for an individual to change, exposing them to continued fraud victimisation. Therefore, a dual approach with one changeable authorization characteristic could help to ensure safe future use. Although once again, added security potentially comes at the cost of convenience.
As a result, biometrics should be viewed as a supplementary solution to existing authorization methods, not a direct replacement. While it may not reduce payment friction, it does add another layer of consumer protection without producing a substantially adverse effect on convenience. Biometric information can also improve fraud decision making, as it could provide a richer data set for training machine learning algorithms, allowing for new and increased ways of identifying fraud.