In the coming years, biometrics will be the leading security metric to protect payment systems, but a single ultra-hack could derail this progression permanently.
It’s up to financial institutions to recognize the importance of protecting biometric data and the need to build a secure, sustainable infrastructure on their payment systems. This is a vital step for protecting their customers in the future.
From Wells Fargo to Visa, MasterCard to Bank of America, it’s clear that more financial institutions are working with technology providers to shift away from traditional passwords toward biometric authentication for security. In fact, a recent report projects that there will be 770 million biometric authentication apps downloaded annually by 2019. Another report estimates that the worldwide mobile biometrics market will reach $3.5 billion by 2024, growing from $259 million in 2015.
Biometric security has significant advantages over all other forms of identification, authentication and verification—hence why so many financial institutions are adopting biometrics. It’s fast and easy to use, and unlike a login or password, which requires memorization and is easily replicable, an individual’s fingerprints, irises, facial constructs and other biological traits should be impossible to duplicate.
But what happens if a person loses his or her device? There’s a chance it could end up in the wrong hands, and if there are any flaws with the security in the device the attacker could easily access funds and sensitive data – like their biometrics.
How is this possible you might ask? Well, under the current protocols, biometric data is stored on devices, and, as you’re probably aware, threats to data are everywhere. Many consumers believe that, because their mobile phone is physically in their hands, the data inside is safe. However, thieves can install malware into a mobile phone without any direct contact. Data breaches have been similarly achieved through email, apps and the interception of a Wi-Fi connection.
Think about it. Because the future of identity is biometrics, there’s no doubt that the future of identity theft will involve compromising biometrics, and attackers are already working on finding a way around these systems. Despite what we’ve seen on the big screen, hacking biometrics isn’t as drastic as Hollywood portrays. As we’ve seen over the past few years, a data breach can cost an institution billions of dollars and do a great deal of damage to its reputation. Consider the consequences if, or more accurately, when, complex biometric data is compromised. The remediation of the problem will be much more difficult. Unless people are willing to go under dramatic surgery, they cannot change their fingerprints or faces like they can with compromised passwords.
Although uncommon, an additional major security concern for all biometric authentication mobile solutions is the “virtualization threat.” This is when a hacker can take a payment app that uses biometric authentication and clone it, essentially creating a copy they can then change at will. This allows the attacker to repackage the payment app and install it on the intended victim’s phone, gaining full access to their accounts once they have authenticated, without the user even knowing.
Direct security risks aren’t the only issues with biometrics solutions. One of the biggest challenges with using biometrics to protect payment systems is adopting a standards-based protocol for communication and the handling of transactions. This protocol has to ensure that only authorized users have access to perform functions. Without having proper standardization in place to clearly secure and authenticate the user’s identity in a comprehensive manner, information is left open to attack.
Furthermore, it is absolutely critical that companies invest in standards that can include ways to prove the who, when and where of each authentication event – the person authenticating, the device they are authenticating on and the exact time they perform this action – in order to provide the legal foundation for security.
Chuck Goldman is president of Hoyos Labs.