With biometric authentication now enabled in millions of smartphones and the focus of intense technological development, some payments experts are warning that biometric data can, just like old-fashioned passwords, be stolen, potentially leading to big problems for consumers and payment-service providers.
“Biometrics are sure to proliferate in the next few years,” Julius Weyman, vice president of the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta, wrote in a blog post this month. “I think everyone ought to pause and consider whether or not the security advantages—that have the potential to be turned against us in a moment—are worth it.”
The argument for biometrics is that they are unique to each person, which would seem to make them infallible as identifiers. But current technology converts biometrics into data, which is subject to theft or misapplication. So while a stolen password, card, or bank-account number, or even a Social Security number, can be changed in the event of a data compromise, underlying biometric identifiers can’t.
“A virtual clone masquerading as me makes me shudder,” Weyman says. “Imagine standing up when they ask for the real you to do so—and then the dismay at not being believed.”
Gideon Samid, chief technology officer at digital-currency developer BitMint and security columnist for Digital Transactions magazine, first warned of biometrics’ security flaws several years ago. In an upcoming March magazine column in which he revisits the issue, Samid says the risks have only multiplied in recent years as consumers have supplied their fingerprints, palm layouts, irises, ocular vein structures, and even heartbeat patterns for all manner of identification applications.
“Once this information is out there, in a hackable state, your identity is at much greater risk than if you just lost a card, or a PIN, or digital cash,” Samid says in his upcoming “Security Notes” column.
Weyman says a form letter the federal government wrote last year to job applicants in the wake of two big data breaches at the Office of Personnel Management points out the dangers of biometrics. The breaches affected more than 25 million current or former federal employees and job applicants, including 5.6 million records that had fingerprint IDs, according to The Washington Post.
“Our records also indicate your fingerprints were likely compromised during the cyber intrusion,” Weyman’s post says, quoting from the letter. “Federal experts believe the ability to misuse fingerprint data is currently limited … If new means are identified to misuse fingerprint data, additional information and guidance will be made available.”
Weyman wrote his post as a follow-up to a Retail Payments Risk Forum conference about biometrics in November.
“The conference made clear, to me anyway, that fingerprint data certainly has the potential to be misused—now. Experience leads me to conclude that it is bound to happen, especially if the biometric measurements captured at enrollment are not converted to templates that mask the data.”
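Weyman's point about converting enrollment measurements into templates that mask the data can be shown with a cancelable (revocable) template scheme. The example below is added here and is not code from the article, the Retail Payments Risk Forum, or Weyman: a keyed random projection of the feature vector, reduced to a bit string and compared by Hamming distance, so that the stored bits reveal neither the raw measurement nor anything usable once the enrollment token is revoked. The feature vectors, tokens, dimensions, noise level and match threshold are all constructed for illustration.

```python
import hashlib
import hmac
import random

# Hypothetical parameters (this example's own choices, not from the article):
# 16 raw features, a 128-bit template, and at most 20 differing bits for a match.
FEATURE_DIM, TEMPLATE_BITS, MATCH_THRESHOLD = 16, 128, 20

def projection(user_id, token):
    """Derive a user- and token-specific random projection from a short secret
    token. The token is the only thing that must be revoked; keep it apart from
    the template database (e.g. on the user's device), never beside the template."""
    seed = hmac.new(token, user_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
            for _ in range(TEMPLATE_BITS)]

def make_template(features, user_id, token):
    """Cancelable template: keep only the sign of each keyed projection.
    The bits alone do not reveal the measurement, and a new token yields an
    unrelated template, so a leaked one can be invalidated like a password."""
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
            for row in projection(user_id, token)]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def matches(stored, probe):
    return hamming(stored, probe) <= MATCH_THRESHOLD

def capture(true_features, seed, sigma=0.02):
    """Simulated sensor reading: the true features plus small measurement noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in true_features]

# Constructed sample data: two people's underlying feature vectors and two
# enrollment tokens (placeholders; real tokens must come from a CSPRNG).
ALICE = [0.8, -0.3, 0.5, -0.9, 0.2, 0.7, -0.6, 0.4, -0.1, 0.9, -0.5, 0.3, 0.6, -0.8, 0.1, -0.4]
BOB = [0.5, -0.6, -0.1, -0.7, 0.8, 0.2, -0.9, 0.3, 0.4, -0.7, 0.2, -0.9, -0.1, 0.5, -0.6, 0.8]
TOKEN_V1, TOKEN_V2 = b"constructed-token-v1", b"constructed-token-v2"

def demo():
    """Returns (genuine_accepted, impostor_accepted, stolen_template_still_valid)."""
    enrolled = make_template(capture(ALICE, 1), "alice", TOKEN_V1)
    genuine = matches(enrolled, make_template(capture(ALICE, 2), "alice", TOKEN_V1))
    impostor = matches(enrolled, make_template(capture(BOB, 3), "alice", TOKEN_V1))
    # After a breach: revoke TOKEN_V1 and re-enroll under TOKEN_V2 from a fresh capture.
    reissued = make_template(capture(ALICE, 4), "alice", TOKEN_V2)
    stolen_still_valid = matches(reissued, enrolled)
    return genuine, impostor, stolen_still_valid

if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The scheme only helps if the token and the template are never stored together; an attacker holding both can regenerate the projection, which is why Weyman's stance is that template protection must be designed in at enrollment rather than bolted onto a raw-data database.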
Samid says biometric readers and databases need to be upgraded to provide more security. “I use this column to call upon major cybersecurity organizations, across-the-board privacy advocacies, and proactive government offices to think ahead, humbly, with the expectation that our biological identifiers will be compromised, and put us at grave risk,” he says.