With incidents of security breaches and fraud increasing, the payment industry is paying close attention to secure identification and personal verification methods – could 2014 be the year that biometric payment technology takes off?
Only a decade ago, ideas such as fingerprint scanning, iris scanning and so on would have come straight out of science fiction, but now they are very much a reality. The appeal of biometric payment comes from several factors – it can speed up transaction times and flows, prevent identity fraud and theft and lower the costs for financial institutions in relation to security measures put in place – writes Victoria Conroy.
The proliferation of biometric payment technology is not without challenges, particularly in developed markets like North America and Europe, where there are several legal, logistical, regulatory and consumer privacy concerns to take into consideration. But in the emerging markets of Africa, Asia-Pacific and Latin America, where there are fewer obstacles in place, several governments have embarked on widespread national ID databases incorporating biometric authentication, which is now being incorporated into the retail banking sector.
Examples include India’s Aadhaar, a national biometric identity system under which banks in the country can issue prepaid cards to anyone with an Aadhaar number. Another example of the convergence of e-ID with biometric payment is in Nigeria where the government last year launched a national ID programme that combines a biometric identification solution with prepaid payment functionality powered by MasterCard. It is the largest formal electronic payment solution in Nigeria and the broadest financial inclusion initiative of its kind on the African continent. Over 12 million cards have been issued under this scheme.
Biometric devices on the increase
The proliferation of smartphones, tablets, enhanced internet and 3G/4G telco coverage and other biometric-capable devices worldwide is providing biometric solution specialists with more opportunities than ever before to promote the technology.
Several industry predictions state that the next-generation biometric market, including face, fingerprint, iris/retina, voice, vein, signature, palm-print, and DNA recognition, will be worth anywhere between $5 billion and $23 billion by 2020.
A slew of recent announcements shows how biometric solutions are beginning to gain momentum. In April this year, global payment processor and solution provider TSYS announced that its client Vietnam Export Import Commercial Joint Stock Bank (Vietnam Eximbank) was deploying fingerprint authentication technology for over-the-counter or ATM transactions.
Vietnam Eximbank is one of the first banks in Vietnam to apply this technology that enables customers to make a transaction without having the physical card, ID, phone or card number present for identification, and uses only fingerprint verification when performing transactions at the counter or at the ATM.
Also in April this year, ATM manufacturer Fujitsu launched a new range of ATMs on the European market incorporating its PalmSecure biometric technology and support for mobile NFC. PalmSecure authenticates the user by reading the unique pattern of veins in the palm of the hand. According to Fujitsu, this technology maximises security levels when incorporating mobile applications, such as access to the ATM using contactless technology, or interacting with mobile devices via NFC.
However, industry sources claim that it is not as simple as a user simply scanning their palm to make a withdrawal, as the palm scan needs to be matched against a customer database, which will bring up a number of false matches and error rates. Users will also need another form factor such as a card or phone. The proliferation of cardless ATMs requires customers to enter their date of birth and a PIN.
Some vendors are even mixing biometrics with bitcoin, as illustrated by the launch of an ATM in Australia which uses a combination of biometrics to register and verify user identities. The ATM, deployed by Australia Bitcoin ATMs and manufactured by Robocoin, allows people to buy and sell bitcoins or exchange them for cash. Registration requires government-issued IDs, from which facial images are compared using a camera and a live image. Users also register palm prints, which are used to verify identity in future transactions. Another biometric specialist, Bionym, announced earlier this year that its “Nymi” wearable electrocardiogram authentication device will launch with a bitcoin wallet as one of its initial applications.
In May this year, SmartMetric, a developer of in-card biometric identity solutions, announced the launch of an in-card fingerprint reader that scans a credit, debit or ATM cardholder’s fingerprint and then switches on the payment card’s EMV chip prior to entering PIN numbers at a retail check-out or ATM.
According to the company, the introduction of a biometric fingerprint scanner inside an EMV chip card and using the person’s unique fingerprint to activate the payment card affords an unparalleled level of security. Even if a person’s PIN number has been hacked, the card will not function without the user’s fingerprint being matched with their fingerprint stored inside the card. And in order to protect the card user’s privacy, their fingerprint is stored inside the card and not on a remote server.
ATM manufacturer NEC has taken a pioneering lead in the use of facial recognition biometrics with its “NeoFace” proposition, which incorporates NEC’s core facial recognition capabilities, such as image processing, face detection, quality assessment, template encoding and matching. According to NEC, its face-matching algorithms ensure accuracy and selectivity, regardless of database size and image quality. Additionally, the use of facial recognition biometrics removes the need for one-time password (OTP) devices that are often required for strong authentication. This particular technology would seem to be a logical fit with the number of mobile devices now incorporating front-facing cameras and powerful processors, along with organisations’ open standards approach.
In New Zealand, Westpac Bank is trialling a fingerprint scanning project which will allow the bank’s customers to log into their mobile banking app. The bank is using the Samsung Galaxy S5 handset which incorporates a fingerprint sensor for the trial. If the system meets security standards, by the end of 2014 customers will be able to swipe their finger on their S5 to access their account. Westpac plans to bring the feature to other handsets, including the iPhone 5S, although Apple has yet to open the handset’s fingerprint scanner to third parties.
Online payment giant PayPal is also using the Galaxy S5’s biometric functionality, letting customers log in and shop at merchants on mobile and in stores with their fingerprint. PayPal has long touted the benefits of biometric payment.
In late 2013, it teamed up with the US National Cyber Security Alliance for a survey in which it stated that the majority of US consumers are comfortable with the idea of using their biometric information instead of passwords and PIN numbers. Around 5% of those surveyed are “comfortable” with using fingerprints, 45% would opt for a retinal scan, and 41% are comfortable with photo identification. Given that people tend to keep their phones with them at all times, it’s no wonder that PayPal is keen to develop biometric mobile payment offerings.
However, the security of fingerprint sensors and scanners has been called into question after researchers from security firm SR Labs claimed to have hacked the Galaxy S5’s fingerprint reader, gaining access to the handset and using it to make PayPal transactions. SR Labs used a camera phone image of a latent print taken from a handset screen to create a mould from wood glue which could fool the S5’s scanner.
Once inside the phone, the researchers also managed to use the same technique to access the PayPal app – which uses the fingerprint scanner instead of passwords to authenticate users – and wire money from an account. However, PayPal has rebuffed the claims, saying: “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.”
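The key-unlock model in PayPal's statement, sketched as an added example; it is not PayPal's or Samsung's code. The `Handset` and `Server` classes are hypothetical, a shared HMAC key is a simplification chosen so the example runs on the standard library, and exact byte comparison stands in for real biometric matching.

```python
import hashlib
import hmac
import secrets

class Handset:
    """Constructed stand-in: the key is released only after a local match."""
    def __init__(self, device_id, enrolled_print):
        self.device_id = device_id
        self._print = enrolled_print        # stays on the device
        self.key = secrets.token_bytes(32)  # registered with the server at enrolment

    def respond(self, scan, challenge):
        # Exact comparison is a simplification; real matchers score similarity.
        if not hmac.compare_digest(scan, self._print):
            return None                     # no match, key stays locked
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Server:
    """Holds one revocable key per device and never receives a fingerprint."""
    def __init__(self):
        self._keys = {}

    def register(self, handset):
        self._keys[handset.device_id] = handset.key

    def deactivate(self, device_id):
        self._keys.pop(device_id, None)

    def login(self, handset, scan):
        key = self._keys.get(handset.device_id)
        challenge = secrets.token_bytes(16)  # fresh per attempt, prevents replay
        response = handset.respond(scan, challenge)
        if key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    finger = b"constructed-print-bytes"     # the same finger throughout
    server, old = Server(), Handset("phone-1", finger)
    server.register(old)
    results = [server.login(old, finger), server.login(old, b"a-different-finger")]
    server.deactivate("phone-1")            # handset reported lost or stolen
    results.append(server.login(old, finger))
    new = Handset("phone-2", finger)        # same finger, freshly generated key
    server.register(new)
    results.append(server.login(new, finger))
    return results
```

The server only ever checks the response, so it cannot tell a genuine finger from anything else that passed the handset's local match; deactivating the device key is the control it has, and the finger itself never has to change.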
Security and standards
Thomas Bostrøm Jørgensen, CEO of Encap, told PCM: “There’s something almost viscerally exciting about biometrics – it feels like the delivery of a science fiction promise. However, fingerprint sensors and other biometric authentication methods such as finger vein scans and face recognition, are not on their own the best way to guarantee identity and fight fraud. Their strength is also their biggest flaw – unique biometric data cannot be reset and changed like a password or PIN.
“If biometrics data is compromised – something that’s very possible, as we’ve seen from the Chaos Computer Club hack of the iPhone fingerprint scanner – then this could cause real difficulty for anyone putting trust in biometrics.
“The fight against fraud is best achieved through the adoption of multi-factor authentication, where biometrics is a part of the way a user is identified, rather than the main way. A single factor, whether it’s a PIN (something you know), a smartphone (something you have) or a fingerprint (who you are), is not enough on its own. The combination of these factors, alongside others such as location and behavioural data, is the best way to prevent fraud.”