In the very near future, PINs and passwords may look as clunky and old-fashioned as old bunches of large iron keys – obsolete technology that wasn’t particularly secure even when it was relied on.
Instead you will breeze through life like an extra from Minority Report, blinking at a reader or merely stroking a terminal to process the payment for your grocery shopping, or your travel tickets or a new house.
Think it all sounds a little far-fetched? Or at least part of some distant future? The future is far closer than you think.
Biometrics security uses technology such as finger-print technology, facial scanners and even voice recognition to authenticate users and allow them access to a facility or service such as banking. It helps eliminate identity theft by using an individual’s physical characteristics to serve as an identifier, much more secure than a PIN or password that can be copied or stolen.
Earlier this month, MasterCard revealed it is in discussion with UK banks to introduce a biometric payment card that includes an inbuilt fingerprint sensor. In order to make a payment, the cardholder has to place their finger on the sensor, which then authorises the transaction.
Part of the drive for that is new EU regulations to tackle bank fraud, which come into force in just over a year and mean people must use two methods of authentication in order to make a payment.
However, fraud is a massively costly problem for both banks and consumers. Research carried out by comparethemarket.com last year showed that one in 10 people in the UK had to cancel a credit or debit card in the last year because of fraud and that more than £1bn had been stolen from bank accounts in 12 months alone.
And the Annual Fraud Indicator estimates that fraud cost the UK more than £190bn in 2017, an average value of £10,000 per UK family. The bulk of fraud is carried out against the private sector, but we all pay for it in the long run.
Consumers are wary of fraud but also weary of lengthy identification processes; they want their transactions to be as frictionless as possible. So could such technological developments finally outwit fraudsters and leave them unable to steal identities or is it just the latest development in an eternal arms race?
Stan Swearingen is chief executive officer at IDEX, the biometric technology provider for MasterCard. He’s optimistic that fingerprint-activated cards will be across the UK within the next year or two, and that there could even be a similar solution for secure online shopping in the near future as well.
“I believe it’s the future. When you look at the convenience and security, and what it does to the experience I believe it is the future. There are pilots all over the globe and next year we expect millions of units to be deployed.
“It really physically ties the card to you, it’s not that someone can look over your shoulder and steal your password.”
Susana Lopes, product manager for facial biometrics at identity verification company Onfido, agrees that this tech is going to be widespread in a very short period of time. “By 2020, we believe that most transactions that carry a risk will require an identity check involving some form of biometric authentication.
“Consumers are already seeing biometric technology in action, albeit in early form: Ant Financial, the financial services arm of e-commerce giant Alibaba, recently introduced a “Smile to Pay” service in China, where customers at select retailers can pay with just their faces. Apple’s FaceID is another early example.”
Biometrics may reduce the risk of commonplace fraud, for example copying PINs and cloning cards, but even the creators of new systems admit they could be cracked by particularly tenacious fraudsters.
Swearingen says identify theft with fingerprints is James Bond-levels of complex: “If someone was going to spoof this they would first have to get a latent high-quality fingerprint of yours, they would then have to lift that print, apply it to a substance, maybe gelatine, and then apply it to their finger to work in front of the shopkeeper.
“It could perhaps be done but it wouldn’t be scalable, you couldn’t do it to multiple accounts. Even if they could then the back-end analytics would flag it up as unusual shopper behaviour. When you combine it all together this is a compelling security offer.”
Whether this will mean an end to fraud is a question that makes him pause. “As smart as we are, the people who break these things are equally smart. There are a lot of smart people on both sides, I think it will always be an arms race.
“But where we’re getting to is a point where it’s not scalable.”
And that, along with other new technology, could play a significant role in protecting consumers from more everyday risks of fraud. Lopes explains: “Fraudsters like to commit fraud at scale; but by introducing measures like liveness tests, this becomes that more difficult.
“A liveness test requires a user to read out 3 randomly generated numbers to confirm that they’re alive and presenting the information, preventing ‘spoofing’ attempts such as using a picture of a face from the internet to trick the technology.”
Biometrics are not a silver bullet and some commentators suggest they bring their own new risks. Omri Kletter, head of fraud solutions at financial crime combating agency NICE Actimize, says: “Biometrics have many benefits; however, they are not perfect – it makes the card itself more expensive (which may have impact overall on operational costs), requires an enrolment process [and] exposes huge privacy risks in case of data breaches and cyber-attacks.”
His organisation is focused on improving machine-learning algorithms and customer profiling as an additional measure to detect fraud. After all, plenty of fraud takes place because the victim themselves is fooled into handing over large sums of money or authorising incorrect payments. “While authentication methods are becoming more advanced (and expansive, and biometrics is a good example) – card users may be even more exposed to social engineering, scams and manipulations that advanced authentication can’t stop.
“That’s why, while we should embrace these new forms of authentication, we should also develop a richer approach based also on analytics.”
David Emm, principal security researcher at Kaspersky Lab, has a more practical concern: “There’s one major downside to the use of biometrics. Biometric data stored by a service provider is just as valuable a target as a database containing usernames and passwords.
“In my view, they should rather be used to confirm our identity, with a password (or other mechanism – or ideally more than one) used to confirm that identity. If I choose a poor password and it is compromised, I can change it: if my fingerprint is compromised, there’s nothing I can do about it.”
It’s very clear that some of the brightest minds in the world are focused on improving and enhancing protections against fraud. Frustratingly, some of the other brightest minds are intently focused on breaking those protections. Biometrics are an important step and will soon be commonplace, but they do not yet mean an end to fraud