Exploring biometrics within payments
eyePOS payment device. Supplied by PayEye.
By Monica Eaton, founder of Chargebacks911
Biometric payment systems have some of the most advanced security features on the market today, but as new shopping channels and payment preferences emerge so does the need for new verification methods (fingerprint scanning, facial recognition, etc.) to ensure these payment systems remain secure and scalable.
These methods can more securely authorize transactions and protect customers’ sensitive information.
Biometric security is a complex mix of technologies, strategies and natural-born traits. When combined, they ensure authentication through biological characteristics that are much harder for fraudsters to steal, duplicate or manipulate. For example, iris, voice or fingerprint recognition tools can be used for anything requiring a confirmation of identity, from authorizing consumer payments to providing access to secured buildings.
In general, biometric verification is more secure and reliable than traditional security techniques. Within a biometric payments system, different technologies work to measure various authentication factors, meaning the effectiveness of using one specific indicator over another varies for different circumstances. With that said, let’s further explore biometrics within payments.
Are there weaknesses within biometric payment systems?
Within biometric payment systems, there are three authentication factors to validate a user’s identity in a transaction. The first is ownership – something the user possesses (card). Next is knowledge, which is something the user knows (PIN number to their card). Finally, there’s inherence, or something the user inherently possesses (fingerprint, facial features).
Firstly, the ownership factor can be compromised if the physical card is stolen. Plus, anyone with the right know-how can use stolen cardholder information to counterfeit the card. It’s even more accessible in online transactions, where no card is present; the fraudster can simply use the cardholder’s information by posing as a legitimate buyer.
Similarly, knowledge is also easy to bypass. Fraudsters are skilled at phishing attacks, skimming, and camera manipulation to trick cardholders into surrendering sensitive information necessary to authorize purchases.
However, inherence is more secure because the method of verification is physiological, making it much harder to copy someone’s physical features like a fingerprint than to replicate a plastic card or a password.
Biometrics: an edge in payments security
There are a few biometric payment methods that are currently available to authenticate eCommerce purchases:
- Device fingerprinting, a tool that uses a scanner to image the user’s fingerprint digitally; the original image is destroyed, while a print mapping is saved.
- Facial recognition works like digital fingerprinting, with the technology mapping dozens of different points on the user’s face to create a unique impression of the individual rather than saving the user’s actual picture.
- Voice recognition compares the user’s voice pattern to a pre-recorded sample. Voice isn’t necessarily as distinct as a face shape or fingerprint, but it does have certain advantages like being cost-efficient and non-intrusive compared to other methods.
- Iris recognition, much like our unique fingerprints, uses the random pattern of the human iris to help identify different individuals. This technology is highly accurate at close range and can work with the cameras installed on most modern smartphones to map your eye, just like a fingerprint.
- Palm recognition. A palm vein scan uses infrared lighting to map the unique vein structures in your palm and converts the data points into encrypted code. Palm mapping is relatively new and hasn’t been widely adopted. However, this is likely to change with the recent development of IOS and Android applications.
Why aren’t biometrics used more widely?
It’s an obvious question but despite all the potential benefits of adopting biometric security, the technology still features several vulnerabilities and weak points. First, it cannot be relied upon for a fingerprint scanner or smartphone camera to be available at every transaction. While consumers can use biometric authorization on most mobile devices, desktops still make up a large portion of eCommerce sales.
Additionally, companies will need to adopt hardware capable of reading and interpreting this data to accept biometric payments. The price of this hardware could be cost-prohibitive, depending on what is needed and how far a company wants to take contactless payments.
Finally, we cannot forget the consumer factor. They are more anxious about their privacy and where personal data goes than ever before. Even if biometric scans do not actually save or store their biometric information, many consumers might still refuse to provide these identifiers.
A broader strategy to fight fraud and chargebacks
Ultimately, it doesn’t matter how advanced biometrics technology is. Businesses will need more than one method to fight fraud and chargebacks. No single tool can be 100 percent effective, but a strategic mix of multiple tools can increase consumer protection and a business’s overall security. Other fraud tools to consider include CVV verification, AVS, 3DS technology, geolocation, and fraud blacklisting, just to name a few. Companies need a coordinated, carefully planned strategy to make the most of the authentication tools at their disposal.
About the author
Monica Eaton is the Founder of Chargebacks911 and Fi911 and Chief Information Officer of Global Risk Technologies. Monica has worked tirelessly to educate merchants and financial institutions about hidden threats in the rapidly changing payment fraud landscape. She has earned numerous awards, distinctions and special recognitions, including the Retail Systems Awards, where she received the ‘Outstanding Individual Achievement Award’ and was named ‘Global Leader of the Year’ at the Women in IT Awards.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.