Australian bank taps facial authentication data to challenge disputed transactions

Commonwealth Bank of Australia (CBA) has reportedly been using facial recognition logins to its banking app to gauge whether customers who dispute transactions are legitimate.
IT News looks at an unfair dismissal case involving a former employee. The employee disputed multiple transactions totaling $500 from an unknown merchant, claiming he didn’t recognize the name of the third-party point-of-sale company used by a pub where he spent the money, which appeared on his statement instead of the name of the pub.
In its investigation into the disputed funds, CBA found that facial recognition embedded within the Commonwealth Bank app was used to make and review the transactions at the pub. The bank says the former employee knew what he was doing and that he lodged the dispute with fraudulent intent – and fired him for “serious misconduct,” hobbling his chances at finding another job in the financial sector.
The ex-employee says it might have been his cousin, who shares access to his phone’s facial recognition capabilities. The case is pending before the Australian Fair Work Commission.
The $500 in question may be paltry, but the implications of the case are much heftier. The privacy policy for CBA’s CommBank app says it doesn’t collect or store users’ biometric data. But given that the bank based a dismissal on evidence from facial recognition, that appears to be a narrow interpretation. CBA was clearly able to track logins and transactions authenticated with face biometrics, and use them as a data point in an investigation.
There remain questions about how explicitly the data logs tie a user to a transaction, and whether the CommBank app’s fine print includes consent to track biometric data.
In comments posted to LinkedIn, Ted Dunstone, CEO of Biometix and BixeLab, underscores what’s wrong with using facial authentication to track individuals.
“Biometric logins are device-based, not identity-bound. Face ID or similar technologies confirm someone with a registered face used the phone – but not necessarily who. Shared access, especially among family members, is common. And yet, biometric login logs are now being used as quasi-proof of transaction authorship.”
In other words, it very well could have been the former employee’s cousin who authorized the transactions.
Much like instances in which police are found to be overstepping bounds with biometric systems, corporate overreach or opacity in communicating the facts stands to erode trust in biometrics overall.
Dunstone says the incident should “concern all of us in the biometrics and digital identity space,” which needs to adhere to rigorous, standards-based testing of biometric systems in real-world conditions and provide clear communication to users about “what biometric login really implies.”
“In a world increasingly relying on biometrics there is a risk that people are falsely accused and this leads to serious consequences,” he writes.
In other CBA news, the bank has reported a new text scam telling users their award points are about to expire, and telling them to click a link. The bank says customers should only access their digital banking from the CommBank app or via the CBA website, never through a link in a text message.