A closer look at biometrics within payments

By Monica Eaton, Founder of Chargebacks911.


Biometric payments systems boast some of the most advanced security features on the market today, but with the new shopping channels and payment preferences that have emerged over the last few years, such as fingerprint scanning or facial recognition, there comes a need for new verification methods to ensure this system of payment is secure and scalable.

Biometric security is a body of varied technologies, strategies, and practices that ensure security through systematic authentication. Biometric security tools like iris or voice recognition can be used for anything requiring a confirmation of identity, from authorising consumer payments to providing access to secured buildings.

Biometric verification is, in general, much more secure and reliable than other security techniques. In a biometric payments system, different technologies work to measure different authentication factors and as a result, the effectiveness of using one specific indicator over another varies for different circumstances.

Understanding the vulnerabilities within biometric payment systems

Within biometric payment systems, there are three authentication factors to validate a user's identity in a transaction:

● Ownership: Something the user possesses (card)

● Knowledge: Something the user knows (PIN number to their card)

● Inherence: Something the user inherently possesses (fingerprint, facial features)

Firstly, ownership is easy to spoof. For example, the security measure is broken if the physical card is stolen. Plus, anyone with the right know-how can use stolen cardholder information to counterfeit the card. It's even more accessible online where no card is present; the fraudster can simply use the cardholder's information by posing as a legitimate buyer.

Second, knowledge is also easy to bypass. Fraudsters are skilled at phishing attacks, skimming, and camera manipulation to trick cardholders into surrendering sensitive information necessary to authorise purchases.

With alternate payments based on biometrics, though, inherent factors are employed. These are more secure because the method of verification is physiological. After all, it's much harder to copy someone's fingerprint than to replicate a plastic card or a password.

The most promising biometrics technologies

There are a handful of biometric payment methods that are currently available to authenticate eCommerce purchases. The first is device fingerprinting, a tool that uses a scanner to image the user's fingerprint digitally; the original image is destroyed, while a print mapping is saved.

Facial recognition and voice recognition are also both used as biometric authenticators. Facial recognition works like digital fingerprinting, with the technology mapping dozens of different points on the user's face to create a unique impression of the individual rather than saving the user's actual picture. Voice recognition compares the user's voice pattern to a pre-recorded sample. Voice isn't necessarily as distinct as a face shape or fingerprint, but it does have certain advantages like being cost-efficient and non-intrusive compared to other methods. Plus, more computers have built-in microphones than fingerprint scanners, which makes this method much more accessible.

Like our unique fingerprints, the random pattern of the human iris can help identify different individuals. This technology is highly accurate at close range and can work with the cameras installed on most modern smartphones to map your eye, just like a fingerprint. Additionally, a palm vein scan uses infrared lighting to map the unique vein structures in your palm and converts the data points into encrypted code. Palm mapping is relatively new and hasn't been widely adopted. However, this is likely to change with the recent development of iOS and Android applications.

Ultimately, traditional payment card security is comparatively weak. Both the card-present and card-not-present environments rely exclusively on knowledge- and ownership-based authentication. If a criminal has physical possession of a stolen card, there is a good chance the person could complete a fraudulent purchase. With biometric technology, however, identity theft is much more difficult to accomplish. The inherence factor makes it exponentially more challenging for criminals to replicate features of a user's identity. This gives biometric payments an edge over many potential fraud tactics.

The case against biometrics

If many agree that biometrics offer considerable authentication and security benefits, why aren't they used more widely? Despite all the potential benefits of adopting biometric security, the technology still features several vulnerabilities and weak points.

First, a fingerprint scanner or smartphone camera cannot be relied upon to be available at every transaction. While consumers can use biometric authorisation on most mobile devices, desktops still make up a large portion of eCommerce sales.

Additionally, companies will have to adopt hardware capable of reading and interpreting this data to accept biometric payments. Depending on what is needed and how far a company wants to take contactless payments, the price of this hardware could be cost-prohibitive.

Lastly, consumers today are more anxious about their privacy and where personal data goes than ever before. Even if biometric scans do not actually “save” their fingerprints or other identifiers, many consumers will still refuse to provide that information.

The importance of a broader strategy

Regardless of how extraordinarily advanced and forward-thinking biometric tech is, and whatever its place in the payment industry’s future, businesses will need more than one method to fight fraud and chargebacks. At the same time, authentication methods must be accurate and efficient without causing friction at checkout.

No single tool can be 100% effective, but a strategic mix of multiple tools can increase consumer protection and a business’s overall security. Other fraud tools to consider include CVV verification, AVS, 3DS technology, geolocation, and fraud blacklisting, just to name a few. In conclusion, companies need a coordinated, carefully planned strategy to make the most of the authentication tools at their disposal.
