Visa has conducted extensive research into consumer attitudes to biometric payments.The results show that Britons place trust in their banks to provide biometric services.
“This study establishes that there is a strong desire on the part of consumers to have a secure user experience when interacting and transacting online. The desire, may not align with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication aren’t fool proof, and there are challenges that may block widespread adoption in non-face-to-face interactions.
The fact that 85% of respondents see banks as the most trusted institution in the provision of biometric authentication isn’t surprising, given that they are part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering outstanding user experience.
Physical biometrics can be part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints, voice and retinal scans can be spoofed. And, unlike passwords, physical biometrics can’t be changed. It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM Breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data.
Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en-masse. As stolen data is often traded and consolidated into larger, more accurate profiles that can be re-used for a number of nefarious purposes from espionage, to identity theft, and financial fraud. Selfies and voice biometrics have contextual issues, like, it may not always be appropriate to take a selfie or provide a voice sample to authorise an online transaction. Particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, airports, or in a culturally sensitive place). Beyond social and cultural issues, there are concerns how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day-to-day life.
While liveness verification has become a standard in modern physical biometric verification systems, they are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials – effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non face-to-face transactions.
The true strength of behavioural biometrics is in providing trust. While the consumer trusts the fingerprint, or the voice print, retinal scan or any other visible security the bank may choose, that is what they see and how they feel – it’s the guard at the door, if you will. Using passive and invisible behavioural biometrics (BB), the bank can also have full trust in their key objectives, protecting the user account and providing a good customer experience. In this way BB solutions can draw a straight line to a trust-trust relationship between banks and customers.
Another advantage of BB solutions is that they use non-static signals and indicators of human identity – signals that cannot be stolen, reused or replayed for impersonation. It can therefore provide a high degree of confidence in the identity of the user. Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint.
Additionally, with BB, users can even be rewarded for good behaviour with a white glove experience, or extra perks and incentives, giving banks and e-commerce companies the unheard of potential to actually improve their brand experience with their security layer.”
– Robert Capps, VP of business development at NuData Security.