The Green Sheet Online Edition
November 28, 2016 • Issue 16:11:02
Biometrics hot at Money20/20
Money20/20, held in October in Las Vegas, is known as the world's largest payments and fintech event of the year. More than 20 keynote speeches and 100 panel sessions organized by subject tracks provided a plethora of learning opportunities this year. Plus, nearly 300 vendors were on hand exhibiting their wares.
Having attended the conference the past few years and learned about the mobile explosion and bitcoin/blockchain innovation, I was eager to explore this year's latest technology issues and advances.
Right away, I was fascinated by the attention given to authentication, especially in the area of biometrics. The number of vendors in the exhibit hall touting finger, hand, face, retina, iris, ECG (heartbeat) and voice recognition technologies, and more, was surprising. So was talk about biometric authentication innovation in many panel sessions. Since I love spy, science fiction, action, adventure and fantasy genres, the hubbub around biometrics made me giddy.
My introduction to biometrics, as well as the technology's potential for misuse, was as a child watching the Mission: Impossible television series during the late 1960s and early 1970s. The secret agents of the Impossible Missions Force were adept at faking fingerprints to gain access to locked or restricted rooms, safes and just about anything else. They also employed lifelike prosthetic masks as undercover disguises to trick unsuspecting family, friends and business associates, as well as defeat facial recognition surveillance.
In the 1980s, Admiral Kirk used retinal recognition to access information about Project Genesis in Star Trek II: The Wrath of Khan. He also engaged the starship USS Enterprise in an auto-destruction sequence via voice authentication in Star Trek III: The Search for Spock.
Hollywood has regularly used biometrics-related special effects to fuel our imaginations. Think about the antics of James Bond, Ethan Hunt, Jason Bourne, the X-Men, Mr. and Mrs. Smith, Maxwell Smart, The Terminator and Captain America. Tom Cruise's Minority Report character John Anderton especially creeped me out when he underwent a risky eye transplant to avoid the city-wide optical recognition system.
Today, Mastercard seems to be leading the pack with several biometric pilots. It rolled out a pay-by-selfie service in a dozen European countries following a similar pilot in North America. And in March 2016, it launched selfie and fingerprint biometric corporate credit cards in the United States and Canada with BMO Financial Group.
An authentication primer
From a tech security standpoint, authentication is the process of determining whether someone is, in fact, who he or she claims to be in order to prevent data compromise and theft. In the payments arena, authentication provides a barrier, thus combating fraud.
Cardholder authentication comes in many forms. Store sales clerks are tasked with visually inspecting cards to see if they appear to be legitimate. Clerks are also supposed to compare receipt signatures with signatures on the backs of cards for credit transactions; however, few, if any, do. Personal Identification Numbers (PINs) enable cardholders to authenticate themselves with issuers at the POS.
Mastercard SecureCode, Verified by Visa and American Express SafeKey are 3-D Secure cardholder authentication schemes that verify cardholder identity online. Most recently in the United States, the rollout of EMV (Europay, Mastercard and Visa) is meant to combat counterfeit, lost and stolen card fraud through authentication.
Payments dabbling in biometrics
Apple Inc.'s Touch ID is likely the biometric authentication technology we're most familiar with. Apple iPhone and iPad users enroll their fingerprints during device setup to enable biometric device unlocking, as well as activate the Apple Pay app for purchasing in stores, within apps and on websites. Biometrics is also the pillar of Samsung Pay.
But Apple Pay and Samsung Pay aren't the first introduction of biometrics in payments. Anybody remember San Francisco-based startup Pay By Touch? The company enabled people to pay with a swipe of the finger on a biometric sensor and provided secure access to checking, credit card, loyalty, healthcare and personal information through an individual's biometric features as early as 2002.
Pay By Touch attracted more than 3 million consumers and provided a service that worked. Several large grocery chains and other major retailers engaged in successful Pay By Touch deployments. Pay By Touch's demise was the result of business and not biometrics failure. Unrealistic goals, squandered investment capital, mismanaged operations, an untenable revenue model, questionable acquisitions and a host of other ills were all nails that sealed the Pay By Touch coffin.
Biometrics in payments: Why now?
As Money20/20 showcased, the payments industry is poised for another go at biometrics. The quest to Know Your Customer before doing business is being fueled by the unrelenting stream of data breaches and the ever increasing sophistication of bad actors.
Smartphone subscriptions are playing a big role in the push for mainstream implementation of biometrics. According to wireless carrier Ericsson, 6.1 billion smartphones will be in circulation globally by 2020, encompassing 70 percent of the world's population. Smartphones enable distributed storage of biometric data, and this approach discourages hackers because bulk repositories of biometric data do not exist, making one-off thefts tedious and unprofitable.
Technology is also driving biometrics adoption as scanning match rates and authentication speed for fingerprint, facial, voice recognition and more are no longer barriers.
Further, the Fast Identity Online (FIDO) Alliance developed guiding principles for authentication to drive ease of use, privacy, security and standardization. FIDO specifications support two approaches. The Universal Authentication Protocol leverages biometrics and similar techniques to enable authentication without passwords. The Universal Second Factor Protocol adds a second layer of security for strong authentication. Vendors following FIDO standards ensure biometric information never leaves individual devices.
Biometrics proponents believe their use opens the door for new real-time payment services with a higher, more convenient level of security over signatures, PINs, passwords and more.
Biometrics: The be all, end all?
Individual distinctness makes biometrics intriguing. So do high-tech eye scanners, fingerprint readers, facial-recognition systems and other solutions that accurately distinguish friend from foe. However, biometrics is not a panacea for cardholder authentication security. While inherently more impenetrable than legacy authentication mechanisms, biometrics have a unique set of risks and vulnerabilities.
Once personal biometric markers are stolen, there's no going back ‒ there's no password reset or credit card replacement. They are out of an individual's control forever. And, unfortunately, remediation efforts most likely will be much more difficult, if not impossible.
Hackers, thieves and scammers are already hard at work in an effort to circumvent new biometric technologies. We can expect criminals to crack biometric technologies and use them to their full advantage. And when they do, they won't just be hacking our computers; they will be attacking the very essence: who we are as individuals on this Earth.
Nonetheless, biometric technology is poised to play a significant role in the future of payments, most likely in multifactor authentication systems offering an additional layer of security. As in every technology advance, there will be winners and losers. And as we all know from the painful pace of the U.S. EMV implementation, nothing in payments happens at light-speed. I'm curious to see what role biometrics plays when Money20/20 2017 rolls around, and I'm sure you will be, too.
Peggy Bekavac Olson is founder and principal of Strategic Marketing, a full-service marketing and communications firm specializing in financial services and electronic payments. She serves on the international marketing committee for the ATM Industry Association and on the Payment Sales and Strategy and Technology Committees for the Electronic Transactions Association. She can be reached at 480.706.0816 or email@example.com. Information about Strategic Marketing can be found at www.smktg.com.