[Dave Birch] I’d never been to a BarCampBank before so I wasn’t sure what to expect at the BarCampBank London last week. I needn’t have worried: as well as Forum friends such as Chris Skinner, Stephen Mason and James Gardner, there were both old pals and new acquaintances. The discussions were open and fluid and the combination of views did its job in generating new thinking. I was only sorry that I had to leave at lunch time to get over to OpenTech.

One of the groups that I took part in was looking at the use of biometrics at retail POS and I tried to write up some notes to report on the key issues, as I thought blog readers would find them interesting. The discussion ranged over three fairly distinct areas: the drivers for biometrics at POS, the technologies and the business case. So far as the drivers go, the CHYP position has been reported before:

Biometrics work well in controlled environments such as ATMs, it’s true. But it’s not clear — despite a number of roll-outs — whether they offer a realistic alternative to cards at POS because, as we have consistently advised our clients, biometrics at POS are driven by convenience, not by security.

[From Digital Money Forum: Fingering suspects]

I think it’s fair to say that most people felt the same way, although there was some discussion on whether POS fraud is high enough to demand more security but the consensus was that it was not. As for the issue of technology, framed by the debate about convenience, it was not clear to me that the example often used, the fingerprint, has much role to play going forward. It doesn’t provide a particularly good trade-off between convenience and security, for one thing, and to many people it has connotations of criminality. Nevertheless, the technology is moving along and standardisation will help it:

“I think that ISO 19092:2008 will certainly be the kick start that biometric security needs, as it will provide the financial industry with some fantastic guidelines to enable them to implement both the architectural and policy/procedural changes required,” says Jason Pearce, director of sales engineering in Asia-Pacific for RSA, the security division of EMC.

[From Vendor Articles: 4/7/2008 Biometrics usage to pick up with new ISO standard?]

There are plenty of other biometrics to choose from, but surely we will end up using voice, for the straightforward reason that it can function in both local and remote environments, unlike biometrics such as fingerprints (because a remote service provider couldn’t tell if you were really putting your finger on the reader or replaying someone else’s). But for the purposes of the discussion, we can assume that the technology is there (provided its main purpose is convenience rather than security). A couple of people mentioned the combination of biometrics and mobile phones as being a promising avenue for exploration and I must agree. The mobile phone is clearly going to be the key device in the consumer space, so for biometrics to go with the grain they have to embrace the mobile from the start.

The business case discussion naturally focused on fraud and the relationship between biometrics and other technologies (eg, contactless) at point of sale. I can’t say that this part of the discussion came to any particular conclusions (if it did, they’re not in my notes) but the fact is that the chip and PIN migration has led to substantial reductions in POS fraud (and substantial increases in CNP fraud) so there’s no desperate need for another technology at POS, especially when the retailers and banks are already engaged in rolling out contactless.

I think the key takeaway for me — other than the T-shirt (below) — was a reinforcement of the view that biometrics in this space are primarily about convenience and therefore any investments would need to be centred on making the customer experience simpler, easier and quicker rather than adding a layer of security / complexity to the transactions. A clear piece of evidence for this view is that biometrics don’t, in fact, add a layer of security anyway so there’s no point putting that on the critical path. Look at what’s been going on in the Netherlands recently…

Within weeks after its introduction, a security researcher has cracked the Tip2Pay fingerprint payment system for Dutch supermarket chain Albert Heijn. The researcher succeeded at paying for groceries by using a copied fingerprint.

[From Computerworld – Researcher cracks fingerprint payment system]

It’s hardly a new vulnerability, but still of interest given the context. Anyway: if biometrics at POS are about convenience, if voice is the most convenient biometric and mobile phones the most convenient device, I think we can see the rudiments of the future POS landscape: for under £10 you wave your phone, for £10-£500 you put in a PIN and then wave your phone, for £500+ you say the amount, key in the PIN, then wave the phone. Sounds reasonable to me.

BankBarCamp Proof

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
