Biometrics work well in controlled environments such as ATMs, it’s true. But it’s not clear — despite a number of roll-outs — whether they offer a realistic alternative to cards at POS because, as we have consistently advised our clients, biometrics at POS are driven by convenience, not by security.[From Digital Money Forum: Fingering suspects]
I think it’s fair to say that most people felt the same way. Although there was some discussion about whether POS fraud is high enough to demand more security, the consensus was that it is not. As for the issue of technology, framed by the debate about convenience, it was not clear to me that the example most often used, the fingerprint, has much of a role to play going forward. It doesn’t provide a particularly good trade-off between convenience and security, for one thing, and to many people it has connotations of criminality. Nevertheless, the technology is moving along and standardisation will help it:
“I think that ISO 19092:2008 will certainly be the kick start that biometric security needs, as it will provide the financial industry with some fantastic guidelines to enable them to implement both the architectural and policy/procedural changes required,” says Jason Pearce, director of sales engineering in Asia-Pacific for RSA, the security division of EMC.[From Vendor Articles: 4/7/2008 Biometrics usage to pick up with new ISO standard?]
There are plenty of other biometrics to choose from, but surely we will end up using voice, for the straightforward reason that it can function in both local and remote environments, unlike biometrics such as fingerprints (because a remote service provider couldn’t tell whether you were really putting your finger on the reader or replaying someone else’s). But for the purposes of the discussion, we can assume that the technology is there (provided its main purpose is convenience rather than security). A couple of people mentioned the combination of biometrics and mobile phones as a promising avenue for exploration, and I must agree. The mobile phone is clearly going to be the key device in the consumer space, so for biometrics to go with the grain they have to embrace the mobile from the start.
The business case discussion naturally focused on fraud and the relationship between biometrics and other technologies (e.g., contactless) at point of sale. I can’t say that this part of the discussion came to any particular conclusions (if it did, they’re not in my notes), but the fact is that the chip and PIN migration has led to substantial reductions in POS fraud (and substantial increases in CNP fraud), so there’s no desperate need for another technology at POS, especially when the retailers and banks are already engaged in rolling out contactless.
I think the key takeaway for me — other than the T-shirt (below) — was a reinforcement of the view that biometrics in this space are primarily about convenience and therefore any investments would need to be centred on making the customer experience simpler, easier and quicker rather than adding a layer of security / complexity to the transactions. A clear piece of evidence for this view is that biometrics don’t, in fact, add a layer of security anyway so there’s no point putting that on the critical path. Look at what’s been going on in the Netherlands recently…
Within weeks after its introduction, a security researcher has cracked the Tip2Pay fingerprint payment system for Dutch supermarket chain Albert Heijn. The researcher succeeded at paying for groceries by using a copied fingerprint.[From Computerworld – Researcher cracks fingerprint payment system]
It’s hardly a new vulnerability, but still of interest given the context. Anyway: if biometrics at POS are about convenience, if voice is the most convenient biometric and mobile phones the most convenient device, I think we can see the rudiments of the future POS landscape: for under £10 you wave your phone, for £10-£500 you put in a PIN and then wave your phone, for £500+ you say the amount, key in the PIN, then wave the phone. Sounds reasonable to me.
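The tiered flow sketched in the paragraph above can be written down as a step-up policy, which makes two things explicit: which factors each price band demands, and why “say the amount” is worth more than a bare voiceprint. This is an added example, not code from the blog or from any payment scheme. The thresholds (£10, £500) come from the post; the boundary handling (exactly £10 goes to the PIN band, exactly £500 to the voice band) and the rule that a spoken amount only counts if it names this transaction’s amount are assumptions made here. That last rule is what turns voice into a challenge-response: a recording captured for a different purchase names the wrong amount and is not accepted.

```python
from decimal import Decimal

# Price bands from the post; the boundary handling is an assumption made here.
TIER_PIN = Decimal("10")     # at or above this: PIN then wave the phone
TIER_VOICE = Decimal("500")  # at or above this: say the amount, PIN, wave the phone


def required_factors(amount):
    """Return the set of factors the policy demands for a transaction amount."""
    amount = Decimal(str(amount))
    if amount <= 0:
        raise ValueError("amount must be positive")
    if amount < TIER_PIN:
        return frozenset({"device"})
    if amount < TIER_VOICE:
        return frozenset({"device", "pin"})
    return frozenset({"device", "pin", "voice"})


def presented_factors(amount, device_tapped=False, pin_ok=False, spoken_amount=None):
    """Map the evidence offered at the terminal onto policy factors.

    The voice factor is granted only when the utterance names this
    transaction's amount (assumption: that is how the spoken amount is bound
    to the purchase), so a replayed clip for another amount earns nothing.
    """
    amount = Decimal(str(amount))
    have = set()
    if device_tapped:
        have.add("device")
    if pin_ok:
        have.add("pin")
    if spoken_amount is not None and Decimal(str(spoken_amount)) == amount:
        have.add("voice")
    return frozenset(have)


def authorise(amount, device_tapped=False, pin_ok=False, spoken_amount=None):
    """Return (approved, missing_factors) for the transaction."""
    need = required_factors(amount)
    have = presented_factors(amount, device_tapped, pin_ok, spoken_amount)
    missing = need - have
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed walk-through of the three bands in the post.
    print(authorise("5", device_tapped=True))                          # (True, frozenset())
    print(authorise("50", device_tapped=True))                         # (False, {'pin'})
    print(authorise("750", True, True, spoken_amount="750"))           # (True, frozenset())
    print(authorise("750", True, True, spoken_amount="20"))            # (False, {'voice'})
```

The missing-factor set is what a terminal would use to drive the next prompt (“enter PIN”, “say the amount”) rather than simply declining, so the step-up reads as convenience to the customer while the policy still refuses a replayed voice sample for the high-value band.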
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.