A 40% increase in the number of people being impersonated indicates that the flat trend seen in 2008 (where identity fraud increased by only 0.06% from 2007) was exceptional. While last year’s figures were a surprise, the sudden and significant increase in the first quarter of 2009 heralds an unwelcome return of identity fraud as the fraudsters’ method of choice; as fraudsters assume creditworthy identities in order to swindle individuals and companies alike: stealing funds, goods and services at someone else’s expense… During this quarter, a staggering 75% increase in facility takeover (also known as account takeover) frauds – where the fraudster gains access to, and plunders the legitimately obtained accounts of innocent victims – continued the steep upward trend seen throughout 2008.[From Fraud trends and recession go hand in hand – CIFAS Online]
If biometrics could make a dent in that, you would think that banks would be rushing to implement them. After all, as CIFAS notes, the account takeover fraud explosion has been going on for some time. Plenty of time to plan and develop a biometric countermeasure, you might think.
UK account takeover fraud grows 207% year-on-year in 2008 – study [From UK account takeover fraud grows 207% year-on-year in 2008 – study]
Yet nothing much is happening. Identity theft is growing and, in the UK at least, the government’s identity card scheme won’t do anything to help. But why? Max made a very interesting point, which goes back to my current obsession, the “narrative”. In his presentation, he pointed out that because the biometric sector had its origins in the identification problem, that is how they see the world. So they would see the retail payments problem as an identification problem, which leads to PayByTouch. On the other hand, other people (eg, me) see the retail payments problem as an authentication problem: so we need progress in what he called “anonymous” biometrics to get down to solving that particular problem. And he made a very positive suggestion that I had not considered before.
Let’s go back to the prosaic retail payments problem. Suppose we introduce chip & fingerprint to follow on from chip & PIN (it wouldn’t help, of course, unless we implement some other basic security countermeasures, such as taking the “hello 1964” magnetic stripe off of the cards), thus giving us the next generation of EMV cards: for small purchases you just wave it (contactless, no PIN transactions are allowed up to £10 in the UK at present), for medium purchases you punch in a PIN and wave it, and for larger transactions (and cash withdrawals) you punch in a PIN, wave the card and then put your finger on a scanner. Sounds good, and it fulfills the criteria of moving away from identification space. The card is used for identification, the biometric (which is locally matched on the card, just like the PIN) is used for authentication.
This would be a bad idea, and for this reason. That specific biometric, the fingerprint, is already used for other purposes. In particular, it is already used for identification. This is also true of faces. We might generalise and say that we should not do authentication at all using the biometrics chosen for identification by governments. This basically does mean face and fingerprints, as used in the new e-passports. Well, I say “used”…
While EU countries have to start issuing e-passports with EAC by next June there is no deadline to actually read the biometric data from the passports… The UK was talking about initial inspection by the end of 2009, scanning the full biometrics of some people, but only about 1% of travelers, and moving to 30% by 2016. There are numerous reasons for the seemingly long timeline. First and foremost, governments don’t know how it will work.[From ContactlessNews | The next generation electronic passport]
So not only might be citizens be upset, because they mentally associate mugshots and dabs with identification (and criminality), we should be too. If the fingerprint is compromised at point of use, then the identification systems are subverted. Therefore, the design principles should be: use a token for identification and use a biometric for authentication, but it must be a biometric that it not used for identification and (above all) is not used by the government for identification purposes. Part of the reason why the proposed UK ID card won’t help is that it will be using the ICAO standard, developed for identification, and that cannot be used for practical authentication in this kind of mass market.
So, a plausible idea for son-of-chip-and-PIN, taking on board Max’s idea and merging it with our experiences gained implementing and doing security risk analysis for EMV schemes in a number of countries, might be as follows:
- For micropayment, cash-replacement transactions: just wave the token (well, let’s say it, the mobile phone);
- For mesopayment, card-replacement transactions: enter the PIN, preferably into the mobile phone not the terminal, then wave the phone over the terminal;
- For megapayment, EFT-replacement transactions: enter the PIN, put the phone on the terminal and then put your finger in a vein scanner (such as the Hitachi system used in Japan).
This is a practical solution to the mass market use of biometrics, and you can make it work online as well by using challenge/response voice biometrics instead of vein scanning. In the short term, I’m not sure that biometrics will help the cards guys much, although in the long term the technology will clearly transform all of the identity and authentication mass market and not just retail point-of-sale. Nevertheless, as we’ll be hearing at the Identity & Privacy Forum in London on 14th/15th May, voice and other biometrics are already finding decent niches in the mass market. I’m not being in the least bit negative about biometrics as a technology: what I am saying is that it’s a matter of horses for courses.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
Don’t you also want the biometric checking to take place on your own phone/token, entirely under your own control? Costlier, but you might already want that capability to protect your device.