Biometric Customer Authentication is Hot Right Now, But It’s Not a Cure-All for CNP Fraud

Two big pieces of news from the payments world have put the spotlight on biometric authentication tools for shopping and banking, and at a glance it seems like biometrics could fix a lot of the fraud challenges the retail and banking industries face. But other news and a growing chorus of input from security experts indicate that some types of biometrics are as vulnerable to exploitation as other consumer data, and potentially far more damaging once compromised. As consumers may increasingly expect to be able to use a thumbprint, voice, or facial scan to shop, merchants need to understand the usefulness and limits of biometric data for fraud prevention and customer experience.
Biometrics have been in the news on both sides of the Atlantic this year. In April, the four major card brands dropped some or all of their consumer signature requirements for POS purchases in the US in a bid to reduce friction at checkout and reduce merchant processing costs. To replace signatures for customer authentication, Visa is trialing EMV contactless-compatible cards that have built-in fingerprint sensors. At the point of sale, users will touch the fingerprint sensor, and the impression will be compared to their stored fingerprint data to validate their identity.
Meanwhile, in Europe, the implementation of the revised Payment Services Directive (PSD2) means that banks and other payment services must support two-factor transaction authentication on mobile devices. Industry watchers and app developers expect biometrics to figure prominently in new security protocols because they create less friction than keying in passwords or codes delivered via SMS. It’s clear that biometrics are becoming part of the fraud-prevention landscape. What’s less clear is what happens when, not if, biometric data is compromised.
That’s because we can’t change our static biometric markers, such as fingerprints and facial shapes, after a data breach the way we can change passwords, and hackers and security testers have been able to create good-enough copies to fool some biometric scanners. For several years running, there have been data breaches that definitely or potentially included consumers’ biometric data. One headline-making example occurred in 2015, when data thieves stole more than 5 million US federal employees’ fingerprints and other personal data. The most recent troubling news comes from India. Aadhaar, the country’s huge biometric database of more than one billion citizens’ data, has been repeatedly hacked, leading to the sale of consumer data on social media for as little as $10.