SECURITY
BIOMETRICS By: Jason Chaikin President Vkansee
B
iometrics is the stuff of movies. For over twenty years, we have seen heroes’ and villains’ fingerprints and iris patterns used to secure their secret lairs and protect the confidential information located inside. We have also seen the biometrics defeated by both simple and complex methods including cutting fingertips off and removing eyes. Truthfully, the reality of biometric security is not far from what is portrayed onscreen; we are on the cusp of integrating biometrics into everyday life, with mobile payments being the launching pad of this movement. With Apple pioneering the use of fingerprint sensors in their iPhone 5S (and subsequent ApplePay), the reality of biometrics is an actuality. In 2015, more than 50 phones had incorporated fingerprint sensors within their systems; Apple, Samsung and Google have all either purchased biometric companies or developed complex systems to enable secure payment by fingerprint. As merchants across the world change their credit card readers to support the new chip-based cards, these readers come equipped to receive the future mobile transactions. Unlike other features on phones such as screen size and camera resolution, biometrics were not driven by direct consumer demand. Users were not demanding fingerprint sensors in their mobile devices. However, after initial positive reactions to conveniently and securely access a phone, many people have realized the benefit of using biometrics as an added layer of security, and they have come to demand them in mobile phones. This relatively new biometric
14
Payment Quarterly | Q1 2016
with
&
PAYMENTS SECURITY
authentication platform is the future of how we will tender for goods and services, and we are entering a guerilla war that will be fought between tech giants rather than traditional banks and payment networks. How the processing fees on transactions across the payment, healthcare, finance sectors, and the costs of backend process get divided in the future will be measured in hundreds of billions of dollars annually. These changes did not come from a vacuum – for years we heard almost daily stories of data breaches, banking fraud and rampant abuses in healthcare reaching billions every year. Thankfully, the tools to solve these problems are quite literally at our fingertips. Applying a biometrics factor to existing authentication transactions ensures the actual individual intended to receive the goods or services is physically part of the authentication process, which eliminates a gross majority of the fraud that is the dark underbelly of our critical payments and healthcare systems. The use of biometrics for mobile security, however, is not foolproof. In December 2014, at the 31st Annual Chaos Computer Club conference in Hamburg, Germany, a hacker named Jan “Starbug” Krissler showed flaws in using biometric technology for passwords, such as the fingerprint sensor found on an iPhone 6. Krissler showed that hackers can take photos of people’s hands and merge them together to recreate a detailed image of a person’s fingerprint, which can be used to form a 3-D “dummy” finger. Krissler then demonstrated how that “dummy” print successfully unlocked an iPhone 6. He also showed how he was able to replicate the fingerprint of German Defense Minister Ursula von der Leyen using multiple photos of her hands taken from three meters away during a press conference. Krissler ran the photos through a software call VeriFinger, which formed her full fingerprint, which
hackers could hypothetically use to break into her phone and various other devices. An example of potentially disastrous biometric hacking happened in 2015, when the Obama administration revealed that over 21.5 million people were exposed to a massive security hack, resulting in personal information (such as social security numbers) being stolen. Of the 21.5 million exposed, 5.6 million federal employee’s fingerprints were stolen. This could be extremely dangerous, as the hackers now potentially have access to data previously only accessible by those with biometric security clearance. Although one layer of biometrics is not free from hacking, there are ways to make it more secure. While passwords are one layer of security, biometric measures, such as fingerprint or iris sensors, are by far the best ways to deter hackers. Companies are dedicated to adding multiple layers of biometrics to increase security – an example would be requiring a fingerprint scan on top of a password to access a mobile phone. When these different security measures are present, it makes mobile phones much more difficult to bypass. Biometrics are the catalyst in the future of secure payments but the system of payments behind them, the backend processing and the standards that will emerge victorious will be the real drama with a profound and pervasive impact to culture. The value of transactions biometrics authenticated and tokenized, and the disruptions to existing markets will ensure the battle is hard fought – like many battles, the unexpected may determine a final outcome. The way we will pay for goods and services both in person and remotely will be vastly different in 10 years than today - in 20 years’ time, cash will be obsolete. The one thing that will remain the same, however, is that the use of biometrics will greatly improve all aspects of security.