Experts Warn No Biometrics Authentication Solution is Fool-Proof
To boost security and eliminate the need for passwords, MasterCard plans to roll out later this year a facial biometrics app for authentication of online purchases. But some security and financial fraud experts warn that biometrics technology is not fool-proof and should only be deployed as part of a layered authentication approach.
"Biometric authentication is not a panacea, and won't solve all of our authentication and fraud problems," says Avivah Litan, a financial fraud expert and analyst with the consultancy Gartner. "For that, banks certainly need a layered approach. But we must not forget that biometric authentication is still a heck of a lot more secure than passwords are."
Consumers using the new app, called MasterCard Identity Check, are asked to verify their online purchase by taking a "selfie" with their smartphone, blinking during image capture to ensure the image is being taken in real time, the card brand explains.
MasterCard claims that a four-month pilot of the technology at First Tech Federal Credit Union, a California-based institution with $6.2 billion in assets, was successful based on its perceived ease of use and superiority to passwords. First Tech plans to launch a market-ready implementation of the Identity Check mobile app during the second half of 2016.
Amsterdam-based ABN AMRO Bank, with $452.6 billion in assets, also tested the technology. "Nine out of 10 participants indicate that they would like to replace their password with biometric identification," MasterCard says of the Dutch pilot. But it did not reveal whether the bank would be rolling out the new app.
First Tech and MasterCard did not respond to ISMG's request for further comment.
Biometrics' Security Concerns
Although biometrics can help improve the security of payment transactions, the greatest concern is where and how the information collected is stored, says Ben Desjardins, director of security solutions for online security firm Radware.
"It's important to keep in mind that, by and large, the biometric inputs ... are being turned into bits and bytes that a machine can read and decide whether or not to authenticate," he says. "Once captured and stored, they are at risk from the myriad threats targeting any other piece of data. ... The biggest risks around biometric identification are similar to other forms of authentication. Biometrics definitely create a greater barrier, in terms of use of the data, if captured; and ideally they should be used as part of a multifactor authentication system, so to some degree their use is about keeping ahead of the pack, in terms of being an easy target."
But David Lott, a payments risk expert at the Federal Reserve Bank of Atlanta, says stealing biometrics data is far from easy.
"In most authentication systems used for payments, an image of the physical element is captured but then converted through a highly complex algorithm to a template," Lott says. "So the cybercriminal would have to be able to gain knowledge of the algorithm, break the encryption, and even then the ability to actually reproduce the image with a level of accuracy that would defeat the system is questionable."
Lott also says vendors specializing in facial and iris recognition "are very well aware of the possible ways to compromise the system and have built in detection capabilities, particularly in the use of photographs and video. All authentication methodologies, including biometrics, can be defeated given time and money. That is one reason why the FFIEC [Federal Financial Institutions Examination Council], in their online banking guidelines, recommends multifactor authentication."
Growing Interest
While MasterCard has emerged as a global leader in boosting the use of biometrics for financial applications, a number of other payments and service providers around the world are deploying similar solutions - illustrating the growing interest in biometrics authentication, Lott says.
"There are plenty of other stakeholders," he says. "Hundreds of thousands of ATMs in Brazil, India and Japan have been using biometrics, either solely or in conjunction with other authentication techniques, for some time to authenticate the customer at their ATMs, as an example."
Shirley Inscoe, an analyst at the consultancy Aite, suggests that biometrics authentication should be paired with other methods.
"Requiring the user to blink, or verify there is a temperature with an applied fingerprint, is a liveness test that definitely limits risk," Inscoe says. "But if the biometric is also paired with device identification, this is as secure as you can get. Identifying a known device associated with a consumer, along with a biometric with liveness test is more secure than any payment mechanism consumers are using today. Passwords are totally insecure, and the faster they are eliminated, completely, the better off e-commerce will be."
Tom Wills, a payments expert and director of Ontrack Advisory, a consultancy focused on payments innovation, predicts that MasterCard "will almost certainly be including other controls along with the photo - for example, the mobile-device fingerprint, geolocation of the device, etc. MasterCard understands more than most the need to build security in layers, and the 'selfie' capture feature will be just one layer among several."