Credit card biometrics: The future of data security
Futuristic ID sensors march from the movies to the marketplace
If consumers get their way, credit cards with biometric security features will no longer be the stuff of spy movies, but a mainstream alternative to those that rely on sloppy signatures and forgotten passwords.
Biometric technology -- the use of a person's unique physical features such as fingerprints, facial image, and speech patterns to verify individual identities -- has been around for decades. But thanks to rampant credit card fraud and plummeting technology costs, crime-fighting tools such as fingerprint recognition, electronic-signature verification and voice recognition are making headway as safe and convenient ways for consumers to make credit card purchases.
"Biometrics is now being used in a number of ways to enhance the customer's shopping experience, as well as security," says Frank Riso, director of retail solutions at communications giant Motorola, whose fingerprint and database software is used in law enforcement.
That's good news to consumers. A December 2008 study by technology services giant Unisys reveals that more than 70 percent of respondents will trust banks and government agencies to ask them for biometric data for identity verification. What's more, fingerprints nearly tied personal passwords as the primary preferred authentication method, 73 percent to 72 percent, respectively.
With fingerprint technology, people don't have to fish through their wallet or purse to try to find their credit cards.
But while fingerprints and pen strokes bind a credit card to a cardholder, not all biometric technologies are created equal. Some promise to revolutionize the way people shop and make credit card purchases; others risk falling by the wayside.Technology at your fingertips
Leading the biometric pack today is fingerprint-recognition technology. "In the U.S., the first and greatest push" for biometric credit card security is around fingerprint recognition at the point of sale, says Ed Kountz, a Forrester Research senior analyst. By enabling retailers to confirm that a customer is the authorized user of a credit card with the press of a finger, fingerprint authentication delivers a speedy, accurate and reliable means for completing credit card purchases.
"With fingerprint technology, people don't have to fish through their wallet or purse to try to find their credit cards to make a payment," says Riso.
The technology has already gained traction in Japan with the widespread roll-out of a smart phone built by Fujitsu for mobile operator NTT DoCoMo. The device serves as a mobile wallet application, enabling consumers to make debit card and credit card-based withdrawals and transactions authorized by fingerprint. The handset can also be locked using the fingerprint sensor to prevent unauthorized access.
Plenty of efforts have been made to bring fingerprint-recognition technology to America -- with limited success. Bank of America, Pay By Touch and Indivos (now Soidus) are among those that tried and failed. But a new batch of players are cropping up, each armed with a biometric device. Massachusetts's iCache, for example, has created a mini storage device that holds all of a consumer's credit card information. Users register their credit cards to an online account and activate the handheld device with a fingerprint on its biometric strip. SmartMetric, a New York-based manufacturer, offers a pint-sized biometric card that can store personal information including credit card numbers.
We've already made the critical move from signing a piece of paper to signing electronically... the next step is to add verification.
|-- Ed Kountz
analyst, Forrester Research
With no shortage of devices on the market, Kountz says the next step is for financial institutions and national retailers to offer "broad industry buy-in" to render fingerprints a key component of credit card security.Using your John Hancock for verification
A handwritten signature is one of the most widely used and accepted forms of authorization. Hoping to capitalize on a consumer's John Hancock is electronic signature verification technology. Signature verification works by analyzing the shape, speed, stroke order, timing and pen pressure of a signature. These characteristics form a biometric footprint that is unique to every individual.
A less intrusive alternative to fingerprint recognition, and one without CSI-type connotations, electronic verification technology holds promise. In fact, a report by research firm Frost & Sullivan reveals that signature verification revenues are expected to expand to $123.3 million this year.
Eager to grab a slice of this burgeoning market are vendors including San Francisco's Cyber SIGN and Germany's SOFTPRO Group. Cyber SIGN, for example, lets cardholders insert a card into a reader and provide a sample signature using an electronic ink pen. A built-in verification application determines if the signature matches the one stored on the card.
|Biometrics not completely foolproof|
Just as there are research companies devoted to developing theft-proof technology, there are companies whose job it is to prove them wrong.
Several years ago, the Discovery Channel's MythBusters, among other scientists and researchers, unveiled ways to fool fingerprint scanners, hand geometry scanners and facial recognition technology. Biometrics is based upon the assumption that every person has unique characteristics that cannot be reproduced, but given technology's ability to duplicate an image, a fingerprint or a handprint, it can be fallible.
What security experts say offers the most protection is actually a combination of biometrics and that old standby: a secret password that only the user knows.
Still, these vendors have their work cut out for them. After all, electronic signature verification can deliver false readings and requires users to sign several times on a tablet to create a stored signature. Nevertheless, Kountz believes electronic signature verification for credit card authorization purposes may be just around the corner.
"We've already made the critical move from signing a piece of paper to signing electronically," he says. "Now that retailers are capturing that signature, the next step is to add verification."Loud and clear
Credit card fraudsters won't be able to talk their way into getting online retailers to send them products if voice-recognition applications catch on. The technology typically involves prompting a caller to repeat a phrase or password over the phone, which a system compares against pre-recordings of the caller's voice. And unlike fingerprints and electronic signatures, voice recognition doesn't require costly equipment installations.
Players such as Beepcard, Victrio and Unisys all offer varying incarnations of voice recognition solutions. But it's VoicePay, located in the United Kingdom, that is creating the most buzz. A VoicePay account lets users purchase products online or from their cell phone using their voice to authenticate the transaction. Funds are deducted from stored credit and debit card information.
For now, voice recognition technology remains limited to call center applications. Another drawback is what happens if someone hacks into a voice verification system. "I wouldn't want to have to verify a credit card transaction in my Donald Duck voice because somebody lost my normal one," says Jon Callus, chief technical officer at the PGP Corporation in Palo Alto, Calif., which develops encryption software used mainly for e-mail.
Not that biometrics is going to the birds. Rather, if today's tech giants, financial institutions and retailers work together, biometric-based credit card security could soon become a mainstream reality.
- Video: How to set up your mobile wallet – Follow these steps to learn how to add your favorite credit cards to the mobile wallet on your smartphone ...
- Headed abroad? Which US issuers offer chip-and-PIN cards – Chip-and-signature cards may leave you in the dust at kiosks and terminals abroad, so arm yourself with a true chip-and-PIN card from one of these issuers ...
- EMV cards' common errors: A guide for confused cardholders – Does your EMV chip card not work when you dip? Do you have to hold it in the payment terminal's slot? We asked experts about these common chip card errors. Here are their answers ...