The risk of biometric payments: fingerprints cannot be easily changed

Fingerprint payment? Somewhere it’s already a reality

In some parts of the world, it’s possible to get on a plane, pay for a coffee and log into financial accounts using a face scan or thumbprint.

Both Apple Pay and Google Pay support biometric payments, and Amazon is also getting into the game. In September, Amazon unveiled Amazon One, a new biometric payment technology that allows customers to pay in stores by placing their palm against a scanning device. The technology will initially only be available in Amazon Go stores, but there are plans to expand it to Whole Foods’ subsidiary and eventually to other retail outlets.

There is no doubt about the convenience of this technology. No more searching for your wallet or trying to get rid of change in your pockets. In addition, the permanence and uniqueness of our fingerprints and retinas theoretically makes fraudulent transactions more difficult.

However, as algorithms collect more and more identifying information about us, inevitable privacy trade-off questions begin to arise.

What happens if our biometric data is compromised?

In the event of a standard cyber-attack or large-scale data leak , changing our passwords and other login credentials can help limit the exposure of confidential information. Although hackers may have gained access to our accounts, future breaches can be prevented by changing our login credentials.

In the case of biometrics, however, it’s not so simple. Our thumbprints and faceprints are permanent and we cannot simply replace them with a new identity. There are currently high risks associated with the theft or misuse of biometrics – it is only a matter of time before crime increases with the growing use of biometrics.

However, alarming examples from some parts of the world give us an idea of the possible future. India’s central database Aadhar, which catalogues biometric identification data such as fingerprints, was hit by a massive data leak in 2019. A similar attack targeted Pakistan’s Nadra central database, which also contains citizens’ biometric data. However, databases such as Aadhar and Nadra do not yet store payment information specifically related to biometric data.

Although leakage of any data can have disastrous consequences for individuals, it is much more complicated when permanent identification data is linked to payment information. When a palm is scanned by a biometric device, algorithms essentially verify unique identifiers and link them to pre-populated payment information. As these databases grow, they begin to attract the attention of hackers.

Regulation could be the key

In February 2020, the EU introduced sweeping regulations on facial recognition and artificial intelligence to create a single market for data across Europe. Coupled with data protection regulations under the GDPR, it is possible that Europe will require companies working with biometric payments to adhere to uniform standards and processes. This is not good news for companies like Amazon or Facebook, who would inevitably seek to protect their intellectual property and thwart attempts to incorporate a standardised framework.

Given how sensitive biometric data is, and given that we know that large technology companies do not always protect users’ privacy well, can we really trust them with even more private data? Currently, no one outside these companies has a clear idea of the security and privacy protocols that are part of their database management. However, if there were a regulation that described in a clear and standardised way how companies should approach the management of biometric payments, this could go a long way to protecting against misuse.

Untraceable biometric data

Another solution may be ‘untraceable biometrics’. These are secure technologies that allow biometric information to be processed without the data actually being linked to a single identifiable person. The technology works by converting the biometric data into an unrelated data string or key, so that the biometric data becomes more like a kind of identity decoder, but the fingerprint, face or retina cannot be recovered once the data has been leaked.

Such technologies already exist, such as NEXUS, which is a biometric-based system that speeds up border crossings between Canada and the United States. However, they are usually too restrictive for businesses due to the complexity of the algorithms and the hardware required. If businesses can take advantage of a cheaper option, there is nothing stopping them. Without legislation mandating their use, it stands to reason that no large company will have an incentive to go further than the introduction of untraceable biometrics.

As ordinary consumers, we must realise that any new technology that offers convenience inevitably comes with a trade-off in terms of privacy. Biometric payments are tempting, but until we are sure of the security, it is better to wait to use this technology for the time being.

Related Articles

Back to top button