Biometric security moves to counter cyber fraud

Printed, not booked. [Alan Levine/Flickr]

This article is part of our special report The demise of cash?.

SPECIAL REPORT: If consumers put safety and security of their payments as a key priority when shopping, it is with good reason.

A huge data breach at US retailer Home Depot set off a series of fraudulent transactions through financial institutions in September this year, leading to the draining of several customer bank accounts.

Criminals used stolen card information to buy prepaid cards, electronics and even food.

Home Depot has admitted that 56 million cards may have been exposed in a five-month attack on its payment terminals, leading to alerts to thousands of financial institutions, telling them to be on the lookout for fraudulent transactions.

Nor was this a first in the US, where fraud losses from existing bank accounts and credit-card accounts rose 45% last year to $16 billion, according to Javelin Strategy & Research, a consulting firm.

New milestones in biomoetric security

These developments show why the payment community has been taking measures to move evolve from the era of memorised passwords to personalised biometric security.

The launch of Apple Pay in September marked a major milestone, with the US tech giant offering to identify users not with passwords or PIN numbers, but thumbprints.

“They were successful in focusing on the benefits of security and privacy for the consumer. Too often, the security focus has been on how security protects the businesses behind the service,” according to Jeff Miles vice-president of mobile transactions with NXP, a US software firm.

Fingerprints are also the basis of the partnership announcement last month between MasterCard and Zwipe to launch the world’s first contactless payment card featuring an integrated biometric sensor. Activation by a fingerprint scan enables cardholders to make payment.

Nor are fingerprints the only biometric yardstick under development. This spring witnessed the trial of innovative Swedish hand scanning in Lund as an alternative payment method. While vein scanning technology existed previously, it has not been used as a form of payment before.

“Every individual’s vein pattern is completely unique, so there really is no way of committing fraud with this system,” said researcher Fredrik Leifland. “You always need your hand scanned for a payment to go through.”

The plan is to patent the system and expand it around the globe.

In Europe, focus on e-payments fraud

Europe’s fairly comprehensive adoption of Chip-and-PIN has slashed fraud where cards are used, but fraud continues unabated with online payments not involving cards, particularly affecting online transactions used in e-commerce.

European retailers need to pay as much attention as their US counterparts to securing electronic payments, the Payment Card Industry Security Standards Council (PCI SSC), said in a stark warning over cyber attack issued late last month.

This was one of the key messages at the recent annual meeting of the European PCI SSC in Berlin, Germany, which administers the industry’s data security standard.

“Cyber criminals only need to steal a few key pieces of information to enable them to carry out this kind of fraud, and they are proving to be successful at it in Europe,” Jeremy King, European director of the PCI SSC told the Council’s annual gathering in Berlin on 23 October.

“Lack of understanding about the importance of strong passwords on all transactions systems, point of sale devices, routers and firewalls is still a big problem in Europe,” he added.

“We see a lot of challenges as well as opportunities associated with mobile commerce, which will be another hot topic for the council in the coming year,” said King.

A digital wallet refers to an electronic device that allows an individual to make electronic commerce transactions.

This can include purchasing items on-line with a computer or using a smartphone to purchase something at a store. Such wallets are also increasingly used to authenticate holders’ credentials, to verify age for example.

Such digital wallets comprise systems (the electronic infrastructure) the application (the software that operates on top) and devices (the physical platform, such as a smartphone).

An individual’s bank account can also be linked to the digital wallet. The credentials can be passed through a retailer’s terminal wirelessly using near field communication (NFC).

Many are speculating that these smartphone “digital wallets” will eventually replace physical wallets. The system has already gained popularity in Japan, where digital wallets are known as Osaifu-Keitai are more widely used than elsewhere.


Subscribe to our newsletters