This is Why Liveness Detection Has to Play a Crucial Role in Biometric Authentication

Before the biometrics industry overheats. We need to have a reality check! Biometric authentication is all about the ease of convenience to consumers vs security. It can never be the “be all” to authentication methods. Far too much misinformation is out there in the public domain from many commentators who are in no way experts in this matter.

It’s all about “RISK”. Spoofing is possible, yes, as demonstrated by Starbug at the Biometrics conference in London recently but the answer for high risk transactions is liveness. Proving who you are in “real-time” with methods to counter spoofing and also detect unusual behaviour patterns too. Fraudsters will always try their luck. But if biometric data is stored and encrypted properly, then it is pretty useless data to any hacker. In addition, no industry should rely on just one form of biometric identifier. Depending on levels of risk, 2FA or a multi-modal approach is the desired method.

A recent article What Hackers Can do With Your Fingerprints says… fingerprint scans are being used to authenticate transactions on various payment platforms. Credit card fraud has been a persistent problem in recent years, particularly in the U.S. where the transition to EMV chip-enabled credit cards has only just begun. To try to address this issue (and stem their losses) many financial institutions, startups and bank partners have been experimenting with new ways to protect payments.

One security measure gaining some steam is the use of a digital fingerprints to authenticate transactions. Mobile payments platform Apple Pay and Samsung Pay, for example, use fingerprint scans, and MasterCard has been experimenting with using this particular biometric (and a few others) to protect credit cards.

But should you be worried about such a sensitive piece of biological info ending up the wrong hands? And what could happen if it did?

The Anatomy of Your Digital Fingerprint

The answer, it seems, is a bit tricky. For starters, the information being used to authenticate phones and cards isn’t yet as sensitive as you may think. Major biometric authenticators, like Apple Touch ID, currently don’t capture your full fingerprint. Instead, they scan small sections to create a mathematical representation of it.

This algorithm is what gets stored on your device or card. And, thanks to these and other security measures, “you can’t reverse-engineer a fingerprint by stealing the device,” Jason Oxman, CEO of the Electronic Transactions Association, said. (Whether you can hack into a device by reverse-engineering a fake fingerprint is a bit more up in the air, since it has, apparently, been done before.)

Right now, there’s not much someone could do, should they get a hold of these fingerprint algorithms since they’re not in widespread use (when it comes to authenticating financial accounts or otherwise.) But that’s not to say thieves won’t find a way to monetize the information in the future.

“We don’t know what can be done with it yet,” Eva Velasquez, CEO of the Identity Theft Resource Center, said. She correlates early use of the biometric to the initial introduction of Social Security numbers. Originally intended to identify a person for government benefits and taxation purposes, it was ultimately adopted by the financial services industry as a way to authenticate someone applying for a loan or bank account. As such, now, should someone get hold of your government-issued nine digits, they could easily take out a loan or apply for credit and run up debts in your name.

Right now fingerprints are used sparingly (largely by law enforcement or government agencies for crucial security purposes), but “we really have to proceed with caution when we think about that historic issue,” Velazquez said. If biometrics were ever used to verify a host of things from bank accounts to home security systems to travel verifications, there could be an equally long list of how you could be compromised.

Credit: Steve Cook, Director of Business Development at Facebanx