Biometrics--useful for consumer transactions?
Paul McLellan has a post on EDN.com about the application of biometrics for security purposes. He points out that security is hard, even within large organizations that can dictate security policies. He cites the frequent reports of stolen credit-card databases. And when it comes to authenticating individual consumers in a retail setting, over the phone, or via the Internet, biometrics doesn’t seem to have much to offer.My only experience with biometrics is with a prototype passenger-screening system operated by the TSA at Logan Airport. It involved a smart card and a retinal scan. All I can say is that I never had a false negative. The system always let me through. (After the trial period ended, I made what turned out to be the wise choice not to enroll in a paid preferred-passenger scheme.)
McLellan points out that one of the most effective ways credit-card companies have of fighting fraud is behavioral-they have developed fairly effective algorithms that can prevent payment for fraudulent purchases while continuing to honor legitimate ones until they can issue new cards. That happened to me; when my card was compromised, the company honored my legitimate purchases while blocking payments for children’s clothing to be shipped to Eastern Europe. Unfortunately, my credit-card company chose a very low-tech way of signaling me that my card was compromised-a snail-mail letter that I mistook for another credit-card solicitation. It wasn’t until the company failed to honor a monthly charge from my ISP that I found out what had happened.
One thing I can’t understand is the companies’ reliance on three- or four-digit security codes for authentication. They are printed right on the card and can be readily memorized or copied down by any waiter or cashier to whom you give the card. The wireless terminals that restaurants are increasingly using offer some protection in that you don’t ever surrender your card.
So, does biometrics offer any reasonable alternative for consumer credit-card transactions? Some laptops come with fingerprint readers–could that be adapted to authenticate Internet transactions? What about point-of-sale in retail outlets? A fingerprint scanner might not be too obtrusive in a checkout line, but having a waiter approach a table with a retinal scanner after clearing the desert dishes would be a bit off-putting.
Follow me on Twitter: www.twitter.com/Rick_editor
anastasia commented:
perhaps finger print scanners or biometrics in general, isn't necessarily to protect consumers as much as it is to protect businesses. If a consumer fraudulently uses a credit card, how is the person doing the transaction supposed to know? Maybe fraud would decrease dramatically if a pin were required with every transaction. The downside is this does take a few extra seconds, which many consumers are opposed to (a few extra seconds to protect your identity?).
However, a finger print scanner can help prevent an employee from fraudulently using the consumer's information by making them explicitly accountable for any transactions made on the POS system.
So, biometrics are a great way to prevent employees from committing fraud against the consumer or the company.
