Fighting Biometric Fraud on the Blockchain
The use of SMS verification codes as a security measure has recently been exposed as a mere stop-gap solution, but meanwhile biometrics is proving to be one of the best new technologies to combat fraud and identity theft.
October 26, 2018 at 09:30 AM
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.
Biometrics may seem like a high concept to many people. Retina eye scanners and handprint door locks evoke images of Netflix sci-fi dramas, but biometric technology is in use right now. From facial recognition in airport security and the latest iPhone fingerprint sensor to desktop computer software, biometric authentication uses unique facial, retinal or fingerprint recognition to confirm a user's identity, and is being increasingly used to establish bank payments and online transactions.
From an online security perspective, the days of weak passwords such as “Password123” and “qwerty2018” are nearly over. Single-factor authentication is vulnerable to phishing attacks and malware, and even two-factor SMS authentication is proving insecure. From this perspective, not only are traditional passwords obsolete and inefficient, but they also pose a huge cybersecurity risk.
The Decline of the Password
Weak online security has led to severe data breaches in the past few years. With hackers operating on the dark Web for serious money, card data theft is a commonplace occurrence. In 2013, retail giant Target Corporation was subject to a malware hack that compromised 40 million customer credit and debit cards. Hackers were able to gain access to Target's internal network by infiltrating a third-party contractor. The data breach ended up costing the corporation a reported $148 million, according to The New York Times.
Alas, they are not alone. Other retailers, such as eBay and TJ Maxx, had 145 million and 95 million customer cards, respectively, stolen by criminal gangs. Such a gross violation of customer security is unsustainable. While multi-factor authentication has led to some improvement, the current system is a burden for users.
The use of SMS verification codes as a security measure has recently been exposed as a mere stop-gap solution because of the ability of hackers to fraudulently take over phone numbers. Biometrics meanwhile is proving to be one of the best new technologies to combat fraud and identity theft.
Fingerprints are the most recognizable feature of biometrics. The technology's watershed moment came when Apple first included a fingerprint sensor on its iPhone in 2013. Then came the introduction of Face ID, a biometric password that uses a 3D map of a person's face to access their iPhone, instead of a fingerprint or alphanumeric passcode.
Biometric data is making excellent progress across all major industries. Because of its security advantages, it is likely to replace traditional passwords within a generation if not before.
Next-Gen Security for Internet Users
With the advancement of finger, face and voice identification, biometrics will provide greater security for businesses and consumers. By eliminating traditional passwords in favor of fingerprints and facial recognition, it will help guard against both theft and fraud. It will also speed up the process of logging into accounts, purchasing products and verifying identity.
Illegal activities such as phishing and cloning cards are also likely to decrease under a biometric system as it's much harder to counterfeit someone's finger or face.
That doesn't mean there are no privacy or fraud implications with the new technology.
Biometric Compliance in the United States
U.S. companies are increasingly adopting biometric technologies to help monitor their employees' attendance and day-to-day building access. These obvious security benefits come with fresh legal scrutiny, so companies must learn about employees' biometric data privacy rights.
The State of Illinois passed the Biometric Information Privacy Act (BIPA) in 2008 to regulate the way companies collect, store and disclose biometric information. BIPA requires employers to obtain their staff's consent before collecting their data, and take strict measures to save and protect any biometric information they may receive. Employers in Illinois are now prohibited from disclosing their staff's biometric information — unless there are legal provisions to do so. They are also forbidden to sell, lease, trade or profit from an employee's biometric data. Comparable legislation is now pending in several other states, such as Washington and Texas.
With concerns about privacy increasing, BIPA-style legislation is likely to be adopted elsewhere as companies embrace biometric technology.
General Data Protection Regulation (GDPR)
In 2016, the EU adopted the General Data Protection Regulation (GDPR), which is considered one of its greatest legislative achievements. Until then, its legislature relied on existing data protection and privacy provisions and there were no specific guidelines regarding biometric privacy. With GDPR coming into force on May 25, 2018, there is now clear information applicable to all EU countries regarding the protection of personal and biometric data.
GDPR's primary purpose is to give EU citizens control over their data while simplifying the regulatory framework for companies. The new legislation explicitly states that biometric data is a “sensitive” category of personal information, warranting robust protection. Biometric data is now a standalone category of sensitive personal data, and GDPR prohibits the processing of EU citizens' data without the explicit consent of the user.
It's not only EU citizens who benefit from biometric data protection passwords; having less data on their books reduces the risk of non-compliance for companies and organizations.
Biometric Revolution in India
Biometrics is a global phenomenon and its biggest success story so far took place in India. The “Aadhaar Project” is the world's largest biometric identification system. Under the mass registration scheme, all Indian residents receive a 12-digit unique identification number based on their biographic and biometric data (a photograph, 10 fingerprints and two iris scans).
1.2 billion people now have an Aadhaar number and the Indian Finance Minister, Arun Jaitley, recently said that the Aadhaar project is providing every Indian with a government-approved identity and the ability to access public services more easily than ever before. Jaitley also claims the scheme reduces corruption and the cost of delivering public services.
However, while the collection of biometric data in such a vastly populated country as India is impressive, one must not forget the importance of secure storage. In the case of Aadhaar, centralized government databases will act as magnets for hackers because of the rich biometric data they contain. A breach of this data could be catastrophic for the individuals involved, which is why better database technology must be used in conjunction with biometric data collection.
Biometrics on the Blockchain
Vastly improved data storage technology comes in the shape of blockchain which, alongside biometrics, represents the future of identity and payments. Blockchain is a decentralized digital ledger, which is virtually impossible to hack and much more secure than the centralized databases that exist today.
Even more significantly, it means that individuals do not even have to share their data to transact. Tokens, references and/or attestations that represent this data can be exchanged in order to verify an individual's identity and make simple e-commerce payments.
In practice, this is not only convenient for the consumer, it also helps the retailers they interact with. For example, one of the clauses in the EU's Second Payment Services Directive (PSD2) states that consumers will no longer be able to constantly make contactless payments without any other form of security check or identity verification. Banks and retailers fear this constant need to verify identities will harm the straightforward contactless experience to which consumers have become accustomed.
However, by using digital tokens that represent biometric verifications, the same quick and easy contactless experience can be maintained while also meeting PSD2 requirements.
Securing Your Biometric Identity
When it comes to identity management, biometric authentication has been part of the data protection system for decades. For example, if you lose your driver's license, you will not only have to complete another form and ratify it with your birth certificate, the authorities will also need facial recognition to match your photo in their database. Your facial ID and fingerprints are intrinsic physical proof of who you are.
It's understandable that individuals are wary of the increasing amount of data required, including personal biometrics, when you consider the obvious vulnerabilities of how this data is currently stored. However, what blockchain technology provides is the reassurance that this data is more secure from hackers' attacks and it is under an individual's full control.
By combining biometrics and the blockchain, a user's identity will stay inside a secure distributed ledger system, meaning they have complete control over it. In the financial sector, biometrics and blockchain technology will make it extremely difficult for fraudsters to counterfeit someone's identity due to a combination of decentralization and physical forensics.
Fighting Financial Fraud
A recent Nilson Report revealed that payment card fraud had reported $24.71 billion in losses in July 2018. Alarmingly for U.S. credit card issuers, 47% of these fraud losses took place in the United States. Dark Web criminals frequently target credit card payments, and Constantin von Altrock, IBM's Counter Fraud Management Director, recently said that payment fraud is a $20 billion-a-year issue.
Unlike traditional passwords, biometric sensors and blockchain technology make it far more difficult for criminals to hack our financial institutions. That will be a litmus test for biometric software in the future. As they scale out the security advantages and secure our data protection, a world without weak passwords and broken networks will finally be at our fingertips.
Alastair Johnson is the CEO of Nuggets, an e-commerce payments and ID platform.