
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

Biometrics may seem like a high concept to many people. Retina scanners and handprint door locks evoke images of Netflix sci-fi dramas, but biometric technology is in everyday use right now. From facial recognition at airport security and the latest iPhone fingerprint sensor to desktop computer software, biometric authentication uses unique facial, retinal or fingerprint features to confirm a user's identity, and it is increasingly used to authorize bank payments and online transactions.

From an online security perspective, the days of weak passwords such as “Password123” and “qwerty2018” are nearly over. Single-factor authentication is vulnerable to phishing attacks and malware, and even two-factor SMS authentication is proving insecure. From this perspective, traditional passwords are not only obsolete and inefficient, but also pose a huge cybersecurity risk.

The Decline of the Password

Weak online security has led to severe data breaches in the past few years. With hackers operating on the dark Web for serious money, card data theft is a commonplace occurrence. In 2013, retail giant Target Corporation was subject to a malware hack that compromised 40 million customer credit and debit cards. Hackers were able to gain access to Target's internal network by infiltrating a third-party contractor. The data breach ended up costing the corporation a reported $148 million, according to The New York Times.

Alas, they are not alone. Other retailers, such as eBay and TJ Maxx, had 145 million and 95 million customer cards, respectively, stolen by criminal gangs. Such a gross violation of customer security is unsustainable. While multi-factor authentication has led to some improvement, the current system is a burden for users.

The use of SMS verification codes as a security measure has recently been exposed as a mere stop-gap solution because of the ability of hackers to fraudulently take over phone numbers. Biometrics meanwhile is proving to be one of the best new technologies to combat fraud and identity theft.

Fingerprints are the most recognizable form of biometrics. Their watershed moment came when Apple first included a fingerprint sensor on the iPhone in 2013. Then came the introduction of Face ID, a biometric credential that uses a 3D map of a person's face to unlock their iPhone, instead of a fingerprint or alphanumeric password.

Biometric data is making excellent progress across all major industries. Because of its security advantages, it is likely to replace traditional passwords within a generation, if not before.

Next-Gen Security for Internet Users

With the advancement of finger, face and voice identification, biometrics will provide greater security for businesses and consumers. By eliminating traditional passwords in favor of fingerprints and facial recognition, it will help guard against both theft and fraud. It will also speed up the process of logging into accounts, purchasing products and verifying identity.

Illegal activities such as phishing and cloning cards are also likely to decrease under a biometric system as it's much harder to counterfeit someone's finger or face.

That doesn't mean there are no privacy or fraud implications with the new technology.

Biometric Compliance in the United States

U.S. companies are increasingly adopting biometric technologies to help monitor their employees' attendance and day-to-day building access. These obvious security benefits come with fresh legal scrutiny, so companies must learn about employees' biometric data privacy rights.

The State of Illinois passed the Biometric Information Privacy Act (BIPA) in 2008 to regulate the way companies collect, store and disclose biometric information. BIPA requires employers to obtain their staff's consent before collecting their data, and take strict measures to save and protect any biometric information they may receive. Employers in Illinois are now prohibited from disclosing their staff's biometric information — unless there are legal provisions to do so. They are also forbidden to sell, lease, trade or profit from an employee's biometric data. Comparable legislation is now pending in several other states, such as Washington and Texas.

With concerns about privacy increasing, BIPA-style legislation is likely to be adopted elsewhere as companies embrace biometric technology.

General Data Protection Regulation (GDPR)

In 2016, the EU adopted the General Data Protection Regulation (GDPR), which is considered one of its greatest legislative achievements. Until then, the EU relied on existing data protection and privacy provisions, and there were no specific guidelines regarding biometric privacy. With GDPR coming into force on May 25, 2018, there is now clear guidance, applicable to all EU countries, regarding the protection of personal and biometric data.

GDPR's primary purpose is to give EU citizens control over their data while simplifying the regulatory framework for companies. The new legislation explicitly states that biometric data is a “sensitive” category of personal information, warranting robust protection. Biometric data is now a standalone category of sensitive personal data, and GDPR prohibits the processing of EU citizens' biometric data without the explicit consent of the user.

It's not only EU citizens who benefit from biometric data protection: holding less personal data on their books reduces the risk of non-compliance for companies and organizations.

Biometric Revolution in India

Biometrics is a global phenomenon and its biggest success story so far took place in India. The “Aadhaar Project” is the world's largest biometric identification system. Under the mass registration scheme, all Indian residents receive a 12-digit unique identification number based on their biographic and biometric data (a photograph, 10 fingerprints and two iris scans).

1.2 billion people now have an Aadhaar number and the Indian Finance Minister, Arun Jaitley, recently said that the Aadhaar project is providing every Indian with a government-approved identity and the ability to access public services more easily than ever before. Jaitley also claims the scheme reduces corruption and the cost of delivering public services.

However, while the collection of biometric data in such a vastly populated country as India is impressive, one must not forget the importance of secure storage. In the case of Aadhaar, centralized government databases will act as magnets for hackers because of the rich biometric data they contain. A breach of this data could be catastrophic for the individuals involved, which is why better database technology must be used in conjunction with biometric data collection.

Biometrics on the Blockchain

Vastly improved data storage technology comes in the shape of blockchain which, alongside biometrics, represents the future of identity and payments. Blockchain is a decentralized digital ledger, which is virtually impossible to hack and much more secure than the centralized databases that exist today.

Even more significantly, it means that individuals do not even have to share their data to transact. Tokens, references or attestations that represent this data can be exchanged in order to verify an individual's identity and make simple e-commerce payments.

In practice, this is not only convenient for the consumer; it also helps the retailers they interact with. For example, one of the clauses in the EU's Second Payment Services Directive (PSD2) states that consumers will no longer be able to make contactless payments indefinitely without any other form of security check or identity verification. Banks and retailers fear this recurring need to verify identities will harm the straightforward contactless experience to which consumers have become accustomed.

However, by using digital tokens that represent biometric verifications, the same quick and easy contactless experience can be maintained while also meeting PSD2 requirements.
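The token idea above can be made concrete: the party that performed the biometric check issues a short-lived, authenticated attestation, and the retailer verifies that attestation without ever receiving a fingerprint or face template. This is an added illustration, not code from the article or from Nuggets; it assumes a shared HMAC key between issuer and verifier for simplicity (a real deployment would use asymmetric signatures), and the subject reference and method names are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical key shared by the biometric-checking party (e.g. a bank app)
# and the accepting party (e.g. a retailer). Demonstration value only.
ISSUER_KEY = b"demo-shared-key-not-for-production"

# Verification methods the retailer is willing to accept as a strong factor.
ALLOWED_METHODS = {"fingerprint", "face"}


def issue_attestation(subject_ref: str, method: str, now: float, ttl: int = 120) -> str:
    """Build a token stating that a biometric check of `method` succeeded.
    Only an opaque subject reference travels; no template or raw biometric data."""
    claims = {
        "sub": subject_ref,          # opaque customer reference, not identity data
        "amr": method,               # which biometric method was used
        "iat": int(now),             # issued at
        "exp": int(now) + ttl,       # short lifetime limits reuse of a leaked token
        "jti": secrets.token_hex(8), # unique id so the verifier can reject replays
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return body.hex() + "." + tag.hex()


def verify_attestation(token: str, now: float, seen_ids: set) -> Optional[dict]:
    """Return the claims if the token is authentic, fresh, unused and of an
    accepted method; otherwise return None. `seen_ids` tracks consumed tokens."""
    try:
        body_hex, tag_hex = token.split(".")
        body, tag = bytes.fromhex(body_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged
    claims = json.loads(body)
    if claims.get("amr") not in ALLOWED_METHODS:
        return None  # not a biometric factor we accept
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # expired or not yet valid
    if claims["jti"] in seen_ids:
        return None  # replayed token
    seen_ids.add(claims["jti"])
    return claims
```

The retailer's side holds only the verification key and a set of consumed token ids, so a breach of its systems exposes no biometric material.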

Securing Your Biometric Identity

When it comes to identity management, biometric authentication has been part of the data protection system for decades. For example, if you lose your driver's license, you will not only have to complete another form and ratify it with your birth certificate, the authorities will also need facial recognition to match your photo in their database. Your facial ID and fingerprints are intrinsic physical proof of who you are.

It's understandable that individuals are wary of the increasing amount of data required, including personal biometrics, when you consider the obvious vulnerabilities of how this data is currently stored. However, what blockchain technology provides is the reassurance that this data is more secure from hackers' attacks and it is under an individual's full control.

By combining biometrics and the blockchain, a user's identity will stay inside a secure distributed ledger system, meaning they have complete control over it. In the financial sector, biometrics and blockchain technology will make it extremely difficult for fraudsters to counterfeit someone's identity due to a combination of decentralization and physical forensics.

Fighting Financial Fraud

A recent Nilson Report, published in July 2018, put payment card fraud losses at $24.71 billion. Alarmingly for U.S. credit card issuers, 47% of these fraud losses took place in the United States. Dark Web criminals frequently target credit card payments, and Constantin von Altrock, IBM's Counter Fraud Management Director, recently said that payment fraud is a $20 billion-a-year issue.

Unlike traditional passwords, biometric sensors and blockchain technology make it far more difficult for criminals to hack our financial institutions. That will be the litmus test for biometric software in the future. As these technologies scale and bring their security advantages to data protection, a world without weak passwords and broken networks will finally be at our fingertips.


Alastair Johnson is the CEO of Nuggets, an e-commerce payments and ID platform.