The big money will be in wing-wang scanners. Gratification from the purchase suitably augmented.
By 2019, vendors will have sucked out your ID along with your cash 5 billion times
Research house Juniper has stared into its crystal ball and discovered that the number of biometrically authenticated payment transactions will reach nearly five billion by 2019, up from a mere 130 million currently. Apple Pay and Samsung are the only providers that currently use fingerprint scanners for authentication, with …
COMMENTS
-
Tuesday 27th October 2015 14:53 GMT Anonymous Coward
What about security of voice biometrics?
I think that voice biometrics have the advantage that they are more difficult to break than e.g. fingerprint (or presumably iris) spoofing. Yes there are voice replay attacks (recording and re-playing someone else's voice), but I believe that is more easily detectable/preventable, and I could still re-enlist my voice in the system (i.e. my voice isn't permanently compromised - unless speech synthesis becomes amazingly sophisticated). Any thoughts from biometric experts on here?
-
Tuesday 27th October 2015 16:25 GMT Roland6
Re: What about security of voice biometrics?
From work I did on natural language processing, I suggest that "voice recognition" is subject to the same problems as other biometrics. However, "continuous speech recognition", where you are sampling and analysing a conversation, is a much more secure and reliable means of identification. It is a bit like footprints - it is easy to replicate a single footprint, but try and replicate someone's walk and you'll see the differences.
-
Wednesday 28th October 2015 11:02 GMT h4rm0ny
Re: What about security of voice biometrics?
However, getting samples of people's voices should be a lot easier than getting their passwords (excepting TalkTalk customers, obviously). Just get someone talking online or on the phone for a few minutes and you have a decent sample. Reproducing someone's voice to a degree sufficient to fool an ID system may simply not be done yet because there's no need. But I reckon you could extrapolate the necessary indicators from a few minutes talking once we really apply ourselves. You'll have the pitch, tremulousnouss (word?) and be able to take a good stab at accent.
Remember voice analysis to id someone is just the other half of the coin to reproduce those qualities in a voice used to id someone. It's the same technology, just run backwards.
Biometrics are only secure so long as the "private key" is secure. And people think the private key of biometric security is the thing itself but it's not, it's the digital representation of that thing.
-
Tuesday 27th October 2015 15:04 GMT Jusme
No thanks...
Three problems with biometrics.
1) The human body isn't suited to being machine-readable. This means either the match is fussy (got a cold? No cookies for you today) or lax (1-in-100-or-less false positives). Most systems tend to the latter, else they're deemed to "not work".
2) You only have one identity. Different finger for each website is a bit limiting, and once you've given your DNA sample to $badBoys (via cutekittens.org) they can impersonate you anywhere, forever.
3) You can't change your biometric identity. Once it's compromised - tough.
Proper 2-factor authentication is the way to go (i.e. something you have and something you know, not something you know and something else you know asked in a really awkward way, as some sites seem to think...)
-
Tuesday 27th October 2015 15:31 GMT Anonymous Coward
Re: No thanks...
But what happens when you have nothing and know very little due to a terrible memory? That's the problem with passwords right now (people can't remember them), yet no one's been able to provide a suitable alternative, particularly for those who don't regularly travel with phones (court employees, perhaps; most courts ban electronics due to multiple security concerns) or, like I said, have terrible memories.
-
Wednesday 28th October 2015 20:43 GMT Charles 9
Re: No thanks...
You know, that xkcd comic fails to consider two types of people: masochists and true weaklings. Masochists would see the wrench and go, "Yeah! Hit me more!" while true weaklings wouldn't give up the code; they'd give up their consciousness at the sight of the wrench. Either way, you're more likely to kill them than get the codes from them.
-
Tuesday 27th October 2015 17:45 GMT Anonymous Coward
Re: No thanks...
"Something I have... a wedge of high security paper/cotton printed vouchers each with a unique serial number and anti-forgery devices embedded.
Something I know... which pocket I keep them in."
Sounds like something potentially problematic during a heavy rain (a passing car can splash you or you can slip and fall into a puddle).
-
Wednesday 28th October 2015 10:24 GMT hoola
Re: No thanks...
At least you can dry those out and they do not require power. if your phone gets wet, dropped, trodden on or the battery goes flat you are stuffed.
The trouble is that in the UK, schools are pushing biometrics for the critical job of paying for meals etc. The punch line on this is "the system does not store your fingerprint, it turns it into a number and is totally secure". When I asked where the data was held nobody knows. The company that hawks the system to many schools has no clue and states that the data is encrypted, therefore it is completely safe. Currently you can opt out but this is never mentioned in any of the induction meetings and most parents appear to not care.
The pupils complain that it is slower than the old NFC cards and at least if they are wearing one, it has a photo on it.
-
Wednesday 28th October 2015 20:46 GMT Charles 9
Re: No thanks...
"The trouble is that in the UK, schools are pushing biometrics for the critical job of paying for meals etc."
Just wondering. Was there a high incidence of lost or stolen cards in the past? That may have been a reason to push for a method of authentication much harder to lose (it would have to take a serious accident to lose one's finger or have one's fingerprint permanently marred).
-
Tuesday 27th October 2015 16:34 GMT Roland6
Re: No thanks...
>But what happens when you have nothing and know very little due to a terrible memory?
Well the real issue is just how bad your memory is; I suggest that if you are capable of independent living - something that can apply to dementia sufferers - there are things that you do remember, the issue is plugging into them and using them as forms of two factor authentication. For example, one of my bank cards now asks me 'random' multi-choice questions based on information they hold and have gathered over the years as part of their payment authentication and authorisation process.
-
Tuesday 27th October 2015 16:55 GMT Dave 126
Re: No thanks...
>those who don't regularly travel with phones (court employees, perhaps; most courts ban electronics due to multiple security concerns) or, like I said, have terrible memories.
I doubt courts have an issue with RSA hardware tokens.
https://en.wikipedia.org/wiki/RSA_SecurID
-
Tuesday 27th October 2015 23:02 GMT Roland6
Re: No thanks...
>"And for those practically helpless yet adamant they can live independently"
Well as I said, the problem is linking into what they do remember...
However, as you indicate people can be their own worst enemy and so insist on using a password when, in fact, they should be letting the bank ask them questions to which they will know the answer. But yes I do know people who even forget the names of their own children and refer to them as numbers 1, 2, 3 and 4, yet can remember the names of neighbours, friends and relatives!
-
Tuesday 27th October 2015 15:38 GMT Richard Jones 1
Safety Check
No movable pocket minicomputer: Check
No obsession with over priced toys: Check
No interest in gimmicks: Check
Existing perfectly serviceable payment systems: Check
Some potentially crap potential service suppliers: Check but NOT wanted.
Sort out the present problems, do not build a whole hill of new unknown issues to climb over and sort out.
-
Tuesday 27th October 2015 15:53 GMT MacGyver
So...
Why not require that each service NOT be able to hold your biometric data and rather a sort of hash that their specific billing program generates. That way if I use my thumb to buy a coke with a Chase bank app, the app generates a hash based upon the biometric that it read, and sends that hash to the bank to be checked against their stored hash. Make it the law that each payment app behave this way and not simply archive a fingerprint, and that no company can share their hash generating algorithms with another biometric validating app (so that they aren't being lazy and just using one hash generating algorithm per person thereby making that one hash our defacto identity everywhere). If they all have a different hash, and their app is doing the generation, and they all can't share, then no one has any of our real biometrics stored. In the event of a "data breach" they simply update their program to create and use a new hash, the data that was stolen is now worthless.
Maybe I'm not thinking it through all the way, why wouldn't this solve the problem?
-
Tuesday 27th October 2015 17:36 GMT Anonymous Coward
Re: So...
There are ways to prevent that, assuming we're only talking phone scanners and not POS scanners etc. but biometrics as 1FA are a really bad idea.
They're acceptable for things like registration and cashless catering, where the whole process is on a LAN, only a hash is stored, and the scanner calculates and sends only a hash to the backend authentication system, but a POS scanner in a supermarket won't have the grunt to calculate the hash in the short period it'd have to, unless they're building them out of decent hardware (hint: they won't).
Biometrics as 2FA would make more sense.
-
Tuesday 27th October 2015 16:45 GMT Ugotta B. Kiddingme
extending to medical services as well
My doctor's office here in southern US has recently installed palm scanners for use at check-in as a means to "speed the check-in process." I politely declined and handed over my medical insurance card like I always have. The lady looked at me with incredulity and inquired why I wouldn't want a faster check-in. I smiled and told her that if she had merely processed my insurance card rather than question me, check-in would already be complete and take no more time than their "new" method. She shrugged and did it "the old way" and I took my seat in the waiting area for my appointment.
I didn't bother to waste anyone's time explaining why this process was flawed and risky. I did explain to the doctor that I will simply continue as I always have, using identification and insurance cards and, should they make using the scanners compulsory, I and my family will take our medical business elsewhere.
-
Tuesday 27th October 2015 18:14 GMT Mark 85
Re: extending to medical services as well
For the medical establishment to enforce this is just plain stupid. It presumes that you have hands and that said hands haven't been damaged (cut, burned, etc.) since the first time you scanned them for reference. So smack your hand with a hammer and you probably won't be able to get medical attention.
-
Tuesday 27th October 2015 18:16 GMT Anonymous Coward
Insofar as it is possible, then yes. I can certainly do without trinkets. Of course the real test would be when it's something that I need -as opposed to want- with no alternative supply.
Not especially concerned by the required by law part...if such a howlingly flawed and self-serving law were passed; I would feel no especial compulsion to obey it.
-
Tuesday 27th October 2015 22:00 GMT Captain DaFt
"Would you be willing to go without if it's bio or bust (as in ALL the vendors do it, especially if required by law)?"
As far as non-essential uses go, comply fully.
As far as essential uses go, comply only if there wasn't a work-around.
Why? Because it would ensure that within two years using biometrics for security would be banned as unsafe, since so many baddies would be spoofing it as to render it useless.
-
Tuesday 27th October 2015 19:30 GMT Flashfox
Are biometrics safe?
Although biometrics are a safe way to provide identity, there is a dark side as noted in other posts. Once the device stores your biometric data it can be hacked even if encrypted. I am certain that some will find ways to be able to use the stolen biometric info to impersonate you.
Are we heading towards the "unique chip implant" where this data is not on the device but in the implant? It would be secure as the data can include your unique DNA and/or other physiological items which would be combined to make up the unique "MyID".
Anyone for "666"? :-)
-
Tuesday 27th October 2015 19:54 GMT GW7
Re: Are biometrics safe?
Somebody's been watching too many Bond movies if they think biometrics are safe or reliable. Using the same fingerprint to access multiple services (banks, medical etc.) is about as secure as using the same password for them all, and not being able to change any of them ever. If this ill conceived technology becomes mainstream, I shall be abrading my fingerprints on a sanding machine to ensure a more reliable and secure method of authentication has to be used. Not sure what to do about the eyes though.
-
Wednesday 28th October 2015 09:58 GMT Anonymous Coward
Re: Are biometrics safe?
"Not sure what to do about the eyes though."
The same sanding machine will work, I would guess.
I can't see competitive markets wanting to play with biometrics. Imagine if Talk Talk had lost the biometric data of their customers. Even payment processors like Visa have kept away from effective but challenging security (hence the survival of the laughable and unwanted "Verified by Visa"), so I can't see them wanting to be responsible for biometric data. And it is people like the payments processors that have most to lose from the irretrievable and permanent nature of a biometric data breach.
The other thing to consider is that currently pathetic data protection laws will change (whether EU driven or outside of the EU), and as part of that penalties will become a lot harsher, and the requirements far more stringent. In that respect the Talk Talk breach is a good thing, that has concentrated minds in a way that (eg) the Carphone Warehouse breach a couple of months back did not. With much more serious penalties (and I suspect the prospect of corporate liability for subsequent losses and restitution), who would want to be sitting on a stash of biometric data? I can see fingerprint scanners disappearing from phones in short order.
-
Tuesday 27th October 2015 22:10 GMT Anonymous Coward
Only reason I might start using Apple Pay
Is because paying by card in the US with the chipped cards is a big slow hassle! It used to be you could just swipe your card, and optionally sign if the purchase was over a certain limit ($50 in many places) so it was as fast as could be. I always said there was no reason to want to pay via NFC because it wouldn't make things any faster so what's the point (this was back when Android phones had NFC payments that didn't use EMV but rather passed your actual credit card number so they offered zero added security)
With the chip readers in the US you have to swipe your card, wait for it to tell you to insert your card instead (you can't just insert it first, I have no idea why) then insert your card and wait 10-15 seconds while it does who knows what until it tells you it is OK to remove your card.
Fortunately places around where I live are just starting to upgrade their readers, and those I frequent haven't yet. So I haven't taken the time to get set up for Apple Pay yet, but when I do I'm going to try it just to see if this speeds things up, which I imagine it will. I can't understand how they could have made the new process so slow - was there no user acceptance testing?
-
Tuesday 27th October 2015 23:09 GMT Roland6
Re: Only reason I might start using Apple Pay
I doubt Apple Pay will actually be any quicker as instead of waiting for it to tell you to insert your card, you will be waiting for it to tell you to place your phone over the pad, then wait a further 10-15 seconds whilst they negotiate the transaction...
-
Wednesday 28th October 2015 01:02 GMT GW7
Re: Only reason I might start using Apple Pay
"I can't understand how they could have made the new process so slow - was there no user acceptance testing?"
I guess there was much user acceptance testing by the users who commissioned NFC payment systems - the banks.
I wouldn't trust any form of electromagnetic payments as far as I could spit. Many phones now have NFC and chances are an exploit will be found that will enable your NFC credit cards to be syphoned by anyone with a malicious app who can get physically close enough. Someone will work out how. When that happens, carrying a wallet full of cash down a dimly lit street at 3am will be safer, as long as you are prepared to drop it if threatened. In any case, what does a person do when a knife is held to their throat for their apple/google wallet? "We're taking your phone + fingers/eyes so we can get your cash"? No thank you.
-
Wednesday 28th October 2015 07:13 GMT Pascal Monett
Biometric payment systems, pah !
My fingerprints are like my privacy : I have nothing to hide and it's nobody's business but mine.
My biometrics on a smartphone ? Those things are already a prime target for malware and now you want to add more interest to the things ?
No thanks, I'll stick to VISA and cash. Pin and chip is way better than fingerprints : if your card is compromised, just ask for another one.
-
Wednesday 28th October 2015 14:49 GMT DryBones
Hmm
Seems kind of sensational. From what I understand, the biometric info is digitized, encrypted and stored on the device, maybe a copy sent to the OS masters for cloud storage. Authentication is done on the device and what's shared out is a unique transaction verifier.
So, vendors sucking out your biometric ID? Only if the implementation is utter pants.
-
Thursday 29th October 2015 04:03 GMT Jin
Unless used very wisely, biometrics could end up pleasing criminals.
Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at
http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802
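The AND/OR argument in the post above, put into numbers as an added example (not from the thread or the linked slides): an impostor's chance of getting in under a password-only policy, a biometric-AND-password policy, and a biometric-OR-fallback-password policy. The false acceptance rate, password guess probability and attempt budget are assumed figures chosen for illustration, not measurements of any product.

```python
# Added example, not code from the thread. Models the impostor's success
# probability under the factor-composition policies discussed above.
# All rates below are constructed assumptions.

def attacker_success(per_attempt: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent tries succeeds."""
    return 1.0 - (1.0 - per_attempt) ** attempts


def policy_success(policy: str, far: float, guess: float, attempts: int) -> float:
    """Impostor's probability of passing `policy` within the attempt budget.

    far     biometric false acceptance rate per presentation (assumed value)
    guess   probability that one password guess is correct (assumed value)
    attempts  rounds the attacker gets before lockout; in each round we assume
              one biometric presentation and one password guess are possible

    policies:
      'biometric'  biometric alone
      'password'   password alone
      'and'        biometric AND password: both must pass in the same round
      'or'         biometric OR fallback password: either suffices, as with
                   products that accept a backup passcode after sensor rejection
    """
    if policy == "biometric":
        p = far
    elif policy == "password":
        p = guess
    elif policy == "and":
        p = far * guess
    elif policy == "or":
        # Fails only if both the presentation and the guess fail.
        p = 1.0 - (1.0 - far) * (1.0 - guess)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return attacker_success(p, attempts)


def compare_policies(far: float, guess: float, attempts: int) -> dict:
    """Success probability for every policy, for side-by-side comparison."""
    return {name: policy_success(name, far, guess, attempts)
            for name in ("biometric", "password", "and", "or")}


if __name__ == "__main__":
    # Assumed figures: FAR of 1 in 50,000 per presentation, a 4-digit PIN
    # guessed at 1 in 10,000 per try, and 5 rounds before lockout.
    for name, prob in compare_policies(2e-5, 1e-4, 5).items():
        print(f"{name:10s} {prob:.3e}")
```

With those assumed figures the OR policy is the weakest of the four and the AND policy the strongest, which is the ordering the post argues for: a fallback password added by disjunction can only raise the impostor's odds, never lower them.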
-
Thursday 29th October 2015 11:29 GMT Anonymous Coward
Re: Unless used very wisely, biometrics could end up pleasing criminals.
So what happens when the situation is TOO tough because people have bad memories, but the highest level of security people are comfortable with is too low for security-conscious head honchos to be comfortable with? How do you run a business where regulation requires the use of passwords or key cards but even your best employees are too prone to forgetting their credentials?
-