Biometrics – You can’t change them if they’re stolen

There has been a lot of discussion about “improving” the security of financial and other transactions by moving to a biometric solution. The logic is that if you authenticate a transaction with a fingerprint, a stored camera image of your face, a voice print or other means, then you will have a higher level of security than with a card, which can be stolen or copied, and a PIN, which can be compromised if discovered.

This sounds OK on the surface but it has a major flaw. If a card is stolen or a PIN is discovered then the card can be replaced and the PIN changed. This can result in a short-term inconvenience, but the security breach can be recovered from. However, some current biometric authentication methods can be compromised, and if so, the fingerprint, voice print or facial image cannot be changed to remedy the situation. Once your biometric signature is stolen, the thief has it forever.

An alternative simple solution for improved security, which is common in some parts of Europe, is for the bank to send an SMS for all transactions. For this to be compromised, a person would need to have the card, the PIN, the mobile phone and the mobile phone access code to carry out a fraudulent transaction in a face-to-face situation. For internet transactions, they would need to know the card details and the CVV. This SMS solution offers a very high level of security, and in the unlikely situation where it is compromised, the security breach can be quickly remedied.

As an added precaution, I recommend removing the CVV from all cards. The banks don’t like you doing this, but the CVV is effectively a PIN for internet transactions. The CVV is needed for internet transactions, so if your card, including the CVV, is copied, it can be used for online purchases. It’s no different from having your PIN written on your card. Removing the CVV will not affect any legitimate face-to-face transaction, as it is not needed in that case.

Another measure to increase card security is not to sign the card but to write “Ask for ID” in the signature space on the card. Although signatures are being phased out, it is still useful.

Biometrics have their place, in electronic access control systems for example, but they are a bad idea for use in financial transactions. You can’t cancel your fingerprints and order new ones.


Author: Simon Walker

Simon established Connley Walker Pty Ltd in 1996. He is a Fellow of Engineers Australia, a Registered Building Practitioner, a Member of the Australian Institute of Project Management, a Registered International Professional Engineer, a Registered APEC Engineer and an SCEC Endorsed Security Zone Consultant. He is the author of the books Operational Risk Management: Controlling Opportunities and Threats (2001, ISBN 0957907400) and Hospital and Health Care Security in Australia (2009, ISBN 978-0-9579074-1-6).