You don’t have to wear a tinfoil hat, be a civil liberties activist, a pro-business lobbyist, or even an entrenched deep-state spook to recognize that security, convenience, and privacy are in a perpetual state of conflict. Often, the solution to a real (or imagined) security threat is, somewhat counter-intuitively, less privacy – or, more accurately, we are asked to trust various entities (the federal government, Google, AT&T, etc…) with more and more private data. Increasingly, it’s no longer simply our Social Security Number and mother’s maiden name, it’s the unique biological bits and pieces that make us us.
We unlock our phones and other devices with our fingerprint, even though this may be your phones biggest vulnerability. ERGO wants to use your ear, and Apple is doing what Microsoft has done with some of their Windows-based handsets and using your face to unlock your phone. If that isn’t enough, we “track” and store our health and location with any number of wearable devices and even “smart” mattress covers.
At virtually every major airport we are asked to step into a machine, that could easily be mistaken for a cloning device, and stand with our arms and legs outstretched, allowing a TSA Security Theater Expert agent to snap an impossibly creepy, if not compromising, picture of you.
In June, the South Wales Police will be scanning the faces of an estimated 170,000 Champions League Football fans in and around Principality Stadium. According to Vice, the images will then be compared, in real time, to a database of 500,000 images, alerting the police to any potential “person of interest”.
Over 2 million people, myself included, have given the privately held genomics company, 23andMe, access to their DNA.
So, it should come as no surprise that biometrics will soon be a common security feature on your credit/debit cards. Mastercard recently unveiled the “next generation biometric card” which combines current chip technology with your fingerprint:
How It Works
A cardholder enrolls their card by simply registering with their financial institution. Upon registration, their fingerprint is converted into an encrypted digital template that is stored on the card. The card is now ready to be used at any EMV card terminal globally.
When shopping and paying in-store, the biometric card works like any other chip card. The cardholder simply dips the card into a retailer’s terminal while placing their finger on the embedded sensor. The fingerprint is verified against the template and – if the biometrics match – the cardholder is successfully authenticated and the transaction can then be approved with the card never leaving the consumer’s hand.
Authenticating a payment transaction biometrically – in this instance via a fingerprint – confirms in a very unique way that the person using the card is the genuine cardholder.
Merchants can easily maximize the shopping experience delivered to their customers, as the card works with existing EMV card terminal infrastructure and does not require any new hardware or software upgrades.
For issuers, the technology helps detect and prevent fraud, increase approval rates, reduce operational costs and foster customer loyalty. Additionally, a future version of the card will feature contactless technology, adding to the simplicity and convenience at checkout.
In addition to incorporating your fingerprint, Mastercard has also partnered with biometrics company Nymi to test the viability of using your heartbeat as a form of authentication – a “solution” that makes me feel uncomfortable on a visceral level, though I don’t think I can explain why.
To be clear, this technology is a big step forward in protecting consumers and retailers at the point of sale and my intention is not to stoke unwarranted, ludditical fears of burgeoning technologies. I love technological advancements risk and all. I’m a frequent “early adopter”, every room of my house is “connected” to various smart devices, my security cameras know when I leave the house and Alexa has enabled me to be lazier than usual. I understand and accept that there is a real risk to linking my home to the “Internet of Things”, but as far as I can tell, very few new technologies pose such a uniquely personal risk.
“Biometrics are tricky […] They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.”
And while the exploit highlighted by The Verge to “hack” your fingerprint is fairly primitive, there is no reason to think more sophisticated tricks won’t be developed. Add to that the near-weekly news of data breaches and leaks, what confidence can you, as a consumer, have that your biometric data is any more secure than the petabytes of data leaked and/or stolen over the last few years.
The ability to securely process transactions and protect consumers from fraud and theft should hold the highest priority for every company tasked with handling sensitive data, but we need to make sure we are properly accounting for the risks, and based on the reporting coming from media outlets like The Verge, Wired, Vice, and organizations like the Electronic Frontier Foundation, the risks associated with incorporating biometric data appears to be quite high.
The average consumer can recover from a compromised password, PIN, or stolen personal photos. You come up with a new password. You set up a new PIN. You… well… I’m not sure what you do about the photos thing. My point is, how consumers recover from compromised biometric data is unclear, which means the folks clamoring to incorporate this new technology need to clearly understand the risks, develop consumer-friendly best practices and establish a protocol that properly addresses the breaches that will occur before the bad guys find a way to turn your biometric data into a valuable black market commodity.
Like what you’ve just read? Why not subscribe to the Blue Dog Blog?