My latest technological criticism is PINs and biometrics. The criticism comes after reading an article about Japan’s efforts to develop identity technology software that relies on biometrics. The leading image of a person using their fingerprint to access an ATM piqued my interest.
The plastic that we have in our wallets, or tied to our phones, is now the dominant method of paying for things. It is also becoming increasingly common to use our body parts to access data. Passwords are potentially the worst way of securing a device, same as PINs on an ATM. They rank up there next to answering security questions if you forget your password.
I made the comment that fingerprints are more secure than a PIN, and one person challenged the idea, asking how fingerprints are more secure given that we leave imprints on everything.
He’s correct in that we leave our fingerprints everywhere. Anything we touch acquires our fingerprint; it’s the main reason law enforcement wears gloves when conducting searches. When I applied for each of the gun permits I have, I had to submit fingerprints for background checks. When a crime scene is processed, they’re looking for fingerprints. As human beings our biological footprint is just as expansive as our digital footprint (social media, purchases, and even where our devices go with us).
Then, the question becomes: If our biological footprint is so expansive, how is that more secure than a PIN?
The easy answer: Since your biology is a part of you, it’s more difficult to duplicate for the sake of malicious access. Apps can be created to circumvent PINs.
When you drive up to an ATM and insert your card, it just asks you for your PIN. The ATM has no way of verifying that you are the authorized cardholder aside from you entering the correct PIN. While there are plenty of legitimate reasons for someone to use a card that doesn’t belong to them, malicious activity with stolen cards also happens on a regular basis.
When the average consumer calls into a call center to conduct activity on their account, they’re asked to verify their name, address, and in some cases, a PIN they’ve chosen. That PIN is the only form of security between the outside world and their account. Same with the ATM; I can give anyone my card and ask them to withdraw money for me, and as long as they have my PIN, it’s easy.
Suppose that instead of inserting your ATM card to get cash, you simply touch a fingerprint reader? Instead of making a series of selections by touching a screen, you use your voice to tell the ATM to withdraw forty dollars from your savings. For those who wish to deposit checks, a separate camera takes a picture of the front and back, and treats it like a mobile upload.
Many ATMs offer the option of changing your PIN at the terminal – a service that’s best offered by a customer service person at the bank. Some allow you to transfer money between accounts – something that is best done online.
How can biometrics help with security? Imagine you’re being held up at gunpoint – the robber brings you to an ATM, and makes you withdraw all of your cash. Sure, your fingerprint will get you in, but when you tell the ATM that you want to withdraw a larger sum of money, both the tone of your voice, and the request for an abnormal amount of cash could cause the ATM to decline the transaction. If you’re lucky, maybe this ATM transmits a picture of the robber and sends it to police to investigate.
Suppose you call into a call center and you’re greeted by the auto-attendant that utilizes voice prompts and a series of questions to match your voice to your account. It succeeds and eventually transfers you into the call center. Before the agent connects the call, they are presented with a sample of your voice. Once they’ve acknowledged it, the call is connected; if the caller sounds like the sample, you have the right person. Where this might have some issues is if the account is for someone who cannot manage their own, and you are the person authorized to speak for them.
As I mentioned earlier, the elements that make up your biometric information are much tougher to reproduce than a PIN is to hack. No two people have the same fingerprint, vocal patterns, facial features, or the same two eyes. While it’s possible to be in an accident that makes your fingerprints hard to read, to change your accent or other vocal features, or to have surgery to change the makeup of your face, a PIN is a binary item that can be entered regardless of who and what you are.
One might ask: If you eliminate PINs, how would you pay for goods at point of sale?
Answer: Add your credit and debit cards to your smartphone (Apple/Android/Windows Pay). When you get to the terminal, hold your phone near the terminal and the phone should pull up the credit card. Your thumbprint processes the transaction. There are many businesses that are not yet onboard with NFC payments, but with enough encouragement, more will jump on.
Japan is making a move in the right direction, and I hope to see the United States exceed what they’re doing.