How Secure are Biometric Payments?

There’s been a lot of buzz around the payments industry lately with news about MasterCard testing “selfie pay” and banks like Wells Fargo experimenting with eyeball scanning software.

Surveys show that people like these approaches because they are more convenient than using passwords, but they do raise questions about how secure they really are.

MasterCard Makes Selfie Pay a Reality

Wells Fargo to Verify Customers through Eye Prints

Can biometrics apps be fooled?

I’ve seen the movie Avatar and I can tell you that computer-generated images can be pretty darn realistic. It’s not that difficult to start with a still image from a Facebook post and animate it enough to fool a biometrics app.

It might be more difficult to get an image of someone’s eyes, but is it really that hard? How many close-up selfies get posted every year?

There have also been several large data breaches that contained fingerprint information, so even that data might not be safe.

Severe Weaknesses in Android Handsets could Leak Fingerprints

OPM now Says more than Five Million Fingerprints Compromised

Once your data is stolen, you are out of luck, since there is no way to change your personal data.

Even if your data is not stolen, recent research has shown that fingerprint sensors can be compromised with “master prints” containing common fingerprint features.

Fingerprint Sensor not as Secure as you Think

Biometric enrollment fraud

The dirty little secret of biometrics is that enrollment is the weakest link and in some cases makes fraud easier to commit than non-biometric systems.

Imagine that your bank is rolling out voice identification to verify your identity, but for it to work, they need several samples of your voice recorded in their system.

If a thief is the first one to call up and record their voiceprint, then they can bypass the new security measure that is meant to be safer.
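The enrollment gap described above, as an added example that is not part of the original post: a toy model contrasting first-caller enrollment with enrollment gated on a one-time code sent to contact details already on file. The class, method names, account id and string "voiceprints" are all hypothetical, and code delivery is not modelled.

```python
import hashlib, hmac, secrets, time

class VoiceEnrollment:
    """Toy model of a bank's voiceprint enrollment (all names hypothetical)."""
    CODE_TTL = 600  # seconds an enrollment code stays valid

    def __init__(self):
        self.templates = {}  # account -> enrolled voiceprint (string stand-in)
        self.pending = {}    # account -> (sha256 of code, expiry time)

    def enroll_first_caller(self, account, voiceprint):
        # Weak: nothing ties the caller to the account, so the first voice wins.
        if account in self.templates:
            return False
        self.templates[account] = voiceprint
        return True

    def issue_code(self, account, now=None):
        # Hardened step 1: a random code goes out of band to an address or
        # phone number that was on file before enrollment began.
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[account] = (digest, now + self.CODE_TTL)
        return code

    def enroll_with_code(self, account, voiceprint, code, now=None):
        now = time.time() if now is None else now
        # Single use: the pending code is consumed even by a wrong guess.
        entry = self.pending.pop(account, None)
        if entry is None or account in self.templates:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(code.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        self.templates[account] = voiceprint
        return True

def demo():
    weak = VoiceEnrollment()
    thief_first = weak.enroll_first_caller("acct-1", "thief-voice")
    owner_late = weak.enroll_first_caller("acct-1", "owner-voice")
    strong = VoiceEnrollment()
    strong.issue_code("acct-1", now=0)  # code reaches the owner, not the caller
    thief_guess = strong.enroll_with_code("acct-1", "thief-voice", "not-the-code", now=1)
    code = strong.issue_code("acct-1", now=2)  # owner requests a fresh code
    owner_ok = strong.enroll_with_code("acct-1", "owner-voice", code, now=3)
    return thief_first, owner_late, thief_guess, owner_ok
```

In the weak flow the thief's voice is bound to the account and the real owner is locked out; in the gated flow the same caller fails because they never receive the code.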

Time will tell if biometrics emerge as a reliable form of security or if they will be as easily defeated as the username/passwords they are meant to replace.