Is Paying by Fingerprint in the Future?

Marcia Frellick

November 8, 2012

At some point in the not-too-distant future credit card users may be asked by some banks and merchants to prove their identity with a fingerprint or by the sound of their voice.

It’s called biometric authentication — proving you are who you say you are with a scan of your fingerprint, facial features or voice.

Biometrics gaining traction
Experts’ timetables differ on when biometric authentication will become widespread, but three things are happening to bring it closer to reality:

The movement toward EMV chip cards: EMV stands for Europay MasterCard Visa. These chip-and-PIN cards have long been used outside the U.S. and are now coming here, thanks to the card networks providing incentives to merchants who convert, and to major banks, including Bank of America, Chase, Citi, U.S. Bank and Wells Fargo, rolling out cards with the technology.

The chip has more capacity than a magnetic stripe for storing the biometric data that match with a body scan, says Terry Hartmann, vice president of global security solutions for information technology company Unisys. He says he expects chip cards to be more widely available by the end of 2013, which will hasten the coming of biometrics.

Consumer acceptance: There’s growing enthusiasm for this kind of authentication as fears grow over fraud and identity theft. Submitting to a fingerprint scan is increasingly seen as a small price to pay to protect your data.

Javelin Strategy and Research recently conducted a survey to gauge acceptability and preferences in biometrics.

“When we spoke to consumers this past year, we found that seven in 10 consumers would be open to use of biometrics and out of that group we found that the greatest preference was for fingerprints,” says Alphonse Pascual, security analyst at Javelin. “About half preferred that over the other solutions.”

Spread of biometric scans in other industries: Anyone who has recently visited Universal Studios and Disney World knows that both require a fingerprint scan to help prevent ticket scalping.

Even school lunch lines are making use of the technology to save time. This year, schools in Maryland and Louisiana started scanning kids’ palms instead of waiting for kids to fumble for change.

Facial recognition is already in place in airports, such as Gatwick in London, to prevent fliers from swapping boarding passes after going through security.

Getting a slow start for credit card payments
Just don’t look for this technology to be everywhere you use your credit card anytime soon.

“Adoption is slow and here’s the main reason: It’s expensive,” says John Sileo, online security expert and founder of Sileo.com. Biometric scans require new readers, in addition to card readers, he says.

“Everything in biometrics has been slowed down in my view because of the ubiquity of smartphones,” Sileo says. Now that smartphones can help prove identity, they have stolen some of the thunder from biometrics.

For instance, you can walk into a Starbucks and use your phone to scan a barcode to pay for your espresso. Also, Starbucks’ deal with Square this year means your picture and payment information can be stored so that it pops up on the register screen when you walk through the door with your smartphone.

Not foolproof for safety
With biometrics, there’s often the assumption that biometric data is much more sound than other data.

But that’s not necessarily the case, Sileo says. When you scan a finger, palm or iris, the information is stored as a string of characters in a database, just like your name or Social Security number. That data, like any other data, can be compromised.

Say you’ve got a person in charge of the database who wants to associate his name with your fingerprint because you have a cleaner record. He could capture the digitized numbers that represent your fingerprint and attach his own name to the numbers, or even do the reverse — attach your name to his fingerprint. Conceivably, a thief could send your fingerprint information electronically to your bank to confirm that, yes, you want to clean out your account from an ATM overseas.

Still, biometric data is slightly more secure because there’s no way a thief can get your actual fingerprint. In other words, you can take a credit card or passport out of someone’s wallet, but you can’t remove a fingerprint — you can only steal the information digitally, and you’d have to be pretty savvy to know how to steal it from a database.

Eye scans come with problems as well. With super high-resolution pictures, even the quality available on iPhones, scanners may not be able to tell the difference between a picture of someone’s iris and the real thing, studies have shown.

To fix that problem, companies are working on improving facial recognition technology, Pascual says. They’re working on systems that show a range of human motion, so if the scanner doesn’t see any movement — say, from a breath, a blink or a twitch — it won’t authenticate you.

“They’re also looking at integrating facial with voice, so they’ll ask you to look at something and say something at the same time, to make sure it’s not a video recording,” he says.

Who will be first?
Analysts are speculating on where you will first see wide adoption of biometrics.

Javelin’s study predicts that financial institutions will begin using biometric technology in 2013 to authenticate internet banking customers.

“Banking will beat the credit card industry to biometric solutions,” Pascual predicts, because banks are under heavy pressure from regulators to reduce fraud in an aggressive timetable. They have to find a way to do it that doesn’t make customers uncomfortable, but Pascual predicts banks will be first and merchants will follow.

Sileo sees slower adoption. The kind of technology Starbucks uses to authenticate your information when you wave your phone is newer than biometrics, yet it’s gaining ground more quickly than biometrics, he says.

When it comes to which player will actually be able to ensure the security of your information when you make a purchase, it’s anybody’s guess.

“We don’t know if it’s going to be the banks or the credit card companies. It’s starting to look like it might be the smartphone companies,” Sileo says. “It’s a great idea in theory, but there’s an awful lot of vetting that has to happen before banks get on board.”

Timetable for adoption
As for which form of biometrics will come first, Sileo says he thinks it will be fingerprints, because people are familiar with them as an identifier and many people have been asked to produce one: on a passport, in a hospital, as a security measure at a child’s school.

However, “I think voice recognition shows a lot of promise,” Sileo says.

Pascual agrees. Voice recognition and facial scans, he says, will be the first biometric methods used for online and mobile purchases. That’s partly because laptops and cellphones already come with cameras so the technology can be more readily adapted.

As for point of sale, “Within stores, the easiest form would be fingerprint — without question,” Pascual says. “Outside the U.S. you may find a palm scanner on an ATM. But it’s a large piece of equipment and you’re not going to find that on the checkout counter at Macy’s.”

Merchants want something small and inexpensive that they can use in large numbers, he says.

Much will depend on whether EMV is effective in decreasing fraud, Pascual says, and that will be easier to tell after 2015, the target date for EMV implementation. If thieves get good at hacking into data with EMV by then, that will speed the need to try biometric authentication, he says.