Biometrics and credit card security
Can biometrics be used to secure credit cards from fraud?
There are three basic facets of authentication: what you have, what you
know and what you are. The simplest thing you have is a key. The simplest
thing you know is a PIN or password. Biometrics are a way to have a machine
know what you are.
There are a wide variety of biometrics, all of which are unrelated. Voice
recognition, fingerprints, face recognition, hand geometry, etc. The
technology for one of these has nothing to do with the technology for any
of the others.
Nonetheless, they all are alike in a number of ways. For example, all
biometrics are probabilistic matches. A biometric system says, "I think so"
or "I think not," rather than yes or no. You never say something the same
way twice. Your fingerprints aren't quite the same before doing dishes and
after them. Biometric systems always balance between "false negatives"
(incorrectly saying "I think no") and "false positives" (incorrectly saying
"I think so").
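
The balance between false negatives and false positives described above, as an added example that is not part of the original answer. The similarity scores are constructed sample data and the function names are assumptions for illustration; a real matcher produces its own score scale.

```python
# Constructed similarity scores in [0, 1]; higher means "more alike".
GENUINE = [0.91, 0.84, 0.78, 0.88, 0.62, 0.95, 0.71, 0.80, 0.55, 0.86]   # same person
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.58, 0.30, 0.66, 0.41, 0.18, 0.27]  # someone else

# Candidate decision thresholds 0.1 .. 0.9
THRESHOLDS = [i / 10 for i in range(1, 10)]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_negative_rate, false_positive_rate) when the system
    answers "I think so" for any score >= threshold."""
    false_neg = sum(1 for s in genuine if s < threshold)    # right person rejected
    false_pos = sum(1 for s in impostor if s >= threshold)  # wrong person accepted
    return false_neg / len(genuine), false_pos / len(impostor)


def sweep(thresholds=THRESHOLDS):
    """List of (threshold, false_negative_rate, false_positive_rate)."""
    return [(t, *error_rates(t)) for t in thresholds]


def closest_to_equal_error(thresholds=THRESHOLDS):
    """Threshold at which the two error rates are nearest to each other."""
    return min(sweep(thresholds), key=lambda row: (abs(row[1] - row[2]), row[0]))


def lowest_threshold_for_fp(max_fp, thresholds=THRESHOLDS):
    """Least strict threshold whose false positive rate stays <= max_fp,
    or None if no candidate threshold achieves it."""
    for t, _fn, fp in sweep(sorted(thresholds)):
        if fp <= max_fp:
            return t
    return None


if __name__ == "__main__":
    print("threshold  false_neg  false_pos")
    for t, fn, fp in sweep():
        print(f"{t:9.1f}  {fn:9.1f}  {fp:9.1f}")
    print("closest to equal error:", closest_to_equal_error())
    print("lowest threshold with no false positives:", lowest_threshold_for_fp(0.0))
```

Raising the threshold until no constructed impostor is accepted also rejects two of the ten genuine attempts, which is the trade-off every deployment has to tune.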
Biometrics are very good for some sorts of systems, closed systems that
have a specific thing they do that needs merely a yes/no statistical
answer. For example, opening a door. They are very bad for networked
systems because they are vulnerable to the biometric data being stolen, or
the yes/no being forged.
I don't think they're particularly useful for credit card fraud. If you buy
something in a store, there's already a biometric system in place -- your
signature. It's handled by a person, not by a computer, but a signature
check is a biometric system. It's hard to see how adding a computer would
make it more reliable. On a network, biometrics could easily weaken overall
security. If a hacker can steal your credit card number, they can steal
your thumbprint. And it's a lot easier to get a new credit card number than
a new thumb.
This was first published in September 2001