Biometrics and credit card security

Biometrics and credit card security

Can biometrics be used to secure credit cards from fraud?


    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

There are three basic facets of authentication: what you have, what you know and what you are. The simplest thing you have is a key. The simplest thing you know is a PIN or password. Biometrics are a way to have a machine know what you are.

There are a wide variety of biometrics, all of which are unrelated. Voice recognition, fingerprints, face recognition, hand geometry, etc. The technology for one of these has nothing to do with the technology for any of the others.

Nonetheless, they all are alike in a number of ways. For example, all biometrics are probabilistic matches. A biometric system says, "I think so" or "I think not," rather than yes or no. You never say something the same way twice. Your fingerprints aren't quite the same before doing dishes and after them. Biometric systems always balance between "false negatives" (incorrectly saying "I think no") and "false positives" (incorrectly saying "I think so").

Biometrics are very good for some sorts of systems, closed systems that have a specific thing they do that needs merely a yes/no statistical answer. For example, opening a door. They are very bad for networked systems because they are vulnerable to the biometric data being stolen, or the yes/no being forged.

I don't think they're particularly useful for credit card fraud. If you buy something in a store, there's already a biometric system in place -- your signature. It's handled by a person, not by a computer, but a signature check is a biometric system. It's hard to see how adding a computer would make it more reliable. On a network, biometrics could easily weaken overall security. If a hacker can steal your credit card number, they can steal your thumbprint. And it's a lot easier to get a new credit card number than a new thumb.


This was first published in September 2001