Almost daily I seem to be faced with "fingerprint this", "eyeball that" and "pheromone the other" as a means of adding "security" to the card transaction process (I wasn't serious about the pheromones). Wouldn't it be neat if you could look the ATM in the
eye and ask it for a tenner? I only have to lay my hands on the vein reading, hand shape detecting, fingerprint scanner and my palm is instantly crossed with silver (all right then, two twenty pound notes and a tenner but you get the point).
Could this all be a little bit silly? I'll say that it is. I have said many times before that most of the £500m fraud loss is a direct result of less than perfect card issuing strategies - which is being addressed right now! If the headline fraud is sitting
pretty at £500m, the underlying fraud, since most of the headline fraud is the result of mag stripe clones being used abroad, is much lower and more manageable. On the whole, chip and PIN works fine! Fraud is unwelcome, but not unmanageable, and over the
next few years I would expect fraud levels to fall as the proper security processes are put into place.
Probably the most important feature of the ubiquitous card and PIN and the supporting global infrastructure is not its strength as an authentication and authorisation system, but the ability of the system to respond to compromise - relatively quickly,
easily and cost effectively. The use of cloned cards is reported to the issuing bank, the cards are stopped and replacement cards are issued - job done! The banks may even refund the lost cash, depending on the circumstances, and the bank!
For the values involved in normal credit / debit card transactions, this is easily good enough. If a card is compromised, replace the card. If a PIN is compromised (normally of no use unless the card has been compromised too) the card issuer's advice would
usually be to change the PIN.
In both of these circumstances, the strength of the system lies in the fact that compromise is easy to manage - because the security is based on replaceable information. But what if my transaction security is based on a scan of my retina? In this case
any compromise will present significant challenges, as the security revolves around non-replaceable information. If someone copies my card, I get a new card. If someone copies my eyeball - same thing? I think not! It's all very well presenting us with
the "more secure than chip and PIN" hype (whatever that means), but does it really need to be? What happens if my biometric is compromised?
We clearly have ourselves a technology solution looking for a problem, and we have hordes of consultants telling anybody that will listen what a wizard scheme biometrics really is. We also have ourselves a government that is listening to the consultants
telling them what a wizard scheme biometrics really is, and then telling us, in their own words, what a wizard scheme biometrics really is; and let's not forget that the consultants stand to make money aplenty from telling the government what a wizard scheme
biometrics really is!
I think biometrics, and the application of biometrics, is fascinating. The technologies are becoming more sophisticated by the day, and one day someone very clever will come up with a useful, interesting and acceptable large-scale use. I have only one
question, which, if you like, is biometric agnostic - it applies equally to fingerprints, eyeballs, and obviously pheromones too - what do you do if it goes wrong?