Top cop raises smartphone payment security fears
Date: March 30, 2015 - 10:00AM
Banks, tech firms and financial payments providers are putting consumers at a heightened risk of identity theft with new tap-and-go payments services, in spite of upgrades to security on mobile devices, police and security experts have warned.
Queensland Police's head of fraud and cybercrime, detective superintendent Brian Hay, said that while he welcomed stronger security being introduced by banks, device makers and payments companies to combat fraud, a lot more needed to be done to address the threats associated with increasing financial data on mobile devices.....
More fraud with Apple Pay
However, Apple Pay, introduced into the US in October 2014 on the new iPhone 6, uses tokenisation, yet has been recording higher rates of fraud than normal credit cards. According to reports, the weak link is not the phones but banks there accepting national security numbers to identify applicants before granting them a credit facility......
Biometric security measures
Various forms of biometrics are now finally coming into mass use with the introduction of fingerprint authentication on many smartphones. Several government departments as well as countries are also using these methods to identify people, particularly developing countries where there are often very few identity documents or even bank accounts.
But in reality, Mr Hay said all forms of biometrics can be circumvented, especially where there is no central, secure record of such information. He argued they have to be used in conjunction with other forms of ID to really identify someone.
On its own, for instance, he said fingerprinting is probably one of the least reliable because it is a "static" identifier that can be easily copied.
"Everything is going to be on the phone – your financing, your credit cards, currency apps, it is all going to be there," he said. "That's one of the things you have to worry about with digital device fingerprinting. Fingerprint to me is static," Mr Hay said.
He said identification methods have to be *"dynamic", meaning they have something new that is known to the person or is a personal nuance of that person.
(*One Time Wbt Cornea PIN sounds dynamic *)
It could be two forms of ID, like a fingerprint and a voice command. Tokenisation equivalents for biometrics are also being developed, with a distortion of the fingerprint or voice ID used instead of the actual print or voice. This makes it harder to steal the original voice or fingerprint and use them to take over a person's identity online.
"We will migrate to a tripartite approach," he predicts. "We will have a couple of different forms of biometric that are dynamic, not static, such as voice and a one-time use code as opposed to just a fingerprint."
The big problem with extra steps to authenticate people is that it costs money and it costs time when a payment is something people want to make as quickly as possible. Any extra security, particularly when people are now used to waving their cards or phones, risks customers deciding it is too slow to bother with.....
Biometric - 'Dynamic' Identification methods needed