November 10, 2006
Contactless Credit Card Confusion: Biometric Authentication
The ability to skim information discreetly off of the RFID chip in contactless credit cards is causing a stink, thanks to a big NY Times article recently, and eliciting questions that either credit card companies either have ignored or never asked themselves during the design phase. One important issue is secure use, another is credit card selection when a consumer is carrying more than one contactless card.
Of course, there is a way that these cards could be made more secure, but it would require more technology and another generation of cards before they're widely available. Biometric techniques are already being used for access control and identity verification, such as in e-passports. Several forms are in use, including fingerprints, palm vein scans, retinal scans, and voice recordings. (DNA biometrics is infeasible, at least at present.) From a consumer perspective, most of these techniques are invasive, with maybe the exception of voice recordings.
People are used to recording their voice, so voice biometrics may be a method for solving both issues: secure use and card selection. During a transaction, the customer would be prompted to select the card they'd like to use and recite their name.
Problem is, this isn't a guaranteed solution, as there are technical issues that might hamper its use. For example, if you are in a very noisy shopping mall during Xmas holiday rush, voice authentication may not work unless your mouth is close to the merchant scanner's microphone - which leads to issues of hygiene. The other problem, and more serious, is what if someone uses a recording of someone's voice? Ambient background noise would be expected during a purchase (except online), but with cheap/ free audio editors, that's not difficult to add. And if there is no cashier to verify that a person using a card is actually speaking instead of replaying a recording, then security isstill an issue.
This is, of course, something that all voice biometrics systems will have to deal with, but biometrics tech is costly, and if a merchant is "forced" to use it, there's another source of inflation for our cost of living. But what really worries me, though, is whether these sorts of flaws will lead to the thinking that we "have to" use something more invasive such as retinal scans or palm vein scans just to buy our groceries. Because if cold, hard cash and notes are eliminated, that's the direction we'll have to head down to "protect" consumers from security issues of contactless credit cards. Even if it's as simple as the idea that your contactless credit card requires your fingerprint to be recorded.
--
Did you enjoy this post?
« Contactless Credit Card Confusion: Wrap That Rascal | Main | More European Consumer Trials Of RFID »
