Biometrics is Dead, Long Live Mobile!

In my continuing crusade against greedy and self-serving biometrics vendors – which is absolutely NOT all of them – I figured I would give them a little taste of their own medicine with a ridiculous assertion in the title.

Of course biometrics isn’t dead [I believe it’s still in its infancy] and of course it will only continue to grow in distribution and influence. Its adoption will sky-rocket as mobile devices take over the world and IoT makes thinking for yourself redundant, and I for one am more than happy for it to spend time more in the sun.

What I cannot / will not accept from biometrics:

  1. Its growth at the expense of ANY other form of authentication (without appropriate justification),
    o
  2. Its false and irresponsible claims to its security, and;
    o
  3. Its blatant disregard for its ultimate benefactor; the mobile phone

Put to one side for a minute that not ONE legislation / regulation in payments actually requires biometrics (where “strong authentication” is primarily defined as 2-factor), and focus for a second on how biometrics has even made it as far as it has. Simply put, without the mobile phone, there would BE no biometrics in the mainstream.

It’s not like we would all carry around a separate device to perform biometric authentication, would we? No, we wouldn’t, so it’s only because biometrics is so readily available that we even consider it an alternative to passwords. That’s right, an ALTERNATIVE, and for the foreseeable future, one completely driven by consumer preference. No financial institution in their right mind will make biometrics mandatory, probably ever. I certainly wouldn’t.

So if the mobile phone is so all-powerful, why aren’t they attacking passwords? Simple, a) they have no need to, they are the dominant factor, and b) they are smart enough to realise that without the OTHER two factors they are not providing the best solutions possible.

In other words, they get it.

Rather a bleak picture, isn’t it? 1) not required for regulatory compliance, 2) will never be mandatory, only a consumer preference, 3) will never be suitable for some forms of authentication due to false ‘positives’, and; 4) it completely reliant on something else for its distribution. But even with all of this against it, I will embrace biometrics, in all its forms, if it provides me the convenience I crave, with ENOUGH security to transfer the risk to someone else (my bank for example).

And that’s really what it all boils down to; risk. A simple word but one completely misunderstood, and usually handled poorly. Bottom line; if the effort to steal something is greater than its value, it’s safe …enough. That’s all biometrics and passwords provide; security enough, and the amount of security you have to provide for a transaction is directly proportional to the value of the transaction.

For example, why would you use Apple Pay when it requires authentication that the contactless card does not? Is it more convenient? No. Does it provide more value-add services? No. Does it have anywhere near the distribution of plastic? No. Do YOU have to care about the security of contactless? No, you don’t.

Biometrics is, and will always be only a player in the game. While mobile holds most of the cards, any form of biometrics will be beholden to it, so they should play nice.

On Disabilities In Payments

Have you ever wondered what it would be like to go through life blind? Or with a learning disability? Or perhaps what it will be like when you’re older and your mental acuity is not what it once was?

What must it be like to be almost totally reliant on loved ones, or worse, the honesty and goodwill of complete strangers?

I readily admit, these are not thoughts that I have very often, as any disabilities I have relate to my sparkling personality. However, I am now in a position to HAVE to think about it and it’s more than a little humbling to see what those with physical or mental challenges have to go through.

For the purposes of this blog, I will restrict myself to issues related to non-cash payments, as that is my skill-set, the limit of knowledge on the subject of disabilities, and there is more than enough material to fill several blogs, lets alone this one.

The issues faced today centre on the fact that the only ubiquitous form of non-cash payment is the branded credit / debit card (Visa, Mastercard et al), and both the cards themselves and the infrastructure necessary to accept them is geared almost entirely to those without any sort of disability. In fact, even if you wanted to make changes to the infrastructure, the effort would be entirely prohibitive given both the limited return on investment and the absence of any legislation.

For example, according to Action for the Blind there are approximately 360,000 in the UK with ‘sight loss’ (total population ~64M), yet the number of people who can actually read braille is under 20,000. So even card terminals with braille overlays are more for marketing / image purposes than actually providing a means for expanding independence. Terminal manufacturers don’t have to spend more, so why would they?

According to Dr. John Gill, one of the UK’s leading experts in the field of disabilities, challenges for the disabled related to non-cash payments go way beyond issues with sight. The elderly, for example, not only begin to have challenges with vision, but their declining ability to handle abstract concepts, hand tremors and even an aversion to / fear of new technology means that payment innovations will be largely avoided by this group. Especially if their individual needs are not built in from the beginning.

I have posited in previous blogs that mobile devices are far better placed to enable cashless payment for those with disabilities, but it’s clear that this will only be the case if considerable thought is put into the challenges from the outset. ‘Consistency of Interface’ (Dr. Gill’s primary interest), simplification of available technologies, and setting of individual preferences across all payment front-ends will all be required before adoption of mobile technologies is available to everyone.

Well, almost everyone.

Too many technologies aimed at disabilities are nothing more than smoke-and-mirrors, and any effort on the part of manufacturers is aimed at demonstrating that they are good citizens. And while there can and will never be 100% adoption of mobile technology, it represents a significant advance over current systems which are now in their 6th decade of use.

Payment systems for those with disabilities must be able to address the following or they will simply not be used:

  1. Consistency of Interface – Terminal manufactures have some standards they need to apply to their devices, but constancy of interface is not one of them. Even as a sighted person, I sometimes have an issue with where to put my card, where the OK button is, how to apply tip (or not) and so on. However, I CAN read the total, what are the options for those who can’t?
    o
  2. Swiss Army Knife Approach – I love technology and innovation, yet even I use a fraction of the abilities of my phone. The elderly not only use even less, they want to SEE less available. The drive is for more and more functionality, but no-where is there an option for less, and until there is, adoption in the elderly will be limited.
    o
  3. Non Reliance on Biometrics – You just have to look at payment innovation and see that biometrics will be a major factor. This ridiculous concept from MasterCard for example; MasterCard, Zwipe announce fingerprint-sensor card. But what about those with deformities, injuries, mobility issues? Apparently people who work with concrete or pineapples have fingerprint issues, as do those on various forms of chemotherapy. Who knew?
    o
  4. Size of Keypad – Something as simple as this can result in the avoidance of non-cash payments. Combine a small PIN pad with low contrast fonts and you have just lost a payment.
    o
  5. Learning Disorders / Mental Acuity Challenges – How do current payment technologies handle dyslexia? Or short-term memory loss? Or the onset of dementia? The use of the PIN is about as ubiquitous as the cards they authenticate, yet even this is out of reach for some. But who says the ‘PIN’ has to be numbers, can’t it just as easily be a picture of loved ones, or some other individual preference?

Clearly I am only scratching the surface here, and while there is no solution that will ever make everyone happy, there is a LOT more that can be done to make life easier for those with disabilities. Mobile devices are not perfect, but they represent a  considerable advantage over current payment technologies in terms of adapting preferences to an individual.

All we need is the attention this deserves.

 

[Note: A very special thank you to Dr. John Gill who was very generous with his time and his guidance. Please see http://www.johngilltech.com for more on this subject.]

Software PIN, the Rosetta Stone of Future Payments

For those who don’t know what the Rosetta Stone is, it’s a tablet found in 1799 that greatly assisted the translation of ancient Egyptian Hieroglyphs to every modern language (subsequently).

So why do I use this as an analogy for non-cash payments?

Hieroglyphs​ had puzzled scholars for centuries until the Rosetta Stone unlocked them enough for the translation to move forward to completion. Having a software PIN will effect the exact same unlocking of the transition of non-cash payments from plastic to mobile. We have had credit cards for 60+ years, with nothing in that time anywhere near ubiquitous enough to disrupt them​, now ​we do. And while mobile devices are in no way perfect, and in many ways even less secure than a credit card, ​they ​​are​ already far more prevalent​. ​Despite all ​of mobiles’​ flaws, they ​are being used ​today as a payment medium​, a trend that will continue until plastic is replaced completely (at least in its current form).​

Th​ere are too many reasons​ for the continuity​ to go into​ here​ (sheer functionality being the top one), but it has been slow because until now every mobile payment innovation was just a little too much for people to accept, just a smidge too radical to gain the necessary momentum.

This is probably because none of those innovations kept the most widely used of the authentication mechanisms in the world; the PIN. The enormously complex and expensive chip & PIN (EMV) used for credit cards is accepted globally (if they can afford it), but up till now there has been no way to effect an acceptable level of security on a device that is never going to be as secure a system built for purpose.

But ‘as secure’ is not the point, ‘secure enough’ is. You’re not fighting for perfection and zero loss through theft, you’re fighting for making it too difficult for thieves to bother. This can only be effected by layers of security, the so-called defence-in-depth. EMV put all of its security controls into a single factor (they had no choice), but mobile devices have access to numerous – and ever expanding – options:

  1. Geolocation/Geofencing: Whatever you want to call it, and whatever buzz phrases vendors will come up with next, they all mean the same thing; are you where you should be? Should you be paying for something in Glasgow if you live in London? Maybe, but when you set the areas from which payments can be made, you are removing the majority of the bad guys’ ability to process a fraudulent transaction.
    Yes, there can be privacy issues, but most vendors have dealt with that now.
    o
  2. Device Authentication: Every mobile phone has a serial number, IMEI number, and other built in identifiers. If your device is registered it’s very difficult to use another device to get in the middle. Not impossible, just difficult.
    o
  3. Application Signing and Authentication: Minimal security in and of itself, but is another security layer which ensures as much as possible that only known good apps are used. Apple and Google have their own ways of doing this for downloads, neither of which is adequate. Ongoing application verification can be relatively useful though.
    o
  4. App Blacklisting / Malware Detection: Very early days yet for mobile devices, but in the same way that operating systems anti-virus vendors have made untold fortunes regurgitating known bad things into signatures, mobile devices will have the ability to blacklist apps that should never be running on devices secure enough to authenticate payments.  OS hardening guides (SELinux for example) and version control (Android must be at v4.2 and above for example) are fundamental baselines.
    o
  5. PIN Image ‘Watermarking’: Most internet banking sites now have a facility whereby you can upload a personal image to ensure that your open communication is actually with your bank and not redirected to a bad guy. Mobile  devices make this factor possible and can even be configured into the PIN pad image.
    o
  6. Encryption (Packet and Transport Layer): Obvious stuff, and relatively trivial to circumvent when you have access to the base operating system kernel (where all jailbreaks take place), but still a very valid concept, especially when you consider the very clever technology surrounding things like Secure Remote Password protocol (SRP).

​Even today there are more options than this, and even implementing all of them at once is seamless to the end user once they have registered their device​. Any one of these by itself is clearly inadequate, but can you really see a bad guy sitting in Starbucks cracking ALL of these in the few moment it takes you to pay for your coffee?

By their nature, mobile devices will always be insecure and limited (bloated OSs, battery life, delicacy, theft and so on) and cannot be seen as a long term solution in payments the way the credit cards were, but I don’t think anyone can deny that they will replace plastic. Mobile devices will take payments to places credit cards can never reach, and the functionality and distribution of payment innovation through mobile devices will grow exponentially over the next 5 – 10 years, it just needs something to help everyone make that transition;

The software PIN.