About The Blog

Debate at the intersection of business, technology and culture in the world of digital money, both commercial and government, a blog born from the Digital Money Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


BarCampBank biometrics

By Dave Birch posted Jul 7 2008 at 1:02 PM

[Dave Birch] I'd never been to a BarCampBank before so I wasn't sure what to expect at the BarCampBank London last week. I needn't have worried: as well as Forum friends such as Chris Skinner, Stephen Mason and James Gardner, there were both old pals and new acquaintances. The discussions were open and fluid and the combination of views did its job in generating new thinking. I was only sorry that I had to leave at lunch time to get over to OpenTech. One of the groups that I took part in was looking at the use of biometrics at retail POS and I tried to write up some notes to report on the key issues, as I thought blog readers would find them interesting. The discussion ranged over three fairly distinct areas: the drivers for biometrics at POS, the technologies and the business case. So far as the drivers go, the CHYP position has been reported before:

Biometrics work well in controlled environments such as ATMs, it's true. But it's not clear -- despite a number of roll-outs -- whether they offer a realistic alternative to cards at POS because, as we have consistently advised our clients, biometrics at POS are driven by convenience, not by security.

[From Digital Money Forum: Fingering suspects]

I think it's fair to say that most people felt the same way, although there was some discussion on whether POS fraud is high enough to demand more security but the consensus was that it was not. As for the issue of technology, framed by the debate about convenience, it was not clear to me that the example often used, the fingerprint, has much role to play going forward. It doesn't provide a particularly good trade-off between convenience and security, for one thing, and to many people it has connotations of criminality. Nevertheless, the technology is moving along and standardisation will help it:

“I think that ISO 19092:2008 will certainly be the kick start that biometric security needs, as it will provide the financial industry with some fantastic guidelines to enable them to implement both the architectural and policy/procedural changes required,” says Jason Pearce, director of sales engineering in Asia-Pacific for RSA, the security division of EMC.

[From Vendor Articles: 4/7/2008 Biometrics usage to pick up with new ISO standard?]

There are plenty of other biometrics to choose from, but surely we will end up using voice, for the straightforward reason that it can function in both local and remote environments, unlike biometrics such as fingerprints (because a remote service provider couldn't tell if you were really putting your finger on the reader or replaying someone else's). But for the purposes of the discussion, we can assume that the technology is there (provided its main purpose is convenience rather than security). A couple of people mentioned the combination of biometrics and mobile phones as being a promising avenue for exploration and I must agree. The mobile phone is clearly going to be the key device in the consumer space, so for biometrics to go with the grain they have to embrace the mobile from the start.

The business case discussion naturally focused on fraud and the relationship between biometrics and other technologies (eg, contactless) at point of sale. I can't say that this part of the discussion came to any particular conclusions (if it did, they're not in my notes) but the fact is that the chip and PIN migration has led to substantial reductions in POS fraud (and substantial increases in CNP fraud) so there's no desperate need for another technology at POS, especially when the retailers and banks are already engaged in rolling out contactless.

I think the key takeaway for me -- other than the T-shirt (below) -- was a reinforcement of the view that biometrics in this space are primarily about convenience and therefore any investments would need to be centred on making the customer experience simpler, easier and quicker rather than adding a layer of security / complexity to the transactions. A clear piece of evidence for this view is that biometrics don't, in fact, add a layer of security anyway so there's no point putting that on the critical path. Look at what's been going on in the Netherlands recently...

Within weeks after its introduction, a security researcher has cracked the Tip2Pay fingerprint payment system for Dutch supermarket chain Albert Heijn. The researcher succeeded at paying for groceries by using a copied fingerprint.

[From Computerworld - Researcher cracks fingerprint payment system]

It's hardly a new vulnerability, but still of interest given the context. Anyway: if biometrics at POS are about convenience, if voice is the most convenient biometric and mobile phones the most convenient device, I think we can see the rudiments of the future POS landscape: for under £10 you wave your phone, for £10-£500 you put in a PIN and then wave your phone, for £500+ you say the amount, key in the PIN, then wave the phone. Sounds reasonable to me.

BankBarCamp Proof

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

