Credit card security courtesy of your body

used with the permission of
by Anne Field

Increasingly, banks and credit card companies are trying out biometrics to authenticate a cardholder’s identity.

Online credit card fraud is soaring. And, it’s still pretty darn prevalent in the offline world. In fact, global credit card fraud will exceed $35.54 billion in 2020, up from $16.3 billion in 2014, according to The Nilson Report.

Increasingly, one answer that banks and credit card companies are testing is the use of biometrics to authenticate a cardholder’s identity, thereby making it more difficult for thieves to steal an individual’s information. That means using technology which embeds physical characteristics of an individual, from a fingerprint to heart rhythms, into an ID system to authenticate the person’s identity.

“Biometrics is a key piece of security for making credit card payments safe,” says Amy Zirkle, vice president of industry affairs at the Electronic Transactions Association. “It captures the uniqueness of an individual.”

In some cases, companies are developing biometrics for use in mobile payments. In others, they’re bringing biometrics to the card itself, for making in-store purchases. In any case, no biometric data is transmitted to a merchant’s site, according to Randy Vanderhoof, executive director of the Secure Technology Alliance. For example, if you’re paying with a smartphone, the authentication happens on the device itself. “Once the authorization is completed, that payment data is transmitted through the network to the retail point of sale (POS) or online ecommerce site,” he says.

All about fingerprints

The most widely used biometric technology, for now, relies on fingerprints. Apple iPhone’s fingerprint authentication for unlocking phones paved the way. “Consumers are most familiar with it by virtue of using their mobile devices,” says Vanderhoof. Then, the company created more momentum by introducing fingerprint authentication for Apple Pay in 2014, requiring that users place their fingerprint on their devices sensor to verify their identity.

Recently, such financial institutions as Bank of America and American Express have introduced apps allowing users to pay for a purchase over a mobile device using fingerprint-based based technology for authorizing their identity.

And in April, Mastercard announced a biometric card that includes a small fingerprint reader to verify a cardholder’s identity for in-store purchases. Users insert the card into a payment terminal and then place a finger on the reader. The POS machine then verifies the cardholder’s identity and okays the payment. (The card can harvest power from existing terminals, so there’s no need for a battery). More tests are planned for later this year in Europe and Asia Pacific, and in the U.S. next year.

Of course, at the moment, that technology works for shoppers who have their card with them. In cases where you’re paying online—”card not present” is the term—there are other solutions. For example, security company Zwipe is working with partners to develop a fingerprint authentication process done through a reader that comes with the user’s card. “Instead of having to fill out a form online, you’d put the card into the reader, press your finger on the card and process the transaction,” says Ado Fazlic, a spokesperson for Zwipe. The company already has a platform that integrates fingerprint authentication into credit cards.

Voice and facial recognition

Companies like Mastercard are also testing voice and facial recognition for verifying a cardholder’s identity. You’d use your smart phone camera or microphone to take a picture or capture your voice and then that information would be used to authenticate your identity when making a purchase. The system does what Zirkle calls a “liveliness check”, a process that takes less than a second and ensures you’ve snapped a picture of yourself and not a photo of someone else’s image. “It’s a simple use of a selfie to authenticate your purchase,” she says.

More cutting edge

In the early stages are attempts to use iris scanning and heart rhythms for authentication. That can include wristbands carrying a recording of a person’s unique heartbeat pattern, or technology relying on the characteristics of a user’s eye. The latter is already used by the Samsung 8 for unlocking the phone, according to Zirkle.

Even more cutting edge is “behavioral biometrics”. For example tech startup BioCatch is working with Experian to detect fraudsters applying for credit cards online. The software analyzes the way users interact with devices and websites, looking at such factors as how quickly they type or move between questions, and use that information to determine whether users are legit.

Then there’s social biometrics. Security technology company Socure, for example, has a system that matches facial biometrics to public online information, producing a biometric profile which generates a score determining the authenticity of a user’s identity. “The system would make sure there are no red flags about the transaction,” says Zirkle.