Finger pay redux

Finger pay redux. Image: ktsdesign, Shutterstock.com
Written by Dave Birch

People are getting excited about finger scanners, but the technology has been around for ages, says Dave Birch, who wouldn’t pass up being chipped.

A few people forwarded a link from Time Out to me last week, calling attention to a new payment mechanism using a new biometric identification technology to effect retail payments in a new way:

The latest in contactless payment – called Fingopay – uses a bar-top scanner and allows customers to introduce their index finger when they’re ready to settle up. The unique patterns of the veins in each customer’s index finger – which need to be linked to their bank account in advance to make a payment possible – are electronically scanned on the spot in the aim of speeding up transactions at the bar.

I’m not sure if my repeated use of the adjective ‘new’ in the introductory paragraph was entirely appropriate, and I don’t want to be like all yeah whatever, but … the first time that the technology was mentioned on this blog was almost exactly a decade ago, when I was talking about mass market uses of biometrics and the particular case study of Japanese banking, and it wasn’t new then:

Another group that includes Sumitomo Mitsui Banking Corp, Mizuho Bank and Japan Post uses a similar system, but it analyses fingertip vein patterns.

In addition to identifying customers at ATMs and Post Office counters, the technology that they’re referring to here – the Hitachi finger-vein technology – has been used as an alternative to payment cards from its earliest incarnation:

Biometrics continue to advance in Japan with the news that Hitachi is teaming with Japanese issuer JCB to develop a biometric payment system based on its finger vein authentication technology that can be used as an alternative to cards and cash at the point of sale.

The technology has been reintroduced as a new solution to the same problems a great many times since then; every couple of years or so, stories about this new technology and new way to pay resurface. For example:

The BBC were kind enough to invite me on to their lunchtime You and Yours magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications.

No inroads into mass market

The truth is that this specific technology has been around for absolutely ages and the idea of using fingerprints as an alternative to payment cards at retail POS has been around for even longer. This from 2004:

The Piggly Wiggly grocery chain has announced it will begin offering a high-tech payment feature allowing customers in several stores to pay using their fingerprints.

You can’t help but wonder what’s different this time. Well, for one thing, we have PSD2. My memory of some earlier attempts may well be imperfect, but I have a vague recollection that these previous attempts at finger-based payments worked by tying the stored template to a card-on-file and then processing a card-not-present (CNP) transaction at POS (even though the cardholder was self-evidently present). Since the costs associated with CNP processing were much greater for the merchants, and the US was moving to no-signature stripe programs anyway because all of the terminals were online, the finger payments were slower and more expensive than stripe payments. Hence neither the merchants nor the consumers were greatly interested. Systems like this did make progress in closed environments (such as schools and prisons) but made no inroads into the mass market.

However, things are changing. We have strong customer authentication (SCA) and risk-based authentication at POS, we have interchange regulation and interchange-plus acquiring in Europe, and soon retailers will be able to process payments themselves by obtaining payment institution (PI) licences and consumer consent for direct access to their bank accounts. Thus, putting your finger on a reader in store and having the retailer instruct an immediate instant payment transfer from your account to the retailer’s account looks like a more promising model this time around (but I have to say I’m sceptical about traction in a world where consumers have mobile phones with them all the time and can obtain internet connectivity even in Camden).

The decision to try out the new system in a pub, by the way, did bring on a wave of nostalgia. Here I am with my CHYP colleague Kate Hughes, my fellow Visa Business School instructor Joe Di Vanna, and my old friend Mark Burgess testing out some early contactless products in the bar at Robinson College, Cambridge. Joe claimed that he could do a cash transaction faster than contactless …

On a related topic, it’s important to note that while fingerprints are unique and all that, they’re not without issue. For one thing, you leave your fingerprints everywhere you go. For another, you don’t always have complete control over your fingers:

Wife exposed diplomat’s affair by using his thumb to unlock his iPhone while he was sleeping

This is why those of us who understand security use Wickr or Signal to communicate with confidantes and always set a passcode for the application! The point is that fingerprint security has failure modes and those could be exploited by any seven-year-old. Paging Groucho Marx: someone get me a seven-year-old:

7-year-old Harrison Green waited for his dad to fall asleep and then hovered his finger over the sensor, thus defeating his strong fingerprint encryption choice.

Chips with everything

Having had a look through the Fingopay website, I notice a clever use of this particular feature (that is, the ability to use the biometric identifier without the consent of the owner): “We have developed an ‘in-case-of-emergency’ ICE system that can be used to assist in identifying you even if you are unconscious.”

This might be more of a use case in Camden on a Friday night than a new payment mechanism! I suggest they also try my alternative solution, which is to store a revocable token in tamper-resistant hardware and use the biometric for strong local authentication of that token. If people in Camden really don’t want to take even a card down the boozer, and are worried about waving a phone around because it’ll get half-inched at chucking-out time, well, our friends on the continent have a tried and tested alternative:

Everyone’s current favourite case study for this sort of thing is the Baja Beach nightclub in Barcelona, where patrons were offered the choice between a card and a chip and some of them chose the chip … The chips are the size of a grain of rice (1.2 millimetres wide and 12 millimetres long) and injected (by a “medically trained” person, according to the New Scientist) under the skin in the upper left arm.

One of my favourite conference jokes a decade ago (first used in a presentation to the International Association for Biometrics in September 2004) was that the chip is better than a card because you really can’t leave home without it. Now, to be honest, I’d prefer an implanted chip like that to biometric identification. Why? Well, the chip contains an ID number and no personally identifiable information (PII). If some unauthorised person scans the chip, all they get is an ID number. If I use an app on my phone to allow a particular retailer the ability to charge against that ID number at specific times, or only with strong authentication (e.g., a PIN or a fingerprint or whatever), that seems both convenient and secure.
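As an added illustration (not the author’s, Fingopay’s or any vendor’s code), here is a constructed Python model of the chip-plus-app design sketched above: the scanned value is an opaque ID number carrying no PII, the per-retailer time window and strong-authentication requirement live in the owner’s app, and revoking a grant never requires re-enrolling anything. The retailer names, the ID value and the time window are made-up assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Tuple

# Constructed model of the design sketched above: the chip carries only an
# opaque ID number, all policy lives in the owner's phone app, and a grant
# can be revoked without touching the chip or any biometric template.

@dataclass
class Grant:
    retailer: str
    window_start: time          # local times between which charges are allowed
    window_end: time
    require_strong_auth: bool   # PIN / fingerprint on the phone, not at the bar
    revoked: bool = False

class ChipWallet:
    """The owner's phone app: per-retailer grants bound to one chip ID."""

    def __init__(self, chip_id: str) -> None:
        self.chip_id = chip_id  # an ID number and nothing else, no PII
        self.grants: Dict[str, Grant] = {}

    def grant(self, retailer: str, start: time, end: time, strong_auth: bool) -> None:
        self.grants[retailer] = Grant(retailer, start, end, strong_auth)

    def revoke(self, retailer: str) -> None:
        if retailer in self.grants:
            self.grants[retailer].revoked = True

def authorise_charge(wallet: ChipWallet, scanned_id: str, retailer: str,
                     when: datetime, strong_auth_passed: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for a charge request against a scanned ID.

    A scanned ID alone yields nothing: the retailer needs a live grant whose
    time window covers `when`, plus strong authentication where demanded.
    """
    if scanned_id != wallet.chip_id:
        return False, "unknown id"
    g = wallet.grants.get(retailer)
    if g is None:
        return False, "no grant for this retailer"
    if g.revoked:
        return False, "grant revoked"
    if not (g.window_start <= when.time() <= g.window_end):
        return False, "outside permitted window"
    if g.require_strong_auth and not strong_auth_passed:
        return False, "strong authentication required"
    return True, "ok"
```

A retailer that merely scans the ID (or a passer-by who reads it off the chip) gets a number that no policy will honour; the owner withdraws access by revoking the grant, not by changing a finger.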

If you’re too squeamish to have a chip implanted (I’m not – in fact I begged them to implant one onstage at a Consult Hyperion Forum, but they wouldn’t do it because the chips were not licensed for use on people in the UK), then there’s an alternative I can suggest. One of my favourite conference jokes right now is that you can always have a QR code tattooed on to some part of your body. Private key vs privates key (geddit?!). If you know a better PKI-related joke, I’m literally all ears.

– This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations.

About the author

Dave Birch

David GW Birch is director of Consult Hyperion, a secure electronic transactions consultancy, responsible for maintaining and projecting Consult Hyperion's thought leadership in this field. He is an internationally recognised thought leader in digital identity and digital money, and was named one of the global top 15 favourite sources of business information by Wired.