SoylentNews is people

posted by martyb on Tuesday July 16 2019, @02:22AM
from the biometrics-are-the-"account"-not-the-"password" dept.

Visa's vision for the future of payments is password-free

Visa believes the payment industry can move away from passwords in the next five years thanks to advancements in authentication and anti-fraud technologies that are already making "static" cardholder verification (CVM) methods such as signature and PINs optional.

With the ability of financial institutions and merchants to share 10 times more data with each other than ever before, and the growing sophistication of artificial intelligence (AI) that is making fraud detection faster and more accurate, Visa head of product Axel Boye-Moller believes that as this ecosystem evolves to be more secure, and AI and biometrics capabilities further mature, there is a future where legacy verification methods are eventually eliminated.

"Over the last few years as mobile technology has evolved, we're seeing increasingly biometrics included in mobile hardware -- that's really starting to take off as more and more banks and other providers start rolling out mobile payment solutions," Boye-Moller told ZDNet.

"But there's still a lot of ground to cover. Passwords can be incredibly frustrating. You forget them and they can be stolen."

[...] Additionally, Boye-Moller said as more payments are conducted via a mobile device, it becomes "very fiddly" to enter a password on smaller devices.

Increasingly, he added, there has been an explosion in the amount of connected devices that are accompanied by more online accounts and subscription-based payment requirements.

"We think biometrics is absolutely a critical part of that solution -- both convenient and secure," he said.

"The way they rolled out [mobile payments] standards is that every single transaction that is done or adopted is biometrically authenticated with a fingerprint or facial recognition."

While he said biometrics is part of the solution of moving to a password-free world, he believes it requires many other layers on top of that to drive more secure and convenient solutions.

"We believe that if we continue to collaborate strongly across industry we can reduce the current fraud rates by half by 2025," Boye-Moller added.


  • (Score: 2) by sshelton76 on Tuesday July 16 2019, @07:32AM (6 children)

    by sshelton76 (7978) on Tuesday July 16 2019, @07:32AM (#867451)

    Biometrics are no good for this.

    The reason they fail is because there are actually 2 parts to consider. Identification and authorization, or as many say, something you have and something you know.

    The first step is identification and biometrics are "ok" at this but not great. For smaller groups such as tellers in a bank branch, or a group of office workers this works ok. But the more people you have in a biometric database, the more likely you are to have a false positive identification and this doesn't really start to show until you have thousands of people enrolled. It is a problem tied to the prosecutor's fallacy https://en.wikipedia.org/wiki/Prosecutor%27s_fallacy [wikipedia.org] and it is intractable since it's just the way statistics work. This is true regardless of the particular biometric used, although if you combine 2 biometrics such as palm and iris scan you do reduce the likelihood of a false positive, but you also increase the likelihood of a false negative.

    In truth you are much better off with a smartcard that has features to prevent cloning, since there are so many myriad ways to defeat each step of the biometric including just knocking the person out and holding them up to the scanners. Cards are lost infrequently and are a whole lot easier to change than palm prints if one happens to go missing.

    However this part is ONLY the identification step.

    The other step is authorization and this MUST be something you know. That is important because it proves consensus ad item, or mutual assent. Therefore it must come from your own mind as something only you know, even if it is only your signature.

    Without these two steps or when trying to combine both steps you cannot be sure the person is who they claim to be or that they really are attempting to complete the transaction.

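Added example (not part of the article or of any comment above): the database-size effect described in the preceding comment, worked through numerically. The error rates are constructed values and every comparison is assumed to be statistically independent; the function names are hypothetical.

```python
# Added illustration; all rates below are constructed, not measured values.

def p_any_false_match(fmr: float, enrolled: int) -> float:
    """Chance that a 1:N search falsely matches at least one enrolled
    template, assuming independent comparisons at false-match rate fmr."""
    return 1.0 - (1.0 - fmr) ** enrolled


def share_of_hits_genuine(fmr: float, fnmr: float, enrolled: int) -> float:
    """Expected fraction of reported hits that belong to the person
    actually scanned, when that person is enrolled (base-rate view)."""
    true_hits = 1.0 - fnmr               # the genuine template matches
    false_hits = fmr * (enrolled - 1)    # expected impostor matches
    return true_hits / (true_hits + false_hits)


def and_fusion(fmr_a: float, fnmr_a: float, fmr_b: float, fnmr_b: float):
    """Accept only if BOTH modalities match (independent errors assumed).
    False matches multiply; false non-matches accumulate."""
    fmr = fmr_a * fmr_b
    fnmr = 1.0 - (1.0 - fnmr_a) * (1.0 - fnmr_b)
    return fmr, fnmr


if __name__ == "__main__":
    FMR, FNMR = 1e-4, 0.02   # constructed single-modality error rates
    print("enrolled  P(any false match)  share of hits genuine")
    for n in (10, 1_000, 10_000, 1_000_000):
        print(f"{n:>8}  {p_any_false_match(FMR, n):>18.4f}"
              f"  {share_of_hits_genuine(FMR, FNMR, n):>21.4f}")

    # Two modalities (e.g. palm AND iris) with the same constructed rates.
    fused_fmr, fused_fnmr = and_fusion(FMR, FNMR, FMR, FNMR)
    print(f"fused FMR={fused_fmr:.1e}  fused FNMR={fused_fnmr:.4f}")
    print("P(any false match), fused, 1M enrolled:",
          round(p_any_false_match(fused_fmr, 1_000_000), 4))
```
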
  • (Score: 2) by sshelton76 on Tuesday July 16 2019, @07:33AM

    by sshelton76 (7978) on Tuesday July 16 2019, @07:33AM (#867453)

    consensus ad idem, ugh I need to not post before coffee.

  • (Score: 0) by Anonymous Coward on Tuesday July 16 2019, @08:42AM

    by Anonymous Coward on Tuesday July 16 2019, @08:42AM (#867467)

    The reason they fail is because there are actually 2 parts to consider. Identification and authorization, or as many say, something you have and something you know.

    Something you have/are and something you do. Authorization is an action by the one that is identified.

    What they want is to replace the typing of a semi-secret with an action of stamping your finger. It's a compromise. But considering most people are fucking idiots especially with passwords, it's not much of a compromise and could actually be better than the status-quo. Remember, this is for the average Joe, not the elitist haxers of soylentnews.

  • (Score: 2) by JoeMerchant on Tuesday July 16 2019, @12:54PM (2 children)

    by JoeMerchant (3937) on Tuesday July 16 2019, @12:54PM (#867527)

    The real question is: are these daily transactions for a $4 latte, or $250K wire transfers for a home purchase?

    We bought a boat recently for a little over the $10K threshold - and you might not believe the hoops that were required to execute that transfer of funds. Even when you work with a dealer who is used to greasing the skids for you, it's a lot, but individual to individual was absolutely ridiculous - we basically had to have a 4 way conference between the banks and the account holders to get it done.

    --
    🌻🌻 [google.com]
    • (Score: 2) by Snow on Tuesday July 16 2019, @04:56PM (1 child)

      by Snow (1601) on Tuesday July 16 2019, @04:56PM (#867605) Journal

      Why?

      I bought a 10K campervan last year and I just went to the bank, got a bank draft for 10K and walked out 10 mins later.

      • (Score: 2) by JoeMerchant on Tuesday July 16 2019, @06:38PM

        by JoeMerchant (3937) on Tuesday July 16 2019, @06:38PM (#867647)

        Seller wanted a wire transfer into his account - we could have written him a $17K check as easily, but he was committed to the wire transfer idea. Halfway through he mentioned that it was a big pain the last time he did it, too.

        --
        🌻🌻 [google.com]
  • (Score: 3, Insightful) by AthanasiusKircher on Tuesday July 16 2019, @02:40PM

    by AthanasiusKircher (5291) on Tuesday July 16 2019, @02:40PM (#867572) Journal

    The other step is authorization and this MUST be something you know. That is important because [...] Without these two steps [...] you cannot be sure [...] they really are attempting to complete the transaction.

    The question about the latter is -- do they really care about that? I'm serious. I haven't seen it from credit card companies yet, but my perception is that in recent years there's been a systematic push from corporations to undermine the traditional need for purchase authorization.

    Why? Because they know that many people just pay bills. They just pay for crap that arrives, rather than go through the hassle of returning it or fighting it. My mother used to be one of these people long before the internet -- she'd see some ad on TV for some magical item ("With 3 easy payments of just $19.95!") and order the thing. And it would arrive. And it wouldn't work. Or she didn't use it. Sometimes she didn't even get around to opening the box for a couple months. And then she'd have some idea about returning the item, but almost never got around to it.

    Lots of people are like this, but today even the slightest impulse is enough to get some piece of junk. "Ooh, that looks good!" you think, and Amazon's patented 1-click has the item on the truck to your door immediately. No time to think about it while you're entering an address or card number or even giving the most basic confirmation.

    But no, companies are interested in going far beyond this. We saw it with the debacle of in-app purchases, which Amazon and Google et al. fought for years to keep as "open" as possible. People complain that kids racked up $300 bills for Smurfberries or whatever, and others just say, "Well, you should have paid attention to your kids! Look at what apps they have, supervise them, don't allow purchases!" People forget that many of these platforms lacked even basic controls in the early days -- hence the lawsuits. There was originally no way to limit in-app purchases on some early tablets. No way at all. And when they did institute password protection, at first it was limited... and gradually they allowed more.

    You know why? Because I'm sure these companies did the math. And they realized for every person who complained that their kid bought X dollars in Smurfberries, there was another consumer to whom this happened, and that consumer just paid the bill... figuring it was somehow their fault or it wasn't worth the hassle to dispute it. What percentage of folks with small bills will just give up and pay them? 30%? 50%? 70%? Even payments for $20 or whatever add up when it's hundreds of thousands of people.

    Bottom line is that companies clearly want to break down the authorization component. They want you to order stuff by impulse or even accidentally and then forget to return it or give up and pay because it's too much of a hassle.

    Now, you might say -- credit card companies surely don't want that, do they? Well, why not? They skim a fee off the transaction too. Their main concern is outright fraud. With real fraud, they will lose money. So, this system needs to be good at verifying ID. But authorization? Credit card companies have a reputation for having greater consumer protections, but how many people actually dispute a bill if there's some chance they were at fault? Obviously they can't go overboard with this, but most of this isn't usually their fault anyway. How much "authorization" is wielded now by credit card companies when someone clicks on "Buy Now!" on Amazon?

    Nobody cares about authorization. They don't now, and companies continuously seem to be pushing for less and less safeguards before you make a purchase, because they probably see that it's profitable.