Last year, 30 percent of all e-commerce transactions were executed from a mobile device, according to Internet Retailer. As mobile shopping continues to represent a large slice of online sales, card companies are sprinting to develop technology to better protect this new type of card-not-present transaction from fraud. While physical biometric authentication, such as fingerprint or facial scanning, has emerged as the most popular verification method in recent months, some contest the depth of its security.
More secure than a heartbeat
According to Robert Capps, vice president of business development at NuData Security, using a single form of biometric data is no more secure than simply adding a second password. As he explains in an article published in Mobile Payments Today, this is because biometric information like heartbeats and fingerprints are static. If a fraudster wanted to crack an account, he or she would only need to obtain a high resolution image of the fingerprint or a recording of the heartbeat, which is a pattern that does not change. In fact, it is their unchanging nature that allows us to use physical markers as identifiers in the first place.
While these methods may seem restrictively complex, that is simply because the concept is still relatively new. If biometric identifiers were used universally in the long-run, it would only be a matter of time before fraudsters developed a systematic way to steal such data, similar to the way they they developed "skimming" systems to extract data from credit cards.
Subconscious, but unique
Instead of physical biometrics, security experts are beginning to explore the world of so-called "behavioral biometrics." Behavioral biometrics include subtle details such as the angle at which people hold their phones, the way they perform gestures on the screen and the speed and pressure with which they type. While performed completely subconsciously, these habits are unique to each user. By analyzing this data, which our phones already have the technology to collect, security companies like NuData hope they will be able to detect when a thief is attempting to log in using someone else's credentials.
Plus, Capps explains, "unlike physical biometrics, the markers based on user behavior cannot be stolen, duplicated or reused."
Of course, everyone's habits vary from day to day, and may even change significantly over time. According to Capps, these shifts can be accounted for by using an aggregation of multiple behavioral metrics, as it is rare that they will all change significantly at once.
"In addition to boosting security, behavioral biometrics are more convenient."
In addition to boosting security, behavioral biometrics are more convenient for consumers. Rather than interrupting the checkout process with a prompt to scan their fingerprint or face, consumers would be able to checkout the same way as they always have, with the authentication running in the background. As NuData's marketing director, Matthew Reeves, explained to InformationWeek, behavioral metrics are about "what can we observe, rather than request from people."
NuData is not the only company pursuing behavioral authentication. Israeli-based startup Biocatch is also working to create what is calls a "passive biometric" system, as well as tech startup Toopher, which was recently acquired by Salesforce.
While these technologies may not yet be mainstream, their eventual adoption could significantly lower merchants' risk of accepting fraudulent payments, in turn reducing their number of costly chargebacks.
At Vantage, we offer merchants the latest in both e-commerce and app-commerce to help speed up checkout the checkout process and boost conversion rates. To speak with one of our expert payment advisors, contact us today.