Biometrics invade banking and retail
Illustration: Eniola Odetunde/Axios
Banks have been quietly rolling out biometrics to identify customers — verifying them by their fingerprint, voice or eye scan — and retailers like Amazon are getting into the game.
Why it matters: These companies are amassing giant databases of our most personal information — including our gait, how we hold our cellphones, our typing patterns — that raise knotty questions about data security and privacy.
Driving the news: Amazon wants consumers to be able to pay for items in physical stores by waving their palm in front of a payment terminal, the WSJ reports.
- The system would link your palm image to a payment card.
- Amazon "plans to pitch the terminals to coffee shops, fast-food restaurants and other merchants that do lots of repeat business with their customers," the Journal reports.
- Palm biometrics haven't been used for payments on a big scale, but fingerprints have: Apple Pay and the Apple credit card involve pay-by-touch with a cellphone.
- Voice ID is also prevalent, particularly in bank call centers.
The intrigue: Banks have have had a love/hate relationship with biometrics for decades — customers are leery, and there's a high rate of failure. As anyone with an iPhone knows, a wet or greasy finger often won't work, and voice recognition systems often fail if someone has a cold (or is tipsy).
But banks — and, increasingly, retailers — have been working in overdrive to use biometrics both in back-end systems (where consumers won't see them) and public-facing ones:
- Chase, Bank of America, Citi and Wells Fargo have introduced various biometric ID options, including voice, fingerprint, eye or facial recognition.
- Mastercard and Visa are rolling out payment cards with embedded fingerprint ID.
- BMO and Mastercard pioneered "selfie pay," which lets customers authenticate themselves for online shopping.
Banks say their systems are completely secure, but they are proceeding gingerly to avoid making their customers nervous. Several banks gave "no comments" to Axios when asked about their biometrics programs; Amazon did too.
- Some banks have dropped the creepier biometrics: Republic Bank of Kentucky said in 2016 that it would let customers log in to their mobile banking app by fingerprint or eye vein scan — now it offers the finger option plus facial ID.
There are already some horror stories:
- Thumbprints have been spoofed with the type of gelatin used in Gummi Bears and a picture of someone else's thumb.
- A pair of twins hacked HSBC's phone banking voice ID system — though it wasn't easy.
- Facial recognition systems can be foiled by deepfakes, masks, and virtual reality — and they often show racial bias.
What they're saying: "A biometric is a very sensitive piece of personal information. If your password gets stolen, you create a new password. If your fingerprints get stolen, you can't create new fingerprints," Stephen Ritter, chief technology officer of Mitek, an identity verification company, tells Axios.
Reality check: Banking and credit card companies say biometrics — which, so far, are usually optional — are invaluable in fighting fraud and that spoofing is rare. They call the technology proven and safe, and say that many customers — particularly younger ones — welcome it.
- Biometric systems have ways of checking for "liveness," to guard against robots and AI intruders.
- The systems routinely avert criminal behavior. One example: Discover, the credit card company, "receives so-called voiceprints of callers — not recordings of their voice — and flags known fraudsters," reports the WSJ.
A growing number of people welcome the convenience, thanks to cellphones making finger ID routine. "If it weren't for being able to use your thumbprint on your iPhone, I think biometrics would still be something on the fringe of authenticating," Trace Fooshee of Aite Group, a banking consultancy, tells Axios.
On the retail side: Amazon isn't the only company dabbling in biometrics.
- The New York Mets have kiosks that will let you pay for snacks by fingerprint.
- A handful of quick-serve restaurants like Caliburger and Malibu Poke are letting customers order via facial recognition at self-serve kiosks.
- Mitek, which sells a face ID verification system, counts Airbnb, Instacart and Poshmark as customers.
Between the lines: What customers don't see is banks' and retailers' heavy use of "passive" or "behavioral biometrics" to thwart fraud. "On a mobile phone, that could be the angle that you currently are handling the device, whether you are typing in the password with your thumbs," Chris Reid, EVP at Mastercard, tells Axios.
- "Those passive biometrics can tell this isn't actually" the real customer.
The bottom line: Whether we like it or not, biometrics are going to be a bigger part of our lives.
- And while the banking industry is heavily regulated, the retail world is not — so there are different standards of trust and security.