The privacy perils of biometric security

Business Spectator 11 October 2012

It may sound like something straight out of a James Bond movie, but believe it or not, Australia’s major banks are moving to embrace biometric security systems.

There are two main reasons why the banks are moving in this direction, both of which revolve around customer experience. The first is to improve their customers' experience whilst utilising ATMs and Eftpos machines and terminals. The second is to remove the need for customers to carry around a wallet or purse full of plastic cards.

But the move is a bit of a gamble, as it’s still uncertain as to how consumers will respond to this new technology.

The case for a biometric security system

Biometric security systems utilise some aspect of a person’s physiology to verify identity. Law enforcement agencies have been using biometrics, including fingerprints and DNA, to solve crimes for decades.

But are biometric security systems practical for anything other than law enforcement?

Banks aim to introduce biometric security systems to reduce the incidence of fraud. There’s also the fact that using ATMs and Eftpos is time consuming and requires customers to have a plastic card that stores account details and to remember a Personal Identification Number (PIN).

By using biometric security there would be no need for customers to have the plastic card or to remember a PIN.

Customers would press a thumb against a scanner or have their eye scanned and then be able to complete the transaction.

ATM and Eftpos security could be enhanced by using a combination of biometric security and a near field communications (NFC) capable smartphone that has a bank-provided security application installed. A customer would have their thumb or eyes scanned and then wave their phone near the ATM or Eftpos terminal to complete a financial transaction.

There is no doubt that a combination of biometric security and NFC would improve customer experience when using ATM or Eftpos and remove the need for customers to carry plastic.

Introducing biometrics into banking would overcome the banks’ customer service challenges, but there are still lingering issues around the technology.

Hollywood leads the way in circumventing biometric security

Movies have embraced biometric security - not because biometric security is a futuristic concept that moviegoers will find entertaining but because movie makers have found moviegoers are captivated by portrayals of how to overcome biometric security systems - many of which are gruesome.

With a new James Bond film on the way, it may be a good time to revisit how biometric security systems were portrayed in previous Bond films. In Die Another Day, James Bond cut off the arm of a dead bad guy so that he could press the hand against a door security scanner to open a door. In Never Say Never Again, one of the bad guys had an eye transplant to fool a retinal scanner protecting nuclear weapons.

Many films have now been released that highlight how to circumvent biometric security systems. This is an unfortunate situation where movies have generally portrayed biometric security in a bad light but possibly for all the right reasons - biometric security systems are not perfect. 

But perfect or not, biometric security systems do have practical use. In the US, biometric security-based gun safes have been available for many years and have been found to reduce the incidence of a child finding the key to a gun safe, accessing the guns inside and killing themselves in a gun-related accident.

Can we trust the banks with our biometrics?

Another issue could be privacy concerns among customers, who may not want to utilise biometric security systems. There is concern that companies that utilise biometric security systems will trade or sell biometric data collected from their customers.

In 2003, at a Security in Government Conference, Malcolm Crompton, the Federal Privacy Commissioner, highlighted the use of new biometric technologies as being either Privacy Invasive Technologies (PIT) or Privacy Enhancing Technologies (PET), depending on implementation and use.

Add to this a point made by Roger Clarke, a visiting professor at the Australian National University.

"Biometrics are among the most threatening of all surveillance technologies, and herald the severe curtailment of freedoms, and the repression of ‘different thinkers’, public interest advocates and ‘troublemakers’," he said.

An inevitable move to biometric security

Philip Chronican, CEO of ANZ Australia, recently indicated that a Newspoll survey commissioned by the ANZ found that 67 per cent "would be comfortable" using an eye scanner. The bank now plans to slowly introduce biometrics into ATMs commencing in 2013 and initially permit deposits to be made using biometric security.

Be assured that our future will include the use of biometric security. In five years biometric security will be incorporated into many aspects of our lives. There will be benefits, including not having to carry plastic cards for financial transactions, magnetic cards to access swipe-card-activated doors or keys to start your car.

But what is the cost? An Australian's right to privacy will be compromised unless the government bans the trade or sale of biometric data and sets an appropriately high jail term for directors of companies that fail to comply.

Mark Gregory is a Senior Lecturer in Electrical and Computer Engineering at RMIT University