Wednesday, May 24, 2006

Open Letter to Privacy Advocates

I read a lot on the web about how biometrics are privacy invasive. So I thought I'd address the "chicken littles" of the world and show them that when it comes to biometrics, the sky is the limit, and it's not going to be falling anytime soon. Here are the facts:

Misplaced fears impede biometric adoption There are many myths and misconceptions surrounding the use of biometric fingerprint authentication. Why? People are apprehensive about biometrics and fear that biometric fingerprint readers are not secure.

The fact is that people had misplaced fears about using ATM's, yet usage, once consumers understood convenience and speed, took off.

Ironically, now ATM's in Latin America are being equipped with biometric sensors. I'll give you one guess who owns the patent for biometric ATM transactions in the USA. The same company that bought Indivos...
www.atmmarketplace.com/news_story_10618.htm

People were also wary about making purchases on the on the web, yet online purchases swelled to $176 BILLION in 2005. And guess who owns the patent for biometric internet transactions?

www.internetretailer.com/internet/marketing-conference/68071-indivos-awarded-us-patent-tokenless-electronic-financial-transactions-using-biometrics.html


So, while biometric adoption has been impeded to some degree, it's not because there's a "beam me up Scottie" problem...instead, it's all about "unfamiliarity." As consumers become more aware about the benefits of biometric security, there's no doubt that it will be accepted for what it is...a more secure way to protect your digital information.

And wheras, online sales were less than $1 billion in 1996, biometrics have surpassed that benchmark already. (Online sales are projected to be $211.4 billion in 2006 vs. $176.4 billion in 2005) Online Sales to Grow 20 Percent This Year [USA Today - 5/22/06]

I've read so many blog posts and mainstream news media articles about how biometrics "can be fooled." The fact is people are under the false impression that biometric fingerprint readers can be fooled by fake fingers, or that the technology takes too long to implement and use. But the truth is, biometrics is still a more reliable and secure means than password protection, and for financial transactions interms of ensuring the security and privacy of digital assets.

While passwords are still the most pervasive tool used to secure today’s organizations, they are also the weakest link when it comes to securing corporate assets. Too often passwords are lost or shared between employees resulting in increased network vulnerability and internal fraud. In addition, as the number of passwords per employee increases, the likelihood of them being forgotten also rises, resulting in increased IT help desk calls.

In addition, checks are simply former blank pieces of paper filled in with all your pertinent financial information, right down to the name of the bank and your account number. Credit and Debit cards only have 12-16 numbers, whereas a Pay by Touch algorithym is 300 digits long, and protected with a 7 digit PIN number.

So let’s debunk the myths and misconceptions right here, right now; and get rid of the apprehension about biometrics. Here's seven popular misconceptions:

1. One of the most common misconceptions is that fake fingers can easily fool a fingerprint authentication system. However, with currently-available technology, the optical reader scans the fingerprint and uses an algorithm that can detect three dimensional structures so photocopies, transparencies or latent images of a fingerprint will not be accepted as valid. Moreover, today's biometric sensors incorporate military level security (can you say Pentagon) which includes the capacity to measure temperature and pulse.

2. People fear that companies are storing fingerprint images. Enterprise authentication applications do not store an actual fingerprint image, but rather identify data points on the finger to create a stream of ones and zeros that is a unique representation of the fingerprint. Pay By Touch never shares this information with ANY retailer, and the data is securely stored in IBM data centers.

3. People often make the assumption that someone out there has the same fingerprint they do, when in fact the chances of it happening are extremely slim. It’s estimated that the chance of two people, including twins, having exactly the same fingerprint is less than one-in-a-billion. So equivocate that to less than a 1 in billion chance of becoming a victim of identity theft.

4. There is concern around how biometrics addresses people who don’t have fingerprints. Truth be told, there is a rare skin disorder that affects very few people in which they don’t have an identifiable fingerprint. They will simply have to write checks or continue using their Visa and MasterCard.

5. Organizations are often hesitant to deploy biometrics because of the concern short lifespan of the reader itself. In general, fingerprint sensors are designed in mind to last as long as the user’s PC lifecycle.

6. Some believe that utilizing biometrics does not allow for multiple users, or that it simply takes too long. Indeed, multiple users can be authenticated on one terminal or computer in a shared computing environment, and it takes just a few hundredths of a second (in our case) to acquire, process, and verify a fingerprint once it has been scanned.

7. Often people think that a PIN is more secure than a fingerprint system. Not true. A 4-digit PIN code has only 10,000 combinations allowing a hacker to easily cycle through these possibilities. Whereas a reliable fingerprint system, such as from Pay by Touch, having 1/100,000 (0.00001%) false acceptance rate requires the hacker to present 100,000 unique touches to break the system.

So as you can see, despite these myths, fingerprint authentication avoids many of the security issues associated with passwords and tokens and is less susceptible to human error.

Fingerprints cannot be "guessed," shared or written down and users don’t have to think up a "strong" fingerprint, so the security of the metric doesn’t depend on human effort. People cannot forget their fingerprints like they do cards, checks, purses, even passwords, which helps to eliminate IT help desk calls.

Because biometric technologies use a physical characteristic instead of something to be remembered or carried around, they are convenient for users and less susceptible to misuse than other authentication measures.

So all you privacy advocates, let me ask you a question...do you really think biometrics are privacy invasive? Ask a reluctant welfare participant if they enjoy pulling out their EBT card for all to see, or if they prefer to pay by finger, in which case "nobody" knows their method of payment. Do a little homework and you'll conclude that biometric payments are less privacy invasive than any other payment instrument.