By Richard Booth
I was in South Africa recently discussing the rising threat of online shopping scams and card fraud with some of the local banks and industry bodies. As I was boarding the plane in London, I noticed an HSBC advert which had the tagline “you are your data” below an image of a thumb where the thumbprint was made up of tiny binary numbers. It was a clever advert and one that got me thinking about personal data for most of the flight.
Further context was added after reading the news of the photos that were taken of the Duchess of Cambridge while on holiday. This type of invasion of privacy from the paparazzi can be compared to malware sitting on your computer or mobile phone sifting through all of the personal data it can get to. Another comparison can be drawn between these two incidents: motive. Make no mistake, fraudsters and paparazzi alike are out to make money, and often their methods raise serious ethical questions about invasion of privacy.
One thing that strikes me about the way that online shopping continues to be conducted around the world is that many systems still rely heavily on data to analyze the risk of an online transaction. This data is usually obtained from a number of different sources. Some of the data could be answers to questions that you provided during enrollment. Other data could be shopping behaviors and transaction history that the banks store about you. Yet other data could be transparently gathered, like the IP address and service provider you are connecting through.
When it comes to authenticating yourself to a system or transaction, this multi-faceted gathering of data is referred to as multi-factor authentication. It is made up of several things that you have and several things that you know. Thinking back to the HSBC advert and the Kate photos made me realize it probably isn’t too long before another dimension is widely accepted in the world of consumer authentication: something you are.
It wasn’t Kate’s account number or ID number that distinguished her identity in the recent news articles. She wasn’t asked to show her passport or submit a password for audiences to know it was her. We recognised her face. Biometric authentication is all about something you are! It could be your fingerprint, your retina or iris pattern, your facial profile, a voiceprint or even the speed and pressure you apply when typing or signing. And this is what HSBC meant by “you are your data”. How long will it be before, instead of passwords and PINs, systems simply scan us or listen to our voice to know that we are who we say we are?
Biometrics isn’t new technology; in fact, it has been around for quite some time. The challenge has been refining it to a point where consumers feel comfortable with it. Ten years ago, biometric authentication was only something top secret government facilities used, or at least they did in the movies. Nowadays it is becoming more commonplace, and the explosion of all things “mobile” makes it so much easier. Your smartphone can now be used to perform biometric authentication in many of the ways I talked about earlier. I guess my burning questions for you are: how comfortable are you with biometrics, and are you prepared for the risks to your privacy that biometrics could pose?
Richard Booth is…
This blog was contributed by Richard Booth of RSA’s Identity and Data Protection Group.