Law Offices of David J. Bartone


Biometrics in E-Commerce:  A Leap into the 21st Century


As financial institutions search for more secure authentication methods for bank card processing, e-commerce, computer user-access and other security applications, biometrics is gaining increasing attention in the business and legal communities. After years of research and development, several biometric identification systems have been developed.  Some are relatively new, but even in their fledgling state, those systems have substantially improved the integrity of identification processes.


Security systems normally utilize three types of authentication methods: (1) something the user knows (a password, PIN, or piece of personal information, such as your mother’s maiden name, for example); (2) something the user owns – a card key, smart card, or token, like a secure ID card; and/or, (3) something the user is; that is, a physical aspect of the person’s being – a biometric.  Of these, a biometric is the most secure and convenient authentication tool.  It cannot be borrowed, stolen, or forgotten, and forging one is practically impossible.  Biometrics measure an individual’s unique physical and/or behavioral characteristics to recognize or authenticate that person’s identity. Common physical biometrics include: fingerprints; hand or palm geometry; and retina, iris, or facial characteristics.  Behavioral characteristics include signature, voice (which also has a physical component), keystroke pattern, and gait. Of this class of biometrics, the technologies for signature and voice are the most developed.


A fingerprint biometric looks at the patterns found on a fingertip. The thumb print is commonly used.  There are a variety of approaches to fingerprint verification. Some emulate the traditional police method of matching the details of the print.  Others use straight pattern-matching devices.  Some verification approaches can detect when a live finger is presented and when it is not.  A greater variety of fingerprint devices is available than for any other biometric. As the price of these devices and processing costs decrease, using fingerprints for identification purposes is gaining acceptance, despite the common-criminal stigma.


Hand geometry involves analyzing and measuring the shape of the hand.  This biometric offers a good balance of performance characteristics and is relatively easy to use.  It might be suitable where there are more users or where users access the system infrequently and are perhaps less disciplined in their approach to the system.  Accuracy can be very high if desired, and flexible performance tuning and configuration can accommodate a wide range of applications.  Organizations are using hand geometry readers in various scenarios, including time and attendance recording, where they have proven themselves to be extremely popular. Ease of integration into other systems and processes, coupled with ease of use, makes hand geometry an obvious first step for many biometric projects.


A retina-based biometric involves analyzing the layer of blood vessels situated at the back of the eye.  It is an established technology that involves using a low-intensity light source through an optical coupler to scan the unique patterns of the retina.  Retinal scanning can be quite accurate.  However, the downside is that it requires the user to look into a receptacle and focus on a given point.  This is not particularly convenient if the user wears glasses or is concerned about having close contact with the reading device. For these reasons, retinal scanning is not warmly accepted by all users, even though the technology itself is reported to work well.


An iris-based biometric, on the other hand, involves analyzing features found in the colored ring of tissue that surrounds the pupil.  Iris scanning is undoubtedly the least intrusive of the eye-related biometrics because it uses a fairly conventional camera and requires no close contact between the user and the reader.  In addition, it has the potential for higher than average matching performance.  Iris scanning works with glasses in place and is one of the few devices that can work well in identification mode.  Ease of use and system integration have not traditionally been strong points with iris scanning devices; it is expected that improvements in these areas will be made as new products emerge.


Face recognition analyzes facial characteristics.  It requires a digital camera to develop a facial image of the user for authentication. This technique has attracted considerable interest, although many people do not completely understand its capabilities. Some vendors have made extravagant claims for facial recognition devices, which are very difficult, if not impossible, to substantiate in practice. Because facial scanning needs an extra peripheral not customarily included with basic computers, it is more of a niche market for network authentication.  However, the casino industry has capitalized on this technology to create a facial database of scam artists for quick detection by security personnel.


Security systems use the aforesaid biometrics, among others, for two basic purposes.  The first is to verify a user; the second is to identify a user.  Identification tends to be the more difficult of the two uses because a system must search a database of enrolled users to find a match.  The biometric that a security system employs depends in part on what the system is protecting and what it is trying to protect against.
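The difference between verifying and identifying a user can be shown in a short Python sketch, added here as an illustration and not taken from the original article. It assumes templates are 256-bit strings compared by the fraction of differing bits, with a constructed database, threshold, and per-comparison false-match rate.

```python
import random

BITS = 256          # assumed template length (constructed for this example)
THRESHOLD = 0.25    # assumed match threshold: max fraction of differing bits

def distance(a: int, b: int) -> float:
    """Fraction of bits that differ between two templates."""
    return bin(a ^ b).count("1") / BITS

def enroll(n_users: int, seed: int = 1) -> dict:
    """Build a constructed database of random enrolled templates."""
    rng = random.Random(seed)
    return {f"user{i}": rng.getrandbits(BITS) for i in range(n_users)}

def noisy_sample(template: int, flips: int = 20, seed: int = 2) -> int:
    """Simulate a fresh reading: same person, but a few bits differ."""
    rng = random.Random(seed)
    for pos in rng.sample(range(BITS), flips):
        template ^= 1 << pos
    return template

def verify(probe: int, claimed_id: str, db: dict) -> bool:
    """1:1 check: compare only against the claimed identity's template."""
    return claimed_id in db and distance(probe, db[claimed_id]) <= THRESHOLD

def identify(probe: int, db: dict):
    """1:N search over every enrolled template; returns (id or None, comparisons)."""
    best_id, best = None, 1.0
    for user_id, template in db.items():
        d = distance(probe, template)
        if d < best:
            best_id, best = user_id, d
    return (best_id if best <= THRESHOLD else None), len(db)

def false_match_chance(per_comparison_rate: float, n_enrolled: int) -> float:
    """Chance an unenrolled person matches someone, assuming independent comparisons."""
    return 1 - (1 - per_comparison_rate) ** n_enrolled

if __name__ == "__main__":
    db = enroll(1000)
    probe = noisy_sample(db["user42"])
    print(verify(probe, "user42", db), identify(probe, db))
    print(false_match_chance(0.001, 1), false_match_chance(0.001, 1000))
```

Verification costs one comparison, while identification costs one per enrolled user, and the same per-comparison error rate compounds across the whole database.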


E-commerce developers are exploring the use of biometrics, smart cards and bank cards to verify a party’s identity more accurately.  For example, many banks are interested in this combination to authenticate customers and ensure non-repudiation of online banking, trading, and purchasing transactions.  Point-of-sale (POS) system vendors are working on the cardholder verification method, which would enlist smart cards and biometrics to replace signature verification and use of personal identification numbers.  MasterCard has estimated that adding smart-card-based biometric authentication to a POS credit card payment will decrease fraud by 80 percent.  Some developers are using biometrics to obtain secure services over the telephone through voice authentication.  Voice authentication systems are currently deployed nationwide.  Some developers use the catch phrase:  "No PIN to remember, no PIN to forget."


Accompanying the implementation of some of these systems, there has been an ongoing debate over two issues: (1) effectiveness and infringement on civil liberties; and, (2) the implementation of this type of software. Face recognition has been criticized as being a potential violation of our civil liberties.  Privacy is a major concern, especially when the general public may be somewhat uninformed of the capabilities of such a system. On the flipside of this debate, many people feel that biometric technologies are imperative to the prevention of fraud in bank card processing and e-commerce and to our security in the wake of September 11.  They also argue that it could be a great tool for apprehending criminals.  Advocates of such technology place emphasis on the fact that if you are obeying the law then you should not worry about the existence of this technology.