Biometrics

Biometric payments findings

by Mark Rowe

Consumers are nearly twice as likely to trust banks to store their biometric information and keep it safe (60 per cent) as they are to trust government agencies (33 per cent), according to a new study from plastic payment card company Visa.

When asked who they would trust to offer biometric authentication as a service to confirm identity, the largest percentage selected banks (85 per cent) and payment networks (81 per cent) ahead of global online brands (70 per cent), and smartphone companies (64 per cent). This level of trust has grown significantly in the past two years, up by 20 percentage points from 65 per cent in 2014, when the Visa Biometric Payments study was first conducted.

Nearly two-thirds of consumers (64 per cent) want to use biometrics as a method of payment authentication and familiarity is increasing the comfort level of British consumers. The growth in fingerprint authentication for mobile payments is bringing to life the benefits of biometric authentication, which is why 80 per cent of the people surveyed said they were the most comfortable with fingerprint recognition. Fingerprint authentication (88 per cent) is also viewed as the most secure form of payment, ranking higher than other biometric authentication options such as iris-scanning (83 per cent) and facial recognition (65 per cent).

Comments on the findings

Kevin Jenkins, UK & Ireland Managing Director at Visa, said: “Banks have a tremendous opportunity in this payment revolution. From trialling voice recognition to behavioural biometrics for authentication, we’re already seeing banks – both high street and challenger banks alike – making positive steps to adopt this technology in a variety of use cases. This consumer confidence in both authentication as well as the storage of their biometric data gives banks the perfect win-win scenario, enabling them to provide a service that the public wants which will also benefit the banks themselves.

“Visa is already supporting a number of institutions in the development of emerging forms of authentication. We will continue our role as an enabler of payments and will remain tech agnostic when working with banking partners to ensure that new and emerging forms of payment authentication take place securely, conveniently and discreetly.”

Robert Capps, VP of business development at NuData Security, said: “This study establishes that there is a strong desire on the part of consumers to have a secure user experience when interacting and transacting online. The desire may not align with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication aren’t foolproof, and there are challenges that may block widespread adoption in non-face-to-face interactions. The fact that 85pc of respondents see banks as the most trusted institution in the provision of biometric authentication isn’t surprising, given that they are part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering outstanding user experience.

“Physical biometrics can be part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints, voice and retinal scans can be spoofed. And, unlike passwords, physical biometrics can’t be changed. It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data.

“Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en masse. Stolen data is often traded and consolidated into larger, more accurate profiles that can be re-used for a number of nefarious purposes from espionage, to identity theft, and financial fraud. Selfies and voice biometrics have contextual issues: it may not always be appropriate to take a selfie or provide a voice sample to authorise an online transaction, particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, airports, or in a culturally sensitive place). Beyond social and cultural issues, there are concerns about how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day-to-day life.

“While liveness verification has become a standard in modern physical biometric verification systems, they are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials – effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non-face-to-face transactions.

“The true strength of behavioural biometrics is in providing trust. While the consumer trusts the fingerprint, or the voice print, retinal scan or any other visible security the bank may choose, that is what they see and how they feel – it’s the guard at the door, if you will. Using passive and invisible behavioural biometrics (BB), the bank can also have full trust in their key objectives, protecting the user account and providing a good customer experience. In this way BB solutions can draw a straight line to a trust-trust relationship between banks and customers.

“Another advantage of BB solutions is that they use non-static signals and indicators of human identity – signals that cannot be stolen, reused or replayed for impersonation. It can therefore provide a high degree of confidence in the identity of the user. Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint. Additionally, with BB, users can even be rewarded for good behaviour with a white glove experience, or extra perks and incentives, giving banks and e-commerce companies the unheard-of potential to actually improve their brand experience with their security layer.”

Paco Garcia, CTO at Yoti, said that the findings from Visa reaffirm the idea that banks are showing more support for biometric authentication than ever. “Recent announcements from major high street banks such as Nationwide’s behavioural biometrics and HSBC’s voice recognition demonstrate that the sector is leading the move into biometrics. It’s no surprise that banking and payment processors are moving so quickly to adopt these new processes – they are under huge competitive pressure from digitally native newcomers.

“Biometrics introduce better fraud detection, better identity management, better audit trails, better internal controls and, as a result of all of that, more trust from consumers. As such, the public sector should be looking to the financial industry for inspiration on how it can keep up with changing consumer trends. Today’s report highlights some key opportunities for the government to encourage more consumer trust by introducing innovative security technologies. The government needs to show consumers that it is using the latest security measures and looking after consumer data. Once it does this, confidence will grow and biometrics will really become the norm across all industries.”

Stephen Love, Security Practice Lead – EMEA, Insight, said: “The fact that over half (57 per cent) of organisations have admitted to not fully understanding the implications that the EU General Data Protection Regulation might have on their business is not surprising. Despite the results of June’s referendum, from May 2018, any organisation found to be in breach of the new EU GDPR will be subject to considerable fines that could damage the financial stability of the company and, coupled with the reputational fallout, could see the business facing bankruptcy.

“So why are over half of UK businesses failing to prepare? Some believe the EU referendum would affect the implementation of the legislation, others think it doesn’t apply to their business and others are simply delaying addressing it as it doesn’t fall into this financial year. However, whatever the reason, it is something that urgently needs addressing.

“For an organisation to adhere to the new EU data regulation, they first need to identify the key data that they need to protect, understand where it resides and what value the data has. Additionally, and perhaps most importantly, companies need to evaluate who has access to this data. Once this is established, the organisation needs to create a security strategy and policies that will enable them to not only protect this data but also secure admittance to it. Further solutions can then be implemented to secure the data, from cutting edge, next generation firewall solutions to data loss prevention tools, ensuring the integrity of the data. Identity and Access management solutions and multifactor authentication will also allow for the governance and control of user admission to on-premise and cloud services.

“Planning ahead is the best course of action for any business. 2018 might seem a way off, but we are already nearing the end of 2016 and, before we know it, the new legislation will come into effect. Addressing the EU GDPR now will allow businesses to budget and prepare, taking manageable steps to ensure a compliant business environment that will help protect the company from the potential fallout of non-compliancy.”

Johan Dalnert, of BehavioSec, said that UK consumers are realising the banking sector’s forward thinking and innovative attitude towards security technology. “With so many main high street banks such as HSBC and Nationwide launching biometric authentication methods in the past couple of months, the industry is clearly taking a proactive approach in finding security solutions that are in line with changing consumer behaviour. It’s uplifting to see that the banking sector gets the trust they deserve as they have focused on keeping their customers’ trust during the digital transformation whilst ensuring they don’t neglect the user experience in the process of trying to secure their customer data. The finance industry has paved the way for other tech sectors to do the same and as customers become more accustomed to using biometrics for their banking, it shouldn’t be long until we see consumers trust biometric security to secure other aspects of their daily lives.”

About the research

Visa commissioned the research with Populus. The research was conducted between 22 April and 6 May 2016 in seven European countries: UK, Sweden, Spain, France, Germany, Italy and Poland. The total sample size was 14,236 with around 2000 respondents per country.


© 2024 Professional Security Magazine. All rights reserved.