Could Biometrics Help Eliminate Identity Theft?

Guest Post by Kayla Matthews

Now that biometric technology has found a place in many people’s lives through their phones and devices, could it help solve the issue of identity theft? If so, how would we get it done?

If it’s implemented well, biometric technology is superior to previous security standards. It may not be enough on its own, however, and it introduces several new headaches. Let’s look at some of the potential benefits and some of the problems that could arise out of our using this technology.

Why biometrics?

The U.S. Federal Trade Commission finds that identity theft victims pay a total of $5 billion out of their own pockets each year to resolve identity theft incidents. The FTC puts the cost for the business community at around $50 billion every year.

One of the reasons why this problem is so stubborn is because our technology hasn’t caught up yet. Pew Research polling finds that as many as 39 percent of adults in the United States use similar or identical passwords across accounts and 25 percent knowingly use less-secure passwords than they should.

Overall, our password hygiene is poor. Plus, two-factor authentication via email isn’t that safe because email itself isn’t that safe.

Biometrics leverage features that are unique to each of us. This includes fingerprints, scans of our retinas, irises or faces, recordings of our voices, prints of our hand geometry and even behavioral characteristics. Many of us are already accustomed to pressing our finger to our phones or holding still for a quick scan with the front-facing camera, but this is a broader category than that.

However, each type of biometrics technology generally relies on three components to work: a sensor to collect data, software to interpret the results, and a device to interact with and house the other components.

Biometrics are fundamentally safer than passwords and other types of security for several specific reasons. That’s not to say they’re without potential pitfalls, though.

Why biometrics work against identity theft

Biometrics may soon become an even more common bulwark against identity theft and other types of digital fraud. They are already helping to phase out encryption keys, one-time codes, and traditional passwords in some places. Here are some of the reasons:

• Biometrics make people the password. Ordinary passwords can be stolen or forgotten. Passwords are more secure with a secondary PIN number, but this doubles the amount of information a user must retain, or that they can misplace or have stolen.
• Biometrics are more difficult to fake compared to other types of security. For example, two-factor authentication relies on secondary devices which may, themselves, be compromised.
• Biometrics are becoming more ubiquitous. This is thanks in large part to consumer technology. Research says around a billion fingerprint-reader-equipped phones are sold per year. As a result, 93 percent of top banks in the United States have added biometrics to their mobile apps.

For those who’ve experienced identity theft, it is every bit as unpleasant as the name makes it sound. Somebody has compromised and leveraged your very identity to satisfy their own ends. To protect something so personal to you, it just makes good sense to use a type of security that’s equally personal. So far, nothing beats biometrics.

The points above cover three things that are vital to the successful rollout of any new security paradigm: it’s more secure than what came before, it’s more convenient, and it has the means to achieve quick adoption. But what is it about identity theft, specifically, that makes biometrics a good fit here?

Identity crimes most frequently take the form of social engineering (coercion or deception over the phone or online), mail theft, and credit or debit card theft. The addition of biometrics into the equation would seem to raise the security bar significantly:

• It’s not enough that a dumpster-diver can spoof your phone number and your address to apply for a personal loan. Your bank can tell it’s not them based on the sound of their voice.
• It’s not enough that a cyber-criminal has your Social Security number and the login credentials for your health insurance app. In order to order a prescription refill, the app needs a fingerprint scan.
• It isn’t enough that somebody bought your credit card information on the black market. You’ve locked down your card controls using your fingerprint or face scan. The card is useless to them.

Biometrics represent an important addition to the existing cyber-security and identity crime tapestry. At the end of the day, however, even face and fingerprint data is zeroes and ones. Storing our zeroes and ones anyplace still requires a certain leap of faith.

What are the problems with biometrics?

There may come a day when we use this tech to secure each of our internet accounts, pick up our train tickets and boarding passes, pay for morning coffees, and navigate every interaction with every public institution, from the local library to the IRS.

Nevertheless, there are already some stumbling blocks when it comes to using biometrics as the new de-facto security standard:

• Biometrics aren’t foolproof. Many people became familiar with biometrics technology thanks to smartphones from Apple and Samsung. Neither of these technologies has a perfect track record, meaning dedicated criminals may still find a way in if they want to. High-resolution photos and photorealistic masks can unravel a digital identity built on facial identification.
• Biometrics have inconsistent appeal. Facial recognition had a 34 percent approval rating among adults in the United States in a recent Morning Consult poll. A similar poll in the U.K. said 54 percent of adults found facial recognition technology creepy.
• Biometrics are politically divisive. In 2019, San Francisco became the first U.S. city whose board of supervisors voted to ban the use of facial recognition technology within city limits. Police departments already claim to depend on the technology, but civil liberties groups have long opposed its use. Lawmaking on the subject will be inconsistent for many years, and possibly longer.
• Biometrics require expensive infrastructure. Social Security numbers and other identifiers require infrastructure to use, but not as much as facial recognition cameras or retina scanners. Biometrics may not be cost-effective everywhere.
• Biometrics cannot be changed. This may be the most critical potential downside to the widespread use of biometrics technology. A password is something the user can change. They can even get a new phone number, email address, PIN or other identifier. But fingerprints, iris scans, and face scans are unique to you and cannot be changed once they’ve become compromised.

Like any other packet of data, the digital “key” that is your iris or face scan must be stored securely on a device or transmitted elsewhere for storage and/or processing. Whether in transit or at rest, this intimate data is only as secure as the companies entrusted with it.

It’s smart to stay aware of biometrics and other developments in digital security. But like everything that came before, it’s wise not to put all of our faith in any one protective measure, and to take every vendor, developer, and manufacturer’s security claims with a grain of salt.

Kayla Matthews, a tech and security journalist, has written articles for sites including WIRED, Information Age, Security Boulevard, and the National Cyber Security Alliance. To see more of her work, follow her on Twitter @KaylaEMatthews or check out her tech blog, Productivity Bytes.