Are Fingerprints a Secure Way to Pay?
You may have heard Google wants to absorb your wallet into your smartphone. But these days, slimmer is better. So how about making the wallet disappear altogether? Paytouch wants to link credit cards to fingerprints (your index and middle fingerprints, to be exact). What’s the advantage of a fingerprint payment system? No more carrying around cards. No more losing cards. No more worrying about identity theft. Fingerprints are unique and therefore secure (maybe). The world is your oyster, and your oyster alone.
Sounds lovely. But a few (mostly worried) thoughts come instantly to mind. First, our fingerprints are unique whether or not they’re attached to our hand. That sounds like a dangerous incentive to chop off a few fingers, no?
Apparently, people worry about this one a lot. So much so, that Paytouch’s FAQ helpfully notes their scanners use a “very low electric shock…to detect pulse and finger ridges.” Fingers with no pulse will get you nowhere. (And no sales clerk is going to allow you to place a pair of disembodied fingers on the scanner.)
But here's something else: Take a moment to google “how to fake fingerprints.” What do you know? Unsurprisingly, there are numerous "how-to's" out there (YouTube, WikiHow, eHow, etc.). All you need is a good copy. And as any lover of detective stories knows, we tend to leave copies of our prints everywhere.
A prospective thief need not steal your card, or learn your social security number, or break into your house—he only has to follow you around for a day. Or maybe some enterprising thieves will go “phishing” for prints by selling folks items and yanking their print profile from the scanner.
Once our future-thief has a good print image, a fake fingerprint will soon follow. Sure, the scanner detects a heartbeat, but ultra-thin material should allow enough of a pulse to fool the machine. Or if the scanner doesn’t like the artificial fingerprint material because it doesn’t conduct electricity like human skin—soon enough, we’ll be 3D printing tissues and real fingerprints to order.
According to MythBusters, there's no need to wait. The show reportedly fooled a scanner that detects prints, body temperature, pulse, and skin conductance with a 3D-imprinted latex strip, 3D-imprinted ballistics gel, and even a photocopy of a scanned print!
The final worry: You're in trouble if/when your prints are stolen. We can easily replace a card…but a fingerprint? Once compromised, there's no substituting it with a new copy.
Maybe the point isn't perfect security, but good enough security. That is, security that slows down or demotivates theft. And in this case, two fingers are better than one. Likely, in the future it'll be a continuous back-and-forth between security makers and security breakers. And the best last line of defense will be common sense and attention to your accounts, just as it is today.