Biometric authentication systems for credit cards could put identity thieves out of business

This is a survey from IEEE Spectrum about identity theft and the new biometric technology that should be used to reduce this problem.

According to data from the Aberdeen Group, Boston, the cumulative ID theft losses suffered by tens of millions of individuals and businesses worldwide registered at an estimated $221 billion in 2003. Aberdeen, which assumed an enormous 300 percent compound annual growth rate, projected that losses would rise to an almost unfathomable $2 trillion in 2005. More recent numbers from Javelin Strategy and Research, based in Pleasanton, Calif., indicate a much lower growth rate, at least in the United States, where total losses rose from about $48 billion in 2003 to $56.6 billion in 2005.

Clearly, it is far too easy to steal personal information these days—especially credit card numbers, which are involved in more than 67 percent of identity thefts, according to a U.S. Federal Trade Commission study.

The sensors, processors, and software needed to make secure credit cards that authenticate users on the basis of their physical, or biometric, attributes are already on the market. But so far, the credit card industry hasn’t seen fit to integrate even basic fingerprint-sensing technology with their enormous IT systems. Concerned about biometric system performance, customer acceptance, and the cost of making changes to their existing infrastructure, the credit card issuers apparently would rather go on eating an expense equal to 0.25 percent of Internet transaction revenues and the 0.08 percent of off-line revenues that now come from stolen credit card numbers.

Even if thieves fashion a latex glove molded in a slab of gelatin containing a nearly flawless print of your right index finger, painstakingly transferred from a cocktail glass. Such an effort would fail, thanks to new applications that test the vitality of the biometric signal. One identifies sweat pores, which are just 0.1 millimeter across, in the ridges using high-resolution fingerprint sensors. We could also detect spoofs by measuring the conduction properties of the finger using electric field sensors from AuthenTec Inc., of Melbourne, Fla. Software-based spoof detectors aren’t far behind. One of us (Jain) is currently leading an effort at Michigan State University, in East Lansing, in which researchers are differentiating the way a live finger deforms the surface of a sensor from the way a dummy finger does. With software that applies the deformation parameters to live scans, we can automatically distinguish between a real and a dummy finger 85 percent of the time—enough to make your average identity thief think twice before fashioning a fake finger.

Biometric authentication systems based on available technology would be a major improvement over conventional authentication techniques. If widely implemented, such systems could put thousands of ID thieves out of business and spare countless individuals the nightmare of trying to get their good names and credit back. Though the technology to implement these systems already exists, ongoing research efforts aimed at improving the performance of biometric systems in general and sensors in particular will make them even more reliable, robust, and convenient.