Secure Mobile Payments Are Best Done In Blood

In our relentless quest for convenience, digital wallets started to give way to biometric payments before they even really took hold. And already the fingerprint ID, still a novelty feature in smartphone authentication, is being pushed aside in favor of a biometric marker experts say is more secure, accurate, and convenient: your veins. Your body's the new wallet, and your blood is the new credit card number.

Veins are the rising star of biometric payments, as we were reminded this week after a Swedish startup debuted its vein-scanning payment technology, Quixter, one of the first to be commercially adopted. If you're not familiar with vein-scanning, how it works is simple: You hover your palm in front of an infrared light scanner and the system recognizes the unique pattern of your veins to identify you.

It's the same concept of other biometric authentication options like the fingerprint scan, iris scan, or facial recognition tech, but veins are like the Goldilocks of biomarkers. Every person's vein pattern is totally unique, even in identical twins; the pattern doesn't change as the body ages; and you can't actually see most people's veins so they're extremely hard to counterfeit—but they're still possible to scan without any physical contact, making them extra convenient.

Fingerprints had a good run, until it became clear that a greasy thumb smudge and a bit of silly putty was all a hacker needed to steal someone's identity. And consumers tend to find the idea of staring into a camera while a laser scans their eyeballs overly intrusive. So security experts are pretty excited about vein-scanning, or "hand vascular pattern identification," to use the technical term. The technology has been around for over a decade, used for forensics, authentication in some hospitals, schools, and ATMs in some countries, namely in Asia. But it's been very slow to take off commercially.

"Vein scanning biometrics is not nearly as popular as face, fingerprint, iris or voice recognition. And for whatever reason, it is not as popular in the US as it is in Asia," Professor Kevin W. Bowyer told me. He's chair of the computer science and engineering department at the University of Notre Dame, and has won awards for his work in biometrics. In the research community, vein-scanning "is one of those exotic 'other' or 'niche' biometrics," he said.

That may be starting to change. In Sweden, the Quixter system profiled this week is now used in 15 shops and restaurants around the Lund university where it was developed, with plans to expand.

In the US, PulseWallet, recently renamed Biyo, is working to commercialize its digital wallet/vein-scanning payment terminal that lets you pay with your hand. It's based off PalmSecure, a product of the Japanese IT company Fujitsu. “The Revolution is here,” its website boasts. “No wallets. No receipts. All you need is yourself.”

As far as security goes, veins and irises are commonly believed to be a safer bet than fingerprints. Quixter founder Fredrik Leifland goes as far as to claim vein-scanning is fraud-proof. “Every individual's vein pattern is completely unique, so there really is no way of committing fraud with this system," he said in a press release this week.

Australian computer science Professor Willy Susilo of the University of Wollongong, speaking to the Sydney Morning Herald yesterday, called fingerprint scanning a "gimmick" that would soon be trumped by veins. After all, you don't leave behind "vein prints," he said.

But Bowyer isn't so sure. He said at this stage, there's not enough research know for sure the real level of accuracy or potential holes in vein-scanning as an authentication method.

After a picture of your eye, or palm, is taken in infrared light, it translates that image to a code related to the biometric data—a "biometric template," he explained, and that template is stored in the system and compared against the next eyeball or palm scan to prove your identity. To protect the stored template, it can be stored in some encrypted form. But how is that any more secure than an encrypted text password?

"Good question," said Bowyer. "One attack on text passwords is to use some knowledge about common passwords… Say you wanted to break into something in Boston, maybe you would guess that 'BostonStrong2014' would be a phrase someone might use, and then encrypt it and compare it against the list of encrypted passwords.  This type of attack can be harder with biometrics, because the biometric pattern itself starts as a more random thing."

Even if biometrics are a security dream come true, they could be a privacy nightmare. Do we really want a map of our veins stored on Amazon's servers? What if marketing companies start selling our biometric data they way they do our personal emails and phone numbers? How do we know identifying information about our bodies won't wind up in a corporate database somewhere, or the government won't stop tracking us via our biometric ID? Even if the biometric data is encrypted, we know that's hardly foolproof. What’s more, if a hacker or spy does get ahold of bio-data like your vein pattern or iris, it's not like you can just reset the information like changing your password. Those are the only palms and eyeballs you've got.

Biometrics aren't a panacea for privacy in the digital age; there probably isn't one. But if convenience wins out anyway, as it seems to be doing so far, we should expect to see more vein-scanners on sales counters soon.