I’ve said this many times: If you want any added level of convenience added to any technology, you will need to relax its security. Of course, it isn’t always the case, but there are very few exceptions to this rule. If you are curbing the security in your tech, you are opening yourself up to attacks and theft. It’s that simple. So, if we are so scared of having our bank accounts emptied, is it really a good idea to have mobile payments where you do not have to enter a PIN number? Android Pay, announced by Google earlier in 2015, has a form of near-field communication (NFC) payment authentication that doesn’t require you to enter your PIN for your cards. Knowing the kind of audience you are, I am betting you are curious how this is going to play out and whether this is actually safe at all.
What’s the Deal?
The push for convenience in mobile payments is quite literally one of the most pressing matters in the security community. There are many attempts to make them even more convenient than they already are, with the most current technology requiring only that you put some money into a special digital wallet that allows you to make payments “on the fly.” Google Wallet is of note, although it still requires you to input a PIN number. There are a number of other services that do not necessarily require any more authentication than holding your physical phone up to a point-of-sale platform (the money is transmitted as soon as the phone gets near the POS).
Google has introduced a new mobile payment platform that does away with the PIN number entirely in a transaction and even takes award points into account on certain products and services. What this means is that payments are going to be a lot more convenient, but will they continue to be secure? Of course, given how you’re still putting your financial agency onto a mobile device, you may not have been using a secure platform to pay for things in the first place.
How Android Pay Solves The Security Issue
To Google’s credit, it appears that Android Pay uses biometric authentication with fingerprints (see here for an introduction to biometrics in banking) as an alternative to your PIN. At the time this is published, whether or not it is the default option isn’t clear, but I’m inclined to believe it isn’t. The reason why is because you may not have fingerprint recognition on your phone or may not have registered a fingerprint profile. Of course, the safe option would be to have the PIN as a fallback in case you do not have fingerprinting enabled, and I’m inclined to believe that this may well be the case.
Are other payment providers going to follow suit? I’m not sure. But there is a bit of a problem with using fingerprints to identify yourself on a glassy surface such as a phone’s touch screen, as is demonstrated in the video below.
The presenter half-heartedly insists that this method of bypassing fingerprint recognition requires a certain amount of “expertise.” That’s not necessarily the case. Rather, it takes practice to pull it off correctly. If you have more than one finger on your body and the right supplies, you have an infinite number of attempts before you get the hang of this method if you’re ambitious enough. PIN numbers are at least very difficult to guess, and Google Wallet’s PIN system did not allow you to use easily guessable combinations (such as consecutive numbers like ‘1234’ or repeating numbers like ‘2222’). A hacker would have to spend a lot more effort breaking your PIN than he would replicating your fingerprint. If someone wants your money, they will go to any lengths to acquire it.
What is your opinion? Should a fingerprint be all you need to make a payment? Is that safer than using a PIN? Tell us in the comments!