The Challenge of Consumer Identification with New Methods of Electronic Payment
This report is a review of methods to confirm identity during electronic transactions, the security of the transactions, and the compliance of new biometric identification technologies with legislative frameworks governing the protection of personal information.
After analyzing the current trend towards the use of biometric methods for consumer identification, the author concludes that biometric authentication systems will likely be no more secure than current systems, while posing challenges to consumer privacy.
Biometrics work well only if the system can verify that the biometric came from the person at the time of verification and that the biometric matches the master biometric on file. There are reasons why systems often can’t do just that. Also, although biometrics are unique identifiers, they are not secrets and are not failsafe as unique identifiers.
The author concludes that the use of biometric authentication technologies presents greater legal and financial risks than it is worth. He suggests biometrics are complementary to other existing technologies and that no single system is fully reliable.
On the issue of consumer privacy he notes that business is demonstrating an increasing propensity for collecting personal information in an attempt to manage legal and financial risk. The rapid rise of the electronic transaction card and the parallel rise in the use of Personal Identification Numbers (PINs) have led to a redefining of the respective responsibilities of the customer and financial institutions. Although security was historically seen as a shared responsibility, in practice it was a bank’s responsibility to ensure that the signature it accepted was indeed the signature of its client. According to the author, banks are making an attempt to place more of the onus on the customer.
The author feels that consumers have little control over what is being done or will be done with the information that is revealed in return for goods and services. Systems designers argue that secrecy is necessary to security, thus adopting the security-through-obscurity philosophy. The author offers evidence that this approach has long been discredited and that all stakeholders would benefit from an open discussion of the issues. Authentication systems should be designed so that the risks to banks and their commercial clients are balanced against the risks to consumers. The author fears that this is not the case and that the imbalance favours the banks, although they occasionally do a poor job of managing the risks.
OPC Funded Project
This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.
Maison du développement durable
50, rue Ste-Catherine Ouest, Bureau 440