Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
October 19, 2020
All Things Biometrics
Since 2014, I have written a number of posts in our Take on Payments blog on biometrics technology—the automated capture of an individual's unique physical or behavioral characteristics—and related issues. In fact, the Retail Payments Risk Forum (RPRF) hosted a conference on biometrics in November 2015 that brought experts in the field from all over the world to discuss the present and future state of the biometrics being used in consumer applications. Since that time, we have seen some smartphones move from using fingerprint readers to using facial recognition to authenticate users, with some applications even using voice recognition.
But as developers and users are discovering, not all biometric methodologies are equally suited for all applications. We have to consider factors such as risk level, cost, operating environment, and targeted population to determine if a particular biometric modality is better suited than another for an intended application. And along with the technology, a host of policy issues such as privacy, consent, and trust have emerged.
We had hoped to convene another comprehensive biometrics conference this fall but due to the COVID-19 restrictions on group gatherings, we have postponed the event and hope to convene it in the fall 2021. We continue to seek ways to fulfill the RPRF's mission of research and education on payment risk issues, so will focus on biometrics in our next Talk About Payments webinar, which is scheduled for the afternoon of October 29.
We are excited to have James "Jim" Loudermilk as our guest in discussing the current state of biometrics in authentication as well as related policy issues. Jim was a technology executive with the Federal Bureau of Investigation for 21 years, where he represented the bureau nationally and internationally on identification and innovation issues. He was a member of the FBI Biometric Steering Committee and represented the FBI with the National Science Foundation Center for Identification Technology Research. Jim is highly regarded by his peers for his knowledge of biometrics and their applications.
I hope you will join Jim and me as we discuss all things biometrics on October 29 from 3 to 4 p.m. (ET). The webinar is open to the public and free of charge, but you must register in advance to participate. Once you've registered, you will receive a confirmation email with login and call-in information. You can register here or through our Talk About Payments web page. If you have any questions concerning the webinar please direct them to me at David.firstname.lastname@example.org. Jim and I look forward to seeing you on the 29th.
October 5, 2020
Facial Recognition Bias: Reality or Myth?
In an August post, I wrote about some academic reports that had alleged ethnic and gender bias in facial recognition algorithm programs. These reports resulted in some major technology vendors withholding the sales of their facial recognition software to law enforcement agencies in the United States. Fortunately, we have an objective organization to help provide the answer to the question of whether there is bias in facial recognition algorithms.
That organization is the nonregulatory government agency, the National Institute of Standards and Technology (NIST). NIST, under the umbrella of the U.S. Department of Commerce, was founded in 1901 and operates one of the country's oldest physical science laboratories, providing measurements and standards for a wide range of technologies including biometrics. Its mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
Since 2000, NIST has been evaluating the performance of facial recognition algorithms submitted by vendors as part of an ongoing objective measurement effort called the Face Recognition Vendor Test. Testing results are updated and published annually. While vendor participation is voluntary, NIST believes the participants are representative of a substantial part of the facial recognition industry.
The overall testing cycle was composed of three types of facial recognition algorithm testing: one-to-one matching, one-to-many matching, and, the most recent, testing of demographic effects. This testing used a database of approximately 18 million quality facial images representing 8.5 million individuals. The testing included 189 commercial algorithms submitted by 99 developers from companies and academic institutions from all over the world.
The measurements that NIST made were categorized into false negatives (where two images of the same individual are not associated) and false positives (where an image of two different individuals are erroneously identified as the same person). The latter error has far greater consequences, including the risk of giving an unauthorized person access to a secure location or of possibly falsely arresting an individual. The overall results of the testing are too detailed and numerous to list in this post. As one would expect with such a wide set of submissions, the results of the various algorithms ranged from what I would categorize as highly accurate to substandard. I recommend you watch a YouTube video in which Mei Ngan of NIST covers the test results. (The Women In Identity organization produced the video.) I think that, after you see the results, you'll agree with my assessment of whether there is bias in facial recognition: "It depends." Some of the algorithms show no bias and others do, indicating a need for additional improvement in their development.
In my August post, I also raised the issue of how face coverings will affect the performance of facial recognition programs such as those run by the Transportation Security Administration and Customs and Border Protection. NIST has recently tested the algorithms with this restriction and generally found that accuracy was substantially lower, although the developers are making modifications to the algorithms to improve their performance. Ms. Ngan covers this subject in her presentation as well.
Stay tuned for more biometrics information and discussion in our posts, and check out our October 29 Talk About Payments webinar that will feature one of the foremost biometrics experts in the country.
September 28, 2020
Encouraging Password Hygiene
Many offices have closed their doors to protect employees from COVID-19 infections, causing a surge in people working remotely in 2020. This situation has brought data security concerns to the forefront for many businesses. This past blog is a great reminder about the importance of password hygiene to protect valuable data assets. Don't fall victim to credential theft or social attacks.
Practicing good password hygiene such as using strong passwords and never using them for any other application can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigation Report reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.
Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?
Interestingly, while I was pondering this issue, I came across a Wall Street Journal article. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.
So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.
The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.
I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.
Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!
August 24, 2020
Facial Recognition Biometrics: Bruised but Still Standing
So far, 2020 has been a rocky year for facial recognition biometrics. In June, Amazon, Microsoft and IBM delivered a body blow, announcing they would not sell their facial recognition software to law enforcement agencies. They cited a lack of accuracy, a potential for misuse or abuse, and the lack of federal privacy legislation to safeguard individual rights. Widespread use of facial masks due to the COVID pandemic dealt another punch. Masks have generally rendered facial recognition inoperable for any number of applications on mobile phones. The masks have also hobbled the Transportation Security Administration's plans to further automate passenger authentication and check-in processes. Will the technology be able to recover and go another round?
Unfortunately, there is a great deal of misinformation and misinterpretation of studies about the technology behind facial recognition and its use, particularly with regard to claims of racial and gender bias. Critics often point to a 2018 study by MIT and Microsoft researchers in which three facial classification algorithms misclassified the gender of light-skinned males at a rate of less than 1 percent but darker-skinned females as high as 34 percent. Critics of facial biometrics technology have pointed to the research as evidence of bias against various minority groups.
It is important to note that "gender classification" is a very different from "facial recognition," although they are often lumped together in the media. In a gender classification process, a digital facial image of an individual is captured and processed through an algorithm that determines whether the image is that of a male or female. Numerous studies have shown that the accuracy of such classification systems is largely based on the database of images being used to "train" the algorithm—that is, to teach it to properly classify an image. The smaller the database, the less accurate the classification.
In a facial recognition process, the digital image captured by the camera is compared using a recognition algorithm to see if it matches the individual's image in a database or on their identification document. While the top performing algorithms are highly accurate, studies have found that results can vary based on lighting, camera definition, viewing angle, and other factors. While most people think facial recognition is new technology, the casino industry has used it to identify banned players since the 1990s.
In a future post, I will discuss the findings of the National Institute of Standards and Technology in its 2020 evaluation of more than 200 facial recognition algorithms. The promising news is that the top performing algorithms showed no discernible bias.
While there are certainly privacy and other issues connected to facial recognition and other biometric technologies, I believe objective education and discussions can address these issues. So I think the technology is not on the ropes but is ready to go another couple of rounds.