Apple's TouchID is brilliant - I now use it not only to unlock my phone, but also to log into my Amazon account. I can also use it to log into my Amex app and my bank's mobile banking app. And of course, it is the way to initiate Apple Pay transactions. The only trouble is that none of those providers can be assured that it is really me doing all of this. TouchID allows registering up to 10 different fingerprints, and authenticates the user locally by matching his or her fingerprint to the registered templates. However, authentication is not the same as identity - banks and other apps know it is someone authorised to use that phone, but they don't know it's me, Zil Bareisis. It is likely to be me, but it could also be my wife or my kids. It could even be a total stranger if in some bizarre bout of insanity, I allowed them to register their fingerprint with my phone.
The Telegraph reported last week that the UK banks are very much aware of this issue and have decided to take a hard stance:
"Banks have warned customers that if they store other people's fingerprints on their iPhones they will be treated as if they have failed to keep their personal details safe.
This means the bank can decline to refund disputed transactions or refuse to help where customers claim they have been victims of fraud."
According to the paper, "the banks' position is typically buried in the detail of bank account Ts & Cs", something that, as we all know, most people accept without reading in detail. I can appreciate the banks' concerns, but I wonder if they are somewhat overblown. Although this will change in time, most Apple Pay transactions in the UK are still capped at the contactless limit (£30). Any of my family members today can take my contactless card and use it as contactless without any PIN. I haven't heard too many suggestions that I should keep my card locked away from my family members. However, if this were to happen, I should be prepared to accept my family's transactions and not report them as fraud.
I am no legal expert, but it doesn't feel like inserting protective statements within T&Cs is the way forward. First, it's not very transparent. Second, if the issue were to arise, it is something that would not be easy for banks to prove. Could consumers just delete all the other fingerprints in case of a dispute? Finally, it's just poor customer service.
Instead, banks should invest in educating consumers about digital technologies and how to use them safely and responsibly. Even if it's as basic as, "don't allow strangers to register their fingerprints on your phone" and "be prepared to accept your family's transactions and not dispute them as fraud." As the value of Apple Pay transactions grows, banks ought to consider deploying additional techniques, such as behavioural analysis, to authenticate the users and minimise fraud. As with most security, a multi-layered approach is likely to work best.