Using thumbprints to prevent ID fraud

If you're worried about identity fraud, you can prevent it -- at least in the UK -- by requiring a thumbprint to verify any transaction that requires a credit check. Jamie Jamieson has been using the idea for 13 years.

Fingerprint

Constable Fowler, from the Northern Constabulary in Inverness, Scotland, might have prevented massive amounts of credit card and cheque fraud, if his award-winning thumbprint signature scheme had been widely adopted. Today, Jamie Jamieson, a 69-year-old former GCHQ worker, might be the only user. However, anyone can use thumbprints to prevent ID fraud in the UK. Elsewhere, it depends on the co-operation of the credit checking companies.

​As phone phishing grows, can bank biometrics screen out the scammers?

With the victims of phone phishing scams often left out of pocket, biometric security may ultimately offer banks the best option for eliminating this growing type of fraud.

Read More

The citywide scheme in Inverness asked shoppers to leave a thumbprint to guarantee their cheque and credit card purchases. The thumbprint was held temporarily by the retailer, and not given to the police unless the transaction proved to be fraudulent. This reduced fears of a Big Brother-style database, and most buyers were willing participants.

In the first six months, the Inverness Thumbprint Signature Scheme reduced credit card fraud by 84.3 percent and cheque fraud by 70.6 percent. The number of thefts of "handbags, purses, wallets etc" also fell by 64.5 percent, according to the schemes Tilley Award summary (PDF).

That was back in 2002. Obviously, the idea failed to take off. However, it did inspire Jamie Jamieson to create his own system. What he did was send a "notice of correction" to the main credit reference agencies -- Experian, Equifax, and Callcredit -- to say that he would authenticate his own deals with a thumbprint. Therefore, he told them, "Any application without a thumbprint should be considered fraudulent."

Of course, Jamieson has to carry around his own small gel pad to provide the thumbprint required. Someone attempting ID fraud would be unlikely to have a pad handy, or, when asked for a thumbprint, would be unlikely to leave one.

Jamieson's idea was featured on BBC Radio 4's Money Box in March 2004, with a brief follow-up in 2007. It was also covered in IDG's Techworld in 2005 and by Haymarket's SC Magazine in 2007. This weekend, it reappeared again as the front-page story in the Money section of the Guardian newspaper, which is what prompted this post.

iphone-5s-touch-id-vertical.jpg

Apple's Touch ID helped make fingerprint recognition popular on smartphones like the 5s

Image: Apple

Jamieson's idea works because adding a "notice of correction" means his credit checks cannot be handled automatically by computers: they have to be processed manually. This could cause delays, though Jamieson says that hasn't been a problem.

Unlike the Inverness scheme, Jamieson's system doesn't apply to normal purchases. It's only invoked when the transaction requires a credit check. This includes taking out mortgages and loans, opening bank accounts, applying for credit cards, and signing mobile phone and similar contracts.

Neil Munroe, an expert on credit reporting, told the Guardian: "It's workable if you're not 'credit active'. That's where Jamieson is coming from, he wants to protect himself. I wouldn't necessarily advocate it for everyone, but it does have merits in certain circumstances."

This is different from some American banks requiring users to put a thumbprint on the front of checks. This aims to protect the bank rather than the customer.

Of course, if you pay for things using a smartphone, your security may already be protected by your thumbprint, if that is what you use to unlock your device. In the future, it may depend partly on face recognition, as mobiles move to systems similar to the Samsung Galaxy S8's Face Unlock feature and Windows 10's Hello.

However, users should be aware that a biometric -- whether it's a fingerprint, an iris scan, or face or voice recognition software -- is the equivalent of a logon name or identity. It is not a password. You can change a password.

If a biometric is used to unlock a phone, the payment system should ideally be protected by a separate PIN, password or pattern, at least when transferring significant amounts of money. However, the trend is towards faster and more frictionless payments. With the contactless cards I use most of the time now, there is no verification at all -- no signature, no biometric, no PIN, no password -- for sums up to £30/€34/$40. I just "wave and pay".

PREVIOUS AND RELATED COVERAGE

This bank data stealing Android malware is back - and it's now even sneakier

BankBot trojan malware waits twenty minutes after the app is used before moving to run its payload.

Ex-NSA hacker drops macOS High Sierra zero-day hours before launch

The vulnerability lets an attacker steal the contents of a Keychain -- without needing a password.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All