Constable Fowler, from the Northern Constabulary in Inverness, Scotland, might have prevented massive amounts of credit card and cheque fraud, if his award-winning thumbprint signature scheme had been widely adopted. Today, Jamie Jamieson, a 69-year-old former GCHQ worker, might be the only user. However, anyone can use thumbprints to prevent ID fraud in the UK. Elsewhere, it depends on the co-operation of the credit checking companies.
The citywide scheme in Inverness asked shoppers to leave a thumbprint to guarantee their cheque and credit card purchases. The thumbprint was held temporarily by the retailer, and not given to the police unless the transaction proved to be fraudulent. This reduced fears of a Big Brother-style database, and most buyers were willing participants.
In the first six months, the Inverness Thumbprint Signature Scheme reduced credit card fraud by 84.3 percent and cheque fraud by 70.6 percent. The number of thefts of "handbags, purses, wallets etc" also fell by 64.5 percent, according to the scheme's Tilley Award summary (PDF).
That was back in 2002. Obviously, the idea failed to take off. However, it did inspire Jamie Jamieson to create his own system. What he did was send a "notice of correction" to the main credit reference agencies -- Experian, Equifax, and Callcredit -- to say that he would authenticate his own deals with a thumbprint. Therefore, he told them, "Any application without a thumbprint should be considered fraudulent."
Of course, Jamieson has to carry around his own small gel pad to provide the thumbprint required. Someone attempting ID fraud would be unlikely to have a pad handy, or, when asked for a thumbprint, would be unlikely to leave one.
Jamieson's idea was featured on BBC Radio 4's Money Box in March 2004, with a brief follow-up in 2007. It was also covered in IDG's Techworld in 2005 and by Haymarket's SC Magazine in 2007. This weekend, it reappeared as the front-page story in the Money section of the Guardian newspaper, which is what prompted this post.
Jamieson's idea works because adding a "notice of correction" means his credit checks cannot be handled automatically by computers: they have to be processed manually. This could cause delays, though Jamieson says that hasn't been a problem.
Unlike the Inverness scheme, Jamieson's system doesn't apply to normal purchases. It's only invoked when the transaction requires a credit check. This includes taking out mortgages and loans, opening bank accounts, applying for credit cards, and signing mobile phone and similar contracts.
Neil Munroe, an expert on credit reporting, told the Guardian: "It's workable if you're not 'credit active'. That's where Jamieson is coming from, he wants to protect himself. I wouldn't necessarily advocate it for everyone, but it does have merits in certain circumstances."
This is different from some American banks requiring users to put a thumbprint on the front of checks. That practice aims to protect the bank rather than the customer.
Of course, if you pay for things using a smartphone, your security may already be protected by your thumbprint, if that is what you use to unlock your device. In the future, it may depend partly on face recognition, as mobiles move to systems similar to the Samsung Galaxy S8's Face Unlock feature and Windows 10's Hello.
However, users should be aware that a biometric -- whether it's a fingerprint, an iris scan, or face or voice recognition software -- is the equivalent of a logon name or identity. It is not a password. You can change a password.
If a biometric is used to unlock a phone, the payment system should ideally be protected by a separate PIN, password or pattern, at least when transferring significant amounts of money. However, the trend is towards faster and more frictionless payments. With the contactless cards I use most of the time now, there is no verification at all -- no signature, no biometric, no PIN, no password -- for sums up to £30/€34/$40. I just "wave and pay".