How much is your palm print worth?
Our take on Amazon’s $10 promotion to capture customers’ biometric data
Last week, Amazon launched a new promotion offering consumers $10 if they registered their palm print with Amazon’s Amazon One biometric device. Amazon One allows customers at its physical stores to create a “palm signature” and tie it to their credit card and Amazon account. The e-commerce giant is trying to attract consumers to Amazon One payments by offering Amazon discount rewards and touting it as a contactless payment method, which is especially attractive as COVID-19 fear is rising again with the spread of the Delta variant.
Biometric data has been an exciting development in our industry. A palm print is a pretty compelling way to identify someone, especially if you can link it to their identity on the back-end. And who isn’t tired of remembering countless passwords, including different combinations of numbers and special characters? The fingerprint and facial recognition technology that became popular on our iPhones was certainly a welcome addition to my life.
So, what’s the problem?
The great thing about Apple’s use of biometric technology is that your fingerprint and Face ID are only stored on your device itself. That means that if Apple were ever to get hacked, your fingerprint and Face ID would not be compromised. In fact, your iPhone doesn’t even store your image; it stores a mathematical representation of your features. Other applications on your phone make use of this secure data, too. If you use Face ID on your banking app, for example, the app is actually pulling from your Apple Face ID, not storing your biometric data itself.
What makes Amazon’s use of biometric data — in the form of your palm signature — problematic is that they will store that data themselves in the cloud. This poses a huge security risk for anyone who creates an Amazon palm signature. When Amazon (inevitably) gets hacked, your palm signature can get compromised right along with the rest of their data; and unlike a password that you can change, your palm print is not something you can update. As a result, when Amazon is breached, consumers could lose a lot more than $10 with their biometrics floating around on the open internet.
The power of behavioral biometric data
I have my reservations about biometric data, but I’m not a total hater. In addition to what you might think of as biometric data (facial recognition, fingerprints, etc.), there’s also behavioral biometric data, which looks at a user’s behavior patterns. This data can be incredibly useful for identity verification and transaction monitoring because each person’s way of interacting with a device is unique.
For example, if an account application is being filled out with every field being completed automatically or with the exact same typing cadence, that may be a flag. Or if the user is copying and pasting every single field, that may be another flag. Some of our clients put this functionality to use and see great results weeding out potential fraudsters and even saving some users from the friction of another two-factor authentication cycle if they are verified in the background.
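The flags described above can be expressed as a small scoring routine. This is an added example, not code from the original post or from any vendor product; the telemetry layout, field names, flag names and thresholds are assumptions, and the sample sessions are constructed.

```python
from statistics import mean, pstdev

# Constructed telemetry: per form field, whether the value arrived by paste
# and the gaps (ms) between keystrokes. Layout and names are assumptions.
HUMAN = {
    "name":  {"pasted": False, "gaps_ms": [142, 96, 231, 118, 305, 87]},
    "email": {"pasted": False, "gaps_ms": [110, 178, 95, 260, 133, 149, 420]},
    "ssn":   {"pasted": True,  "gaps_ms": []},
}
SCRIPTED = {
    "name":  {"pasted": False, "gaps_ms": [50, 50, 50, 50, 50, 50]},
    "email": {"pasted": False, "gaps_ms": [50, 50, 50, 50, 50, 50, 50]},
    "ssn":   {"pasted": False, "gaps_ms": [50, 50, 50, 50]},
}
PASTED = {f: {"pasted": True, "gaps_ms": []} for f in ("name", "email", "ssn")}

MIN_KEYS = 4   # assumed: fewer gaps than this is too little to judge cadence
MIN_CV = 0.10  # assumed: variation below 10% of the mean looks machine-like


def cadence_cv(gaps):
    """Coefficient of variation of inter-key gaps, or None if too short."""
    if len(gaps) < MIN_KEYS or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def review_flags(session):
    """Return the set of behavioral flags raised by one form session."""
    flags = set()
    if not session:
        return flags
    fields = list(session.values())
    # Copy and paste used for every single field.
    if all(f["pasted"] for f in fields):
        flags.add("every_field_pasted")
    # Every typed field shows a near-constant rhythm.
    cvs = [cv for f in fields
           if (cv := cadence_cv(f["gaps_ms"])) is not None]
    if cvs and all(cv < MIN_CV for cv in cvs):
        flags.add("uniform_typing_cadence")
    # Values appeared with no paste and no keystrokes: filled automatically.
    if all(not f["pasted"] and not f["gaps_ms"] for f in fields):
        flags.add("filled_without_input_events")
    return flags


if __name__ == "__main__":
    for label, s in (("human", HUMAN), ("scripted", SCRIPTED), ("pasted", PASTED)):
        print(label, sorted(review_flags(s)))
```

A single pasted field, as in the `HUMAN` session, raises nothing; only a pattern across the whole form does, which is what lets a verified user skip the extra authentication step.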
My takeaway
The existing capabilities to identify someone based on their biometrics (fingerprinting, facial recognition, behavior) can be useful but should be used with caution. Adding yet another form of biometric data when other proven, less (albeit only slightly) intrusive solutions exist is at best unneeded and, at worst, irresponsible, especially given that Amazon is storing this new biometric data in the cloud, outside of the user’s control. The bottom line: a Near Field Communication (NFC) tap would be just as quick and contactless, and a lot more secure.