How much is your palm print worth?

Our take on Amazon’s $10 promotion to capture customers’ biometric data

Last week, Amazon launched a new promotion offering consumers $10 if they registered their palm print with its Amazon One biometric device. Amazon One allows customers at Amazon's physical stores to create a “palm signature” and tie it to their credit card and Amazon account. The e-commerce giant is trying to attract consumers to Amazon One payment by offering Amazon discount rewards and touting it as a contactless payment, which is especially attractive as COVID-19 fear is rising again with the spread of the Delta variant.

Biometric data has been an exciting development in our industry. A palm print is a pretty compelling way to identify someone, especially if you can link it to their identity on the back-end. And who isn’t tired of remembering countless passwords, including different combinations of numbers and special characters? The fingerprint and facial recognition technology that became popular on our iPhones was certainly a welcome addition to my life.

So, what’s the problem?

The great thing about Apple’s use of biometric technology is that your fingerprint and Face ID are only stored on your device itself. That means that if Apple were ever to get hacked, your fingerprint and Face ID would not be compromised, and in fact, your iPhone doesn’t even store your image; it stores a mathematical representation of your features. Other applications on your phone make use of this secure data, too. If you use Face ID on your banking app, for example, the app is actually pulling from your Apple Face ID, not storing your biometric data itself.

What makes Amazon’s use of biometric data — in the form of your palm signature — problematic is that they will store that data themselves in the cloud. This poses a huge security risk for anyone who creates an Amazon palm signature. When Amazon (inevitably) gets hacked, your palm signature can get compromised right along with the rest of their data; and unlike a password that you can change, your palm print is not something you can update. As a result, when Amazon is breached, consumers could lose a lot more than $10 with their biometrics floating around on the open internet.

The power of behavioral biometric data

I have my reservations about biometric data, but I’m not a total hater. In addition to what you might think of as biometric data (facial recognition, fingerprints, etc.), there’s also behavioral biometric data, which looks at a user’s behavior patterns. This data can be incredibly useful for identity verification and transaction monitoring because each person’s way of interacting with a device is unique.

For example, if an account application is being filled out with every field being completed automatically or with the exact same typing cadence, that may be a flag. Or if the user is copying and pasting every single field, that may be another flag. Some of our clients put this functionality to use and see great results weeding out potential fraudsters and even saving some users from the friction of another two-factor authentication cycle if they are verified in the background.
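The flags described above can be expressed as simple checks over per-field input telemetry. The following is an added example, not code from this post or from any vendor product; the event layout (`key_times_ms`, `pasted`), the flag names, and the 5% cadence threshold are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Assumed threshold: human inter-key gaps vary widely; a coefficient of
# variation under 5% across a whole form is treated as scripted input.
CADENCE_CV_MIN = 0.05

def inter_key_gaps(fields):
    """Gaps in ms between consecutive keystrokes, pooled over all fields."""
    gaps = []
    for f in fields:
        ts = f["key_times_ms"]
        gaps.extend(b - a for a, b in zip(ts, ts[1:]))
    return gaps

def score_session(fields):
    """Return the set of behavioral flags raised by one form submission."""
    flags = set()
    if not fields:
        return flags
    # Every field received a value with no keystrokes and no paste event.
    if all(not f["key_times_ms"] and not f["pasted"] for f in fields):
        flags.add("ALL_FIELDS_AUTOFILLED")
    if all(f["pasted"] for f in fields):
        flags.add("ALL_FIELDS_PASTED")
    gaps = inter_key_gaps(fields)
    if len(gaps) >= 10:  # too few keystrokes gives no usable cadence signal
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < CADENCE_CV_MIN:
            flags.add("UNIFORM_TYPING_CADENCE")
    return flags

def field(name, key_times_ms=(), pasted=False):
    """Build one field record in the assumed telemetry layout."""
    return {"name": name, "key_times_ms": list(key_times_ms), "pasted": pasted}

# Constructed sample sessions (not real telemetry).
HUMAN = [
    field("name", [0, 140, 310, 395, 620, 700, 930]),
    field("email", [0, 95, 260, 480, 540, 790, 860]),
    field("ssn", pasted=True),
]
SCRIPTED = [
    field("name", [i * 50 for i in range(8)]),
    field("email", [i * 50 for i in range(12)]),
]
PASTED = [field(n, pasted=True) for n in ("name", "email", "ssn")]
AUTOFILLED = [field(n) for n in ("name", "email", "ssn")]
```

A session with no flags is a candidate for skipping the extra two-factor step; a flagged session is a signal for further review rather than proof of fraud, since legitimate users also paste values or use a password manager.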

My takeaway

The existing capabilities to identify someone based on their biometrics — fingerprinting, facial recognition, behavior — can be useful but should be used with caution. Adding yet another form of biometric data when other proven, less (albeit only slightly) intrusive solutions exist is at best unneeded and, at worst, irresponsible, especially given that Amazon is storing this new biometric data in the cloud, outside of the user’s control. The bottom line: a Near Field Communication (NFC) tap would be just as quick and contactless, and a lot more secure.
