“A palm print adds convenience to the payment because it is unique to you, it is (hopefully) unlikely to be lost or stolen, and you have it with you at all times,” financial tech expert and advisor David Shipper told Lifewire via email. “So it scores very high from a convenience standpoint. However, there is always a risk to handing over personal biometric information to a third party. From a risk standpoint, storing that information encrypted on a personal device is likely more secure.”
Convenience Isn’t Everything
It is possible to do all this without storing your palm print. Instead, when it’s first scanned, the system converts the scan cryptographically into a hash or a code that cannot be reversed to recreate your palm print. When you pay, the scanning machine does the same thing again. It scans, creates a hash, and compares the hash to the one it has on file. If they match, you can pay.
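The enroll-then-compare flow described above, as an added Python sketch (not code from the article or from any payment system). The feature vectors, the quantization step `CELL`, and the PBKDF2 work factor are assumptions standing in for whatever a real scanner extracts and uses.

```python
import hashlib
import hmac
import os

CELL = 8            # assumed quantization step: readings in the same cell hash identically
ROUNDS = 100_000    # PBKDF2 work factor (assumed value)


def quantize(features):
    """Map each 0-255 feature reading to its cell index, absorbing small sensor noise."""
    return bytes(v // CELL for v in features)


def _digest(features, salt):
    return hashlib.pbkdf2_hmac("sha256", quantize(features), salt, ROUNDS)


def enroll(features):
    """Return the record kept on file: a random salt and a one-way digest, never the scan."""
    salt = os.urandom(16)
    return salt, _digest(features, salt)


def verify(features, record):
    """Hash a fresh scan the same way and compare digests in constant time."""
    salt, stored = record
    return hmac.compare_digest(_digest(features, salt), stored)


# Constructed sample feature vectors (not real biometric data).
ENROLLED = [34, 77, 120, 201, 12, 58, 145, 99]
SAME_PALM = [35, 78, 121, 203, 13, 57, 146, 100]   # small noise, same cells
BOUNDARY = [34, 77, 119, 201, 12, 58, 145, 99]     # one reading slips into the next cell
OTHER_PALM = [90, 14, 200, 33, 160, 71, 8, 222]

if __name__ == "__main__":
    record = enroll(ENROLLED)
    print("same palm :", verify(SAME_PALM, record))
    print("boundary  :", verify(BOUNDARY, record))
    print("other palm:", verify(OTHER_PALM, record))
```

The `BOUNDARY` scan is rejected even though it differs from the enrolled one by a single unit in one reading, because any change to the hashed input yields an unrelated digest.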
Biometric Dangers
But there are multiple problems that accompany using and storing biometrics. One is that sometimes they can be stolen. In 2015, the US Office of Personnel Management was hacked, and the hackers stole the personnel data records of 20 million US government employees, including fingerprint files for 5.6 million. And there’s nothing anyone can do about that. If your credit card is stolen, you can change the number, but none of those 5.6 million people can change their fingerprints. And it works the other way too. “Passwords can be backed up, but if you alter your thumbprint in an accident, you’re stuck,” writes security expert Bruce Schneier on his blog.
However, it’s not all bad news for biometrics. Apple’s Face ID and Touch ID take a different approach. They store your face scan or fingerprint details in a ‘Secure Enclave’—a separate hardware vault that is not accessible from the rest of the phone. When the phone scans your face, it asks the Secure Enclave if the scan matches, and the answer is either ‘Yes’ or ‘No’. Even if an attacker has access to your phone, they cannot extract a fingerprint or face scan. Once the authentication is done on the device, the phone makes a regular credit card payment. It’s much safer and just as convenient.
And who knows where your data will end up, even if it isn’t stolen? “As we’ve seen with the online behavioral advertising and the data broker industries, every bit of data about us that is surrendered to tech companies—online or in real life—is shopped around for the convenience and profits of the companies,” Sharon Polsky, president of the Privacy and Access Council of Canada, told Lifewire via email.
“And the proliferation of unregulated digital and surveillance systems, and the shifting public policy to collect data ‘for good’, it’s not unlikely that the biometrics we use to purchase groceries will soon be able to be used against us.”
If there’s one thing we’ve learned from the internet, it’s that companies cannot be trusted not to exploit these valuable troves of data. So, think very carefully before giving up your biometrics, because you may never be able to get them back.