Following the news that ‘Amazon has announced a new payment system for real-world shops’, please find a comment below from David Emm, Principal Security Researcher at Kaspersky.
The new Amazon One payment sounds very convenient: you just hold your palm above the reader and it charges your card automatically – no swiping, no PIN, nothing. But to do this, they’re taking biometric data – in this case, a palm – and storing it in the cloud correlated with payment data. Amazon says the data will be encrypted. If we want to bring on the future securely, we must ensure it’s well encrypted, because Amazon One combines identification, authentication and authorisation into a single point. If someone were to steal and decrypt the data from the cloud, they could potentially spoof someone’s identity and spend their money.
The key lies in how the data is being encrypted and stored. Where identification and authentication are separate, for example where a biometric is used to identify you and a PIN is used to verify that identity, anyone stealing the biometric data wouldn’t have a complete set of information or enough to steal people’s money. But in the case of Amazon One, they would have everything they need.
Much safer to keep the two things separate – biometric data to identify you and something else (such as a PIN) for authentication.
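The design point in the comment above can be made concrete. The following is an added illustration written for this page, not code from Amazon, Kaspersky or the article: a toy model of the two designs. A "store" holds each enrolled palm template next to a payment token, standing in for the encrypted cloud record. In the single-factor design, whoever can replay a stored template gets the token. In the two-factor design, the store additionally holds only a keyed verifier of the PIN, never the PIN, and the key for that verifier is assumed to live in a separate component (a hypothetical `PinVerifierService`, standing in for an HSM or PIN-verification service) that a dump of the store does not include. All names, templates, tokens and PINs are constructed, and exact byte equality stands in for a real fuzzy biometric match.

```python
"""Toy model: biometric identification with and without a separate PIN authentication step.

Constructed example. Palm templates, tokens and PINs are made-up byte strings, and
an exact-equality match stands in for a real fuzzy biometric comparison.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    palm_template: bytes                 # enrolled biometric; this is what a store breach exposes
    payment_token: bytes                 # what the terminal needs to charge the card
    pin_salt: Optional[bytes] = None     # two-factor design only
    pin_verifier: Optional[bytes] = None  # keyed hash of the PIN, never the PIN itself


class PinVerifierService:
    """Hypothetical separate component holding the PIN-verifier key.

    Assumption for this example: the key is NOT stored alongside the biometric
    records, so dumping and decrypting the store does not yield it.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def make_verifier(self, pin: str, salt: bytes) -> bytes:
        return hmac.new(self._key, salt + pin.encode(), hashlib.sha256).digest()

    def check(self, pin: str, salt: bytes, verifier: bytes) -> bool:
        return hmac.compare_digest(self.make_verifier(pin, salt), verifier)


def identify(store: dict, template: bytes) -> Optional[str]:
    """Identification only: which account does this palm belong to?"""
    for account, rec in store.items():
        if hmac.compare_digest(rec.palm_template, template):
            return account
    return None


def enroll_single_factor(store: dict, account: str, template: bytes, token: bytes) -> None:
    store[account] = Record(template, token)


def enroll_two_factor(store: dict, account: str, template: bytes, token: bytes,
                      pin: str, pins: PinVerifierService) -> None:
    salt = secrets.token_bytes(16)
    store[account] = Record(template, token, salt, pins.make_verifier(pin, salt))


def pay_single_factor(store: dict, template: bytes) -> Optional[bytes]:
    """Identification doubles as authentication and authorisation."""
    account = identify(store, template)
    return store[account].payment_token if account is not None else None


def pay_two_factor(store: dict, template: bytes, pin: str,
                   pins: PinVerifierService) -> Optional[bytes]:
    """Biometric identifies the account; the PIN must separately authenticate it."""
    account = identify(store, template)
    if account is None:
        return None
    rec = store[account]
    if not pins.check(pin, rec.pin_salt, rec.pin_verifier):
        return None
    return rec.payment_token


def demo() -> dict:
    """Enrol one user both ways, then replay what an attacker would find in a decrypted store."""
    alice_palm, alice_token, alice_pin = b"constructed-palm-template-alice", b"tok_alice", "4821"
    pins = PinVerifierService()

    single: dict = {}
    enroll_single_factor(single, "alice", alice_palm, alice_token)
    two: dict = {}
    enroll_two_factor(two, "alice", alice_palm, alice_token, alice_pin, pins)

    # Breach: the attacker has every field of every record, but not the verifier key.
    stolen_single, stolen_two = single["alice"], two["alice"]
    return {
        "legit_single": pay_single_factor(single, alice_palm) == alice_token,
        "legit_two": pay_two_factor(two, alice_palm, alice_pin, pins) == alice_token,
        # Replaying the stored template is enough in the single-factor design.
        "breach_single_succeeds": pay_single_factor(single, stolen_single.palm_template) == alice_token,
        # The stored verifier does not reveal the PIN, so a replay with a guessed PIN fails.
        "breach_two_succeeds": pay_two_factor(two, stolen_two.palm_template, "0000", pins) == alice_token,
    }
```

The model deliberately leaves out what a real deployment would also need: a short PIN is still guessable online, so the verification service would have to rate-limit or lock out after a few failures, and the biometric match itself has false-accept rates that exact equality hides. The point it does show is the one in the comment: when the store alone is sufficient to pass the check, the store is the whole attack surface; when the second factor is verified elsewhere and stored only as a keyed verifier, a decrypted dump is not enough to spend the money.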
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.