Categories
Uncategorised

“My Plaid” and how DeFi identity is coming to disrupt Open Banking

Was intrigued to read in the latest Fintech 🧠 Food that @Plaid has launched a beta product called My Plaid (http://my.plaid.com) that allows users to see which companies they are sharing their financial data with 🧐

Naturally, I wanted to take it out for a spin…

For now, it doesn't seem to have the capability to see which companies have access to data. You can only add accounts, like any personal finance app out there, and see an aggregated view of accounts.

So, nothing *too* differentiated for now 🤷🏽‍♂️

Where it breaks down potentially is that this will likely only work where the origin/destination of financial data uses Plaid APIs.

The alternative – as @ACTobin from @evernym put it – is to “make the user their own API” 💡

And THAT is why I'm bullish about the application of #selfsovereignidentity in #fintech:

1. It goes beyond the scope of what data is available under Open Banking (mostly current accounts & credit cards)
2. It doesn't rely on a single, proprietary vendor like Plaid to work

In a way, I'm glad Plaid is doing this now because it demonstrates clear product-market fit and demand for digital identity services, that we *can* solve in a more efficient and privacy-preserving fashion @cheqd_io 👍🏽

It’s taken SEVEN years since Open Banking regulations were defined in Europe to get to any semblance of consistent access for users being able to take their current/card account data elsewhere.

And this has arguably been GOOD for competition and more consumer choice.

If the financial services industry tried to solve data portability with traditional means, I can see this taking another half a decade.

Do we really want to wait that long? Or will we see bolder fintechs embracing new standards in DeFi identity eat the lunch of incumbents again?

Originally tweeted by Ankur Banerjee (@ankurb) on 22 August 2021.

Categories
Technology

Good and bad takes on Amazon’s in-store biometrics

I’m seeing a lot of takes (some good, some bad) about Amazon’s incentive to register palm prints for its stores in exchange for $10. A 🧵on some of the biometrics and tech behind this – and why some of the takes get implications wrong 👇🏽

For starters, it’s an imbalance on whether it entices certain demographics to give up personal biometric data in return for $10.

This kind of asymmetric power *needs* to be looked at closely, on how that data is used in the future.

“Amazon stores biometrics in the cloud”

What is often not appreciated in this is that biometrics are often stored as mathematical templates; equivalent to “hashes”. A biometric hash CANNOT be used to reconstitute the original hand, fingerprint, or palm print. This is low risk.

If you think of traditional methods of storing passwords, they are often “salted” (add some random data) and then “hashed”.

This is also often how biometric templates are stored. ✅

If there’s a data breach, the templates are useless to a hacker in reusing at a different place.

⚠️ However, this is ONLY secure and private if the company registering biometrics ONLY stores this as a biometric template. It should NOT store the original image/picture of the hand or palm print. 🖐

The analogy here is similar to passwords, where best practice is to never store the original plaintext password, and to only ever store it as a salted and hashed version of the password. ✅

So even if Amazon or any other system stores biometric templates in the cloud, the risk is the same as losing securely stored password hashes: they are useless to a hacker.

It’s all the OTHER data with personal information that’s more useful to hackers.

How does Amazon One compare to on-device biometrics like Apple Touch ID or Face ID? 🤔

The main difference is Touch/Face ID can ONLY be used for 1:1 matching with a single person.

Something like Amazon One which is a central system can be used for 1:1 matching (“give me access to my own account”)

But it can also be used for 1:many matching (“does this palm ✋ print belong to a known fraudster?”)

(How and who decides who is a “known fraudster”?)

Then there’s how Amazon One works, or most biometrics in general.

As a biometrics operator, you want to prevent fraudsters from taking a picture and showing it to a scanner.

⛔️ This is a risk with finger and palm prints…if someone is targeting a specific individual.

As a fraudster though, you’d want to maximise returns and minimise the effort.

Lifting physical finger or palm prints at large scale is *hard* to do.

Amazon uses vein prints, which also can check for something called “liveness”: it’s not just a static image, but can also see if there’s realistic motion that would happen with blood flowing through an actual human’s palm.

This makes it very hard to spoof by a fraudster.

Even if someone had my fingerprints or palm prints, that’s not the same kind of data as my vein patterns.

And even if they had pictures of my vein patterns, it’s hard to spoof the motion associated with vein prints.

TL;DR: the way Amazon One uses vein prints from a palm ✋is secure and follows best practices.

SHOULD they be doing this and whether it’s creepy is a different question that comes down to what’s acceptable in this context by society and users.

(E.g., people don’t mind doing this for passports or border control. They also have no choice in that scenario, whereas Amazon One biometrics is an opt-in programme)

If you’ve stuck by this far (thank you 🙏🏽), would YOU register and give your biometrics to Amazon for entering their grocery stores?

Originally tweeted by Ankur Banerjee (@ankurb) on 6 August 2021.