IN THE PIPELINE: Startup Seeks E-Commerce's Holy Grail
Tiny biometrics startup TouchCredit Financial Services Inc. has its eye on the Holy Grail of e-commerce: instantaneous, fraud-free transactions.
TouchCredit, a closely held, 10-employee Los Angeles company, says its technology can verify consumers' identities expertly through the sound of their voice, the way they type on a keyboard or by their fingerprint. And it says it can speed online shopping dramatically.
Fraudulent purchases are a serious problem online, because thieves can easily use stolen credit-card numbers without having to face a sales person or sign a slip. Fraud unnerves consumers, robs merchants and weighs on the growth of e-commerce.
Merchants, who are liable for online fraud, have mainly fought back with sophisticated software that sniffs out and rejects fraudulent orders. But that's an imperfect system that can block legitimate sales. Merchants accept the tradeoff because of the high cost of fraud and the fact that banks will take away their ability to accept credit cards if their fraud rates go too high. Research firm Gartner Group estimates U.S. e-tailers last year lost $1.64 billion to fraudulent sales and turned their backs on $1.82 billion in good sales that looked suspicious.
Many experts consider a system for verifying buyers' identities the next frontier in the fraud fight, but it has been hamstrung by consumers, who say they want more security but resist extra steps in the purchase process that would give it to them. U.S. consumers have little reason to compromise because, by law, they can't be held liable for more than $50 in fraud losses and, in practice, they typically enjoy zero liability.
Enter TouchCredit, which verifies users through unique personal characteristics. Because these items represent something you are, rather than something you know, such as a password or pin, they offer stronger security. Biometrics can't be easily broken or written on a Post-It note for prying eyes. And because biometrics are so reliable, TouchCredit can tie them to private information for online checkout forms, reducing the time it takes to make an online purchase to 15 to 30 seconds from the usual three to five minutes.
TouchCredit argues this technology would be a boon to online merchants and financial-services companies. But it faces no shortage of obstacles, chief among them consumers' privacy worries and big players' skepticism that this unknown company can succeed where the larger and more powerful have failed.
But TouchCredit's shopper-authentication system, which took three years and $1.6 million to develop, offers creative answers to the technical and psychological problems that have stymied other such systems.
Visa International's Verified by Visa and MasterCard Inc.'s SecureCode, perhaps the best stabs at it so far, are fairly unobtrusive programs but involve an extra step: typing a pin into a pop-up window. It doesn't take long, but industry insiders say cardholder interest in those programs has been disappointing.
Now TouchCredit just needs to convince a corporate heavyweight that its technology is the better answer.
"Once this is deployed by one major bank or institution or (credit-card) association, everything else will be considered a disadvantage," said TouchCredit founder and Chairman James Uberti. "Faster, more convenient, easy - that's what people want."
First Customer
TouchCredit got one step closer in June, when it announced its first customer - and test case - e-check processor Electracash Inc., of Long Beach, Calif. In late July, the payments company began offering TouchCredit's service to its 550 online merchants as a way to reduce fraud, and a half dozen are now gearing up to use it, said Lee Falls, its chief executive.
"They have figured it out when others haven't because they had nothing to lose" by discarding the status quo, said Edward Horowitz, the former chairman of e-Citi, the Citigroup Inc. (C) unit that was charged with getting the bank online, and a member of TouchCredit's advisory board. Horowitz, now chairman of his own venture capital and consulting firm, EdsLink LLC, of New York, hasn't invested in TouchCredit, but he said he has introduced the company to several large financial institutions, including Citigroup and Visa.
Despite these connections, TouchCredit could still face a tough sell to a skeptical crowd.
"I can't imagine that it's good enough for prime time," said Gartner Group's e-payments industry analyst Avivah Litan. "Even if it was foolproof, they have an adoption problem."
Technology and human nature have been major impediments to broad consumer adoption of authentication systems. The technology needs to be fast, easy to use, workable without additional hardware and nearly perfect at both letting authorized users in and rejecting pretenders. Consumers must also be assured that their sensitive personal data will be safe from hackers, corporate interests and Big Brother. Moreover, there need to be compelling carrots and effective sticks for all the critical parties - consumers, merchants, banks and credit-card associations.
TouchCredit claims to have figured it all out. Uberti says its system can verify a registered user in 3.3 seconds using any of three devices already available for users' PCs: a fingerprint reader, a microphone, or the ubiquitous keyboard. Next year, the company also plans to make use of video cams for facial recognition.
Consumers need not worry about their privacy, he says. For one, they won't have to trust TouchCredit to safeguard their data because the company won't store it. Rather, it will work direct links to the financial institutions consumers already trust. Those institutions will also determine the content and difficulty of the registration process, which involves a short quiz that can contain questions unanswerable with stolen credit reports.
After passing the quizzes, users download TouchCredit's software and record the biometrics that will verify them in the future, either by touching their finger to a print reader, speaking 12 to 16 numerical phrases or typing a username and password eight to 10 times. There will be no need to remember anything, TouchCredit says. The voice system prompts users to say a randomly generated number phrase, and it won't hesitate to divulge the usernames and passwords used by the keystroke system because the typing rhythms - which the company says are unique to every person - provide strong enough security.
'Virtually Impossible' To Break System
TouchCredit also says none of these biometrics can be used to invade users' privacy. The fingerprint technology it gets from SecuGen Corp., Santa Clara, Calif., doesn't capture images that can be stored or shared. Rather, the reader generates a number that then works like a passcode. Its speech-recognition biometric, made by NGM TECH Inc., Newtown, Pa., uses changing number phrases so fraudsters can't use illicit recordings of their victims' speech. And the keystroke software, though it does capture typed words, can't in its current form be used for eavesdropping, says BioNet Systems LLC, Bellevue, Wash., which makes that technology.
Uberti claims it's "virtually impossible" for a fraudster to break the system. Besides the inherent difficulty in foiling a biometric, TouchCredit also matches that biometric during verification to a unique identifier implanted in users' PCs. Thus, a fraudster would have to beat the biometric and steal the user's laptop or get into his house.
In fact, TouchCredit's biggest problem is that it might frustrate bonafide users by turning them away too often. This is an issue for voice and keystroke biometrics especially, because users need to behave similarly each time they log in. Its answer is to require less user accuracy for low-priced purchases and more for high-priced ones.
"If you can type you can use it," says Andrew Tull , executive vice president of sales and marketing at BioNet, of the keystroke biometric. "That doesn't mean at the end of your four-martini lunch you can hunt and peck your way in."
生物识别系统夺标电子商务
微型生物统计技术新兴公司TouchCredit Financial Services Inc.的眼睛正瞄著电子商务一块重要领域的冠军奖杯:即时且能避免欺诈的网上交易。
TouchCredit是一家位于洛杉矶,仅有10名雇员的私人控股公司。该公司表示,它的技术能通过消费者声音、敲击键盘的方式或指纹来识别消费者身份,并称这能大大加快网上购物的速度。
欺诈是网上购物面临的一个重要问题,因为诈骗者可以轻易使用偷来的信用卡购物,而无需与销售员面对面签单。欺诈使消费者提心吊胆、商家利益受损并对电子商务的成长造成打击。
商家要对网上欺诈负责,它们主要通过发现并拒绝欺诈订单的尖端软件来应对欺诈。但这也是一个不甚完善的系统,会阻止一些合法交易。但商家只能接受这种折衷的方案,因为为欺诈购物所付成本极高,而且如果公司欺诈率过高,银行可能会取消公司接受信用卡结帐的权利。研究公司Gartner Group估计,美国电子交易商去年因网上欺诈而损失了16.4亿美元,同时拒绝了18.2亿美元可疑交易。
许多专家正在考虑用一种识别消费者身份的系统作为应对欺诈的最新武器,但此举却遭到消费者的反对。消费者称,他们需要更多购物安全保障,但反对增加网上购物步骤。美国消费者没有理由让步,因为根据相关法律,就算出现欺诈损失,消费者最多承担50美元,而在实际操作中,他们根本就无需承担任何损失。
TouchCredit则是利用独特的个人特性来识别消费者。由于这些特性是人本身的组成部分,而不是人知道的某些事情,如密码或个人识别号码,所以安全性更强。生物统计特性不能轻易被破解或被贪婪窥视的眼睛看到并记在告示贴上。由于生物统计特性如此可靠,TouchCredit可以将之与网络检测格式的个人信息相互结合,可以使一宗网上购物所需时间由目前的3-5分钟降至15-30秒。
TouchCredit表示,该技术对网上商家及金融服务公司来说是一个福音。但该技术也并非没有任何阻碍,主要的障碍就是消费者对私人信息的担忧,及大型公司对这家不知名的小公司能在诸多大公司纷纷落马的领域取得成功所表现出的怀疑。 但TouchCredit耗费三年时间及260万美元开发的这套生物统计识别系统却为打垮其他类似系统的技术及心理难题都找到了创造性的答案。
威士国际组织(VISA International)测试的Visa及MasterCard Inc.的SecureCode可能是迄今为止最好的安全系统,程序相当友好,但多了一个步骤:在弹出的窗口中敲入一个个人识别号码。这不需要多长时间,但业内人士称,信用卡持有人对此却颇感失望。
现在TouchCredit仅仅需要说服一家重量级公司,其生物统计测试系统是一个更好的解决方案。
TouchCredit创始人、董事长詹姆斯.尤博提(James Uberti)称,一旦公司这项新技术被一家大型银行、机构或信用卡联盟应用,其他系统都将相形见绌。更快、更方便、更容易──这些正是人们所期待的。
第一个客户
今年6月份TouchCredit朝著上述目标迈进了一步,当时公司宣布赢得了第一个客户:电子支票处理商Electracash Inc.。7月末Electracash 开始向其550家网上经销商提供TouchCredit的服务,以便减少网上欺诈,其中有6家正准备使用TouchCredit识别系统。
原e-Citi董事长兼TouchCredit顾问艾德华.豪威兹(Edward Horowitz)称,这些经销商发现了该识别系统的优势。e-Citi是花旗集团(Citigroup Inc., C)旗下处理网上银行业务的子公司。豪威兹目前担任他自己的风险投资及谘询公司EdsLink LLC的董事长,他并未投资TouchCredit,但称,他将该公司介绍给了包括花旗集团及Visa在内的几家大型金融机构。
尽管有这些联系。面对充满怀疑的大众,TouchCredit的销售仍困难重重。
Gartner Group电子支付行业分析师阿威瓦.利坦(Avivah Litan)称,这不能算良好的开始。就算该系统极为简便可靠,但仍需面临一个如何让大众接受的问题。
科技及人性本能是这套生物测试识别系统被广泛接受的主要障碍。现在的技术要求识别变得更快、更易使用,无需配备其他硬件,并在允许授权用户及阻止伪装侵入者方面要同样接近完美。而客户则需要确保他们敏感的个人数据不会因电脑黑客、公司利益及垄断者而变得不安全。而且,公司还需要为批评各方:消费者、商人、银行及信用卡联盟,亮出更为诱人的优势,并施以更为有效推动举措。
TouchCredit则表示早就解决了这些问题。尤博提称,其生物测试识别系统可以在3.3秒钟内识别一个注册客户,使用的设备是客户个人电脑上通常早已配备的三种设备:一个指纹读取机、一个麦克风及一个普通键盘。明年公司还计划使用视频镜头进行面部识别。
他称,消费者不用担心他们的私人信息。其时,他们无需信任TouchCredit来保卫他们私人数据的安全,因为该公司根本就不会存储这些数据。相反该系统直接与早已取得客户信任的金融机构相连接。那些金融机构将确定识别内容及难度,其内容包括一些个性问题,偷信用卡的人不可能答对这些个性问题。
通过这些个性问题测试后,用户可以下载TouchCredit软件,并通过在指纹读取机上留下指纹、读12-16个短语或敲入用户名和密码8-10遍来纪录其生物个性特徵,以用于日后识别。而用户无需记住任何东西。声音系统会提示用户说出一个随机产生的短语,生物测试识别系统也不用担心泄露键盘敲打识别系统所用的用户名及密码,因为据公司称,每个人敲击键盘的节奏都是不同的,这提供了强大的安全保障。 生物统计识别系统不可破解
TouchCredit还称,这些生物测试特徵都不会被用来窃取用户的私人信息。从SecuGen Corp.获得的指纹技术无需留住任何可能存储或共享的图像。其声音识别系统由NGM TECH Inc.提供,使用不断变化的短语,仿冒者不可能利用预先违法录制的用户声音 混过关。而制造键盘敲打识别技术提供商BioNet Systems LLC 则表示,虽然使用用户此前输入的词,但仿冒者不可能以同样状态敲入这些字母。
尤博提表示,仿冒者没有可能突破该系统。除了生物特性本身的破解难度外,TouchCredit还将生物识别技术与用户的个人电脑中置入的特殊识别器相配合。如此一来,仿冒者只有突破生物识别系统并窃取用户的手提电脑或进入用户居所才能得手。
事实上TouchCredit的最大问题是:可能会因频繁将真正的用户拒之门外而令人沮丧。尤其是对声音及键盘敲击识别来说,因为用户每次登录都需要表现得与录入信息时状态相仿。公司对该问题的答复是:低金额交易所需准确度较低,但金额较高的交易需要的准确度极高。
BioNet负责销售及市场推广的执行副总裁安德鲁.塔尔(Andrew Tull)称,如果你会打字就能使用键盘敲击生物识别系统,但这并不意味著你喝完四杯马提尼酒后,你还能正常敲击进入交易系统。
