IMAGE: JOHN WEBER

He stole the identities of the world’s rich and famous—Paul Allen, Oprah Winfrey, Steven Spielberg, Warren Buffett, and Larry Ellison, to name a few. Until the New York City police busted 32-year-old Abraham Abdallah, it seemed that a diabolically gifted hacker, not a busboy at a Brooklyn restaurant, had masterminded this multimillion-dollar caper.

However, a tattered copy of a Forbes magazine featuring America’s 400 richest people found in Abdallah’s possession—along with 800 credit cards—exposed the thief’s simple modus operandi. Here were his targets, listed in order of their net worth, some with Social Security numbers and credit card information scrawled right next to their names. Investigators soon discovered that Abdallah had obtained most of this information from the Internet, as well as from credit bureaus Equifax, Experian, and TransUnion, by sending queries on the forged letterhead of several top investment banks.

With birth dates, addresses, and Social Security and credit card numbers in hand, Abdallah would use a computer at a public library to order merchandise online, withdraw money from brokerage accounts, and apply for credit cards in other people’s names. Things started to unravel when he tried to transfer US $10 million from the Merrill Lynch account of software entrepreneur Thomas Siebel. Someone at Merrill Lynch noticed that the same two Yahoo e-mail addresses, both Abdallah’s, had been used in connection with five other clients. Soon after, on 19 March 2001, two New York City detectives wrestled Abdallah out of his car, ending one of the most sensational identity theft sprees in history.

Catching ID thieves is like spearfishing during a salmon run: skewering one big fish barely registers when the vast majority just keep on going. According to data from the Aberdeen Group, Boston, the cumulative losses suffered by tens of millions of individuals and businesses worldwide registered at an estimated $221 billion in 2003. Aberdeen, which assumed an enormous 300 percent compound annual growth rate, projected that losses would rise to an almost unfathomable $2 trillion in 2005. More recent numbers from Javelin Strategy and Research, based in Pleasanton, Calif., indicate a much lower growth rate, at least in the United States, where total losses rose from about $48 billion in 2003 to $56.6 billion in 2005.

Clearly, it is far too easy to steal personal information these days—especially credit card numbers, which are involved in more than 67 percent of identity thefts, according to a U.S. Federal Trade Commission study. It’s also relatively easy to fake someone’s signature or guess a password; thieves can often just look at the back of an ATM card, where some 30 percent of people actually write down their personal identification number (PIN) and give the thief all that’s needed to raid the account. But what if we all had to present our fingers or eyes to a scanner built into our credit cards to authenticate our identities before completing a transaction? Faking fingerprints or iris scans would prove challenging to even the most technologically sophisticated identity thief.

The sensors, processors, and software needed to make secure credit cards that authenticate users on the basis of their physical, or biometric, attributes are already on the market. But so far, the credit card industry hasn’t seen fit to integrate even basic fingerprint-sensing technology with their enormous IT systems. Concerned about biometric system performance, customer acceptance, and the cost of making changes to their existing infrastructure, the credit card issuers apparently would rather go on eating an expense equal to 0.25 percent of Internet transaction revenues and the 0.08 percent of off-line revenues that now come from stolen credit card numbers.

Indeed, only a few companies worldwide have even experimented with biometric credit cards. The best known is the Bank of Tokyo–Mitsubishi. Since 2004, it has issued Visa cards embedded with chips that identify a customer according to vein patterns in the palm. All of the bank’s ATMs have palm scanners that match the imaged vein patterns to a digitized copy of the customer’s vein patterns—called a biometric template—that is stored in the card. But because merchants lack the requisite palm scanners to go with this technology, customers still sign receipts or enter PINs when making purchases with the card.

All biometric systems recognize patterns, such as the veins in your palms, the texture of your iris, or the minutiae of your fingerprints. As researchers who have investigated and engineered numerous biometric devices, we want to propose the broad outlines of a new authentication system for credit cards, based on biometric sensors that could dramatically curtail identity theft. Our proposed system uses fingerprint sensors, though other biometric technologies, either alone or in combination, could be incorporated. The system could be economical, protect privacy, and guarantee the validity of all kinds of credit card transactions, including ones that take place at a store, over the telephone, or with an Internet-based retailer. By preventing identity thieves from entering the transaction loop, credit card companies could quickly recoup their infrastructure investments and save businesses, consumers, and themselves billions of dollars every year.

If credit card issuers don’t act soon, customers, many of whom are becoming increasingly comfortable with biometric technologies, might just force the issue. In the United States, millions of people at hundreds of supermarkets have already given the thumbs-up to services offered by BioPay LLC, Herndon, Va., and Pay By Touch, San Francisco, which let shoppers pay for their groceries by pressing a finger on a sensor mounted near the cash register—no card necessary. Millions more, mostly in Asia, have fingerprint sensors built into their cellphones to act as locks and into their laptops to replace text-based log-ins. All of this activity translates to 29 percent annual growth for a worldwide biometrics market that’s expected to reach $3.4 billion in 2007, according to Research and Consultancy Outsourcing Services, a market research organization based in New Delhi, India. Finger-scanning technology made by companies like Atmel, AuthenTec, Digital Persona, Fujitsu, and Identix will account for almost 60 percent of the total market, the organization estimates. And that market will greatly expand if and when credit card companies get serious about combating ID theft [see photos, “Scanners Galore”].