His problem, which lies at the root of e-commerce, is simple: Neither he nor anyone else can identify the person making a purchase on a distant computer. Passwords and PIN codes can be stolen, or even guessed. Know what the most common password is? PASSWORD. For PIN codes it's 0000, followed by 1234.
In an e-commerce arena with such flimsy defenses, fraud is inevitable. It raises costs for the industry and scares away consumers. Falls, whose five-year-old company booked revenues last year of $1.6 million, says his outfit and the industry would be far bigger if they could just verify who their customers are.
OUTSIDE THE BOX. This hope has led him to biometrics -- the machines and programs that identify people from their fingerprints, voices, facial contours, even the gait of their walk. Since the terrorist attacks in 2001, the government has rushed to biometric technology, putting various scanners in airports, defense installations, and border crossings.
Strangely, though, e-commerce has been slow to embrace biometrics, even though it's perhaps the industry that has the most to gain from effective identification technology. The reason: Hardware costs. How many shoppers are ready to fork out $99 for a fingerprint scanner to hook up to their own PCs, just to buy CDs on Amazon or book a trip on Expedia?
Falls wanted biometric technology that didn't require such a hardware purchase. His hunt led him to a Los Angeles startup called Touchcredit. This company provides a software platform that can be plugged into any biometric technology, whether it scans the iris or the heat patterns of the thumb. Most enticing to Falls, though, are the biometric technologies that don't require a separate purchase. One of them measures the typing cadence of the shopper, the other the tone of his or her voice.
POUNDING THE BOARDS. Electracash's contract with Touchcredit, announced on June 5, is a tiny blip on the $95 billion U.S. e-commerce market. But it could signal important changes ahead. Here's how it works: Before customers download biometric software, they are asked a series of questions, such as date and place of birth.
This is enough for the system to scour public records. Within several seconds, it generates a series of multiple-choice questions. It might ask you which of five cities has never been part of your address, or which of five streets you have lived on. These are called "out-of-wallet" questions. The idea is that someone who steals your wallet would be unable to answer them.
This test should establish that the person at the computer is who he or she claims to be. At that point, the user registers the biometric data. One way is to type several words for the program, repeating them several times. It focuses on typing patterns, creating an algorithm for each user. A second way, if the computer has a microphone, is to repeat a series of numbers the program demands.
MIMIC TEST. Sound iffy? In a recent demonstration, I sat next to Touchcredit founder James Uberti and tried to sign into his account by imitating his keystroke patterns and his voice. I had several advantages over most hackers. I not only had access to his computer but could also watch and listen carefully.
I never mastered his voice. The program gave him a series of numbers to pronounce. He pronounced them and was granted access to the account. I tried numerous times and failed. I did manage once to imitate his keystrokes, but only on a small transaction. The more money at stake, the more rigorously the machine tests the user. When I upped the transaction from a hypothetical $100 to $1,000, the program foiled my treachery every time.
Electracash's Falls believes that the extra security and convenience of biometrics will give him a leg up on rivals. Starting this summer, he'll provide the software at no charge to customers. Early on, he expects most of them to use the keystroke or voice systems. But in time, he foresees banks wooing customers with free fingerprint scanners or Webcams for facial recognition.
EASIER PURCHASES. Banks have plenty of incentive to promote such technology, too. According to U.S. law, in cases of credit-card fraud or identity theft, the consumer is on the hook for only up to $50. The bank has to swallow the rest. "Until now, the major banks and credit-card issuers have passed on these costs to the consumer," says M. Paul Collier, executive director of The Biometric Foundation, a Washington (D.C.) research and advocacy group. But with a growing backlash against banking fees, biometric initiatives like Electracash's could prove enticing.
When biometrics work, they can make e-commerce a whole lot easier. Once the system knows your fingerprint or voice, it can instantly summon a credit-card number, mailing address, or any other data from its own records. The result is that more e-commerce can become as simple as the one-click checkout that's popular at Amazon.com -- but with the added assurance that buyers are who they claim to be.
Frustrations are inevitable. If you're suffering from laryngitis, you're sure to have trouble convincing a voice-recognition system. Fingerprint monitors can act erratically if the finger is too dry or oily. And if you've had a few drinks, your keystrokes may run askew of the patterns you set while sober.
DESIGNATED SHOPPER. Privacy issues are involved as well, as more and more institutions, private and governmental, request information that you might consider personal.
These are the early days in biometrics, however. As the field gains a foothold in areas like law enforcement and immigrant identification, look for it to spread to e-commerce. And in the meantime, if an unforgiving system gets in the way of an alcohol-blurred shopping binge, count your blessings. Baker is a New York-based senior writer covering technolgy for BusinessWeek