Eurostar adopts biometric check-in on UK-France trains, experts warn of risks


Taking cues from airports, railways are now adopting biometric check-ins, fuelling ongoing debates on whether the convenience of ticketless travel will outweigh the potential cybersecurity risks.

Eurostar, the high-speed international rail service connecting the UK with mainland Europe, is launching a contactless facial biometric check-in system, SmartCheck, developed by biometric solutions provider iProov.

The forthcoming system is to be implemented at London St. Pancras Station and will automate gate check-in processes and UK exit checks.

ADVERTISEMENT

“We continue looking for solutions to increase capacity in stations and simplify the passengers’ flows. By introducing SmartCheck, we become the first rail travel operator to adopt biometric face verification,” said Eurostar Group’s CEO Gwendoline Cazenave in a press release.

Passport check-up via smartphone

The SmartCheck system will allow passengers to get their tickets, passport, and face checked before they travel, using their mobile device and application.

Before traveling, the passenger uses the app to scan their identity documentation and verify their face alongside their tickets using their mobile device. At the station, passengers are checked at the walk-past facial biometric checkpoint.

The company believes that the new check-in system will help to save time and avoid queues for ticket and UK border exit checks in the station, as passengers will have to go through only one passport check at France’s border instead of two.

St. Pancras Station, London
Eurostar International Departures at St. Pancras railway station, London | Image from Shutterstock

“Eurostar’s SmartCheck solution leverages iProov’s Genuine Presence Assurance technology to employ a multi-dimensional biometric face scan in the remote onboarding process that illuminates a passenger’s face with an unpredictable one-time biometric sequence of colors to verify that a remote user is a right person, a real person and that they are authenticating in real-time. That facial verification is then authenticated when the passenger arrives at the station during a brief additional scan,” Dominic Forrest, iProov's Chief Technology Officer, told Cybernews.

Ensuring compliance with GDPR

ADVERTISEMENT

The railway industry's adoption of biometric technology mirrors the trend set by the air industry in moving towards contactless check-ups. Earlier this year, the US Transportation and Safety Administration (TSA) introduced the first biometric screening at Baltimore Washington International Airport. The move sparked privacy concerns.

However, differing from TSA’s decisions, the use of biometric check-ins on Eurostar trains will be entirely voluntary. According to the iProov, personal data will not be shared with third parties and will be deleted within 48 hours of the trip to ensure privacy and compliance with GDPR.

“The passenger is in complete control of their personal data at all times. This data is stored securely on the user’s mobile device, encrypted during operation, and only shared with the ticket gate and Eurostar’s UK exit services after a passenger confirms their travel which can be up to 24 hours prior to their trip,” Forrest assured.

St. Pancras Station, London
Eurostar terminal at London St Pancras International, London | Image from Shutterstock

Privacy and security at stake?

Matthew Corwin, Managing Director at the security, compliance, and investigations firm Guidepost Solutions, told Cybernews that using biometric systems involves a privacy and cybersecurity risk for users. It can result in breaches, unconsented tracking, or even impersonation for criminal activity such as illicit border crossings.

Corwin explains that facial biometric recognition systems typically convert visual facial images into a numerical format, known as a "faceprint," for storage and future image matching and verification.

Malicious actors can "spoof" these credentials using methods such as 2D images, 3D masks, or even by directly injecting the faceprint credential into the system. While these methods may not deceive a human observer, they have proven successful in tricking biometric computer verification programs.

“Unlike other non-biometric access credentials such as passwords, faces or corresponding faceprints can't be readily altered if compromised,” said Corwin.

“The risk of identity theft escalates when biometric data is collected alongside other personal identifiers, like full name, date and place of birth, passport number, expiry date, gender, and country of birth – information typically contained in passports and used by biometric border crossing systems."

ADVERTISEMENT

Simon Newman, CEO of the Cyber Resilience Centre for London and member of International Cyber Expo’s Advisory Council, told Cybernews that the use of biometric check-in systems in ports and airports is increasingly commonplace and has been routinely adopted by many countries around the world to improve security and speed-up queues in ports and airports.

“Any app or third party that captures sensitive personal data has the potential to be vulnerable to a cyber attack or breach, but this is a tried and tested technology developed with backing from the UK Government,” said Newman.

“It is essential, however, that passengers are fully aware of how their data is being processed, including the length of time any images are kept in compliance with GDPR.”