HAMPSHIRE, England – Contactless payment services that employ biometric scanners may “irretrievably compromise” online identity, according to a new study by Juniper Research.

The consultancy reached the conclusion, offered in its report “Mobile Identity, Authentication & Tokenisation 2015-2020,” after examining insecure software distributed with HTC’s One Max smartphone. The software mistakenly stored fingerprint data on the device in plain text and in a world-readable location.

Although the mistake was rectified, report author Dr. Windsor Holden warned the implications of insecure storage could be devastating.

“When a password or PIN is hacked, the consumer can simply get a replacement,” Holden noted in the report. “When biometric data — fingerprint, iris, facial — is stolen, the consumer’s online identity could be irretrievably compromised.”

The report pointed out that the greater prevalence of cybercrime — more than 1 billion online records were exposed by data breaches in 2014 — means tokenization is an increasingly attractive proposition for acquirers and processors. The process could significantly reduce exposure to fraud. Furthermore, with hackers obtaining only tokens that are meaningless in isolation, the scale of attacks on websites might also decline.

However, Holden noted, extreme precautions must be taken to ensure the security of biometric data, as it is unique and could be exploited with disastrous consequences. Increasing deployment of convenient fingerprint scanners likely will make biometrics a primary mechanism for transaction authentication worldwide by 2016.

Juniper’s research indicates the increased rollout of contactless payment services using fingerprint scanners will push the number of biometrically authenticated transactions to nearly 5 billion by 2019, up from less than 130 million this year.