In the ongoing battle to thwart fraudsters, biometrics are the new frontier and fingerprint recognition appears to be the strongest candidate for rolling out to customers now. By Joshua Weinberger.

Hard as it may be to recall, there truly was a time when bank customers would walk up to a live person, fill out a handwritten withdrawal slip with nothing more than an account number, and walk away with cash in hand. In today’s banking environment, however – with customers relying instead on ATMs, direct deposit, billpay and online banking – financial institutions have had to upgrade the systems used to identify and authenticate individual customers.

For decades, bankers and criminals have played a game of cat-and-mouse, with enhanced security measures offset by ever more devious fraudulent activities. Card-and-PIN arrangements, the low-end default for much of the developed world, are no longer considered sufficient because counterfeiting has grown more advanced.

Criminal element

The UK’s Association for Payment Clearing Services (APACS), for example, reports that criminals are “copying magnetic stripe details and using hidden miniature cameras to capture PINs at cash machines”. The development of chip-and-PIN systems was supposed to close the magnetic-stripe loophole, but criminals can still use lost and stolen cards if they have access to a customer’s PIN. And criminals need not have James Bond-calibre spycams to glean those codes: APACS reports that 25% of all Britons have disclosed their PIN to someone else, and 27% use the same PIN for all their cards.

It has been two years since the US Federal Deposit Insurance Corporation (FDIC) suggested that banks should be “upgrading existing password-based, single-factor customer authentication systems to multi-factor authentication”, and split user authentication into three categories:

  • Something a customer has (such as a card).
  • Something a customer knows (such as a password).
  • Something a customer is (such as a physical characteristic).

Additionally, for banks operating in the US, one red-letter day has been looming large: the end-of-year deadline set by the Federal Financial Institutions Examination Council (FFIEC) for institutions to have in place “enhanced authentication methods” to combat fraud, specifically in online transactions.

Option number three

In response, banks are finally turning to the third category: biometrics – the measurable physical characteristics that are unique to each human being. There are several types of biometric identifiers, including the structure of the face, the coloured ring of the iris, the capillary paths of the retina, the tone and pitch of the voice, even the vein pattern in the hand and wrist. But the biometric of choice for banks these days, especially when it comes to ATMs and kiosks, is the fingerprint.

The FDIC’s December 2004 report compared four different biometric authentication systems: fingerprint recognition, face recognition, voice recognition and keystroke recognition. It determined that, of the four, fingerprint scans were the most effective, the simplest for customer use, and the easiest to implement.

Coincidentally, at around the same time, the US-based technology firm NCR opted for fingerprint scanners in its roll-out of a biometric ATM network, located in Colombia.

That deployment, which now comprises 486 ATMs, was not NCR’s first foray into biometric ATMs. According to Charlie Harrow, product manager at NCR’s financial solutions division, the company had learned a valuable lesson during a year-long pilot programme in the UK five years earlier, in which 1500 customers were enrolled in an ATM system that replaced the need to enter a PIN with an iris-scanning system. The test was a complete success from a technological perspective, Mr Harrow says, but the scanners were prohibitively expensive.

A fit for ATMs

“Fingerprint fits the ATM model much better than iris scan does for two reasons,” he says. “One is that the cost of the sensor itself is a lot less than [that of] the iris scanner. The second is that the device is much smaller. Real estate on an ATM is a valuable commodity, so the size of a sensor is quite important. A fingerprint doesn’t take up much space.”

But there are limitations, which Mr Harrow is quick to acknowledge. “One of the drawbacks of biometric technology is that, while it has improved dramatically over the years, it’s still not absolutely perfect,” he says.

As studies by the FDIC and others have made clear, no biometric authentication ever yields results that are 100% accurate. Biometric systems have to be calibrated to balance two measures: the false acceptance rate (FAR), that is, the probability that a false biometric credential is accepted; and the false reject rate (FRR), that is, the probability that a valid biometric credential is rejected.

“Quite often it’s a trade-off,” says Mr Harrow. One way of addressing the FAR versus FRR balancing act, he suggests, is to think of the false acceptances as the “fraud rate” (successful attempts to log in fraudulently) and the false rejections as the “insult rate” (legitimate customers turned away). “Banks are trying to keep the insult rate as low as possible,” he says.
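
The calibration trade-off described above, as an added example that is not part of the original article. The match scores are constructed sample values, and the 0-100 score scale and function names are assumptions made for illustration.

```python
# Constructed sample match scores (0-100, higher = closer match); not real sensor data.
GENUINE = [91, 88, 84, 79, 77, 73, 70, 66, 58, 49]   # the enrolled customer's own finger
IMPOSTOR = [12, 18, 25, 31, 36, 40, 44, 52, 61, 68]  # somebody else's finger
THRESHOLDS = range(0, 101, 5)                        # candidate decision thresholds


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when any score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # "fraud rate"
    frr = sum(s < threshold for s in genuine) / len(genuine)     # "insult rate"
    return far, frr


def equal_error_point(thresholds=THRESHOLDS):
    """Threshold at which FAR and FRR are closest to each other."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def pick_threshold(max_frr, thresholds=THRESHOLDS):
    """Strictest threshold (lowest FAR) that keeps the insult rate within max_frr.

    Returns None if no candidate threshold satisfies the limit.
    """
    allowed = [t for t in thresholds if rates(t)[1] <= max_frr]
    return max(allowed) if allowed else None


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t in THRESHOLDS:
        far, frr = rates(t)
        print(f"{t:9d}  {far:4.0%}  {frr:4.0%}")

    eer = equal_error_point()
    print("equal-error threshold:", eer, rates(eer))

    # A bank that tolerates turning away at most 10% of legitimate
    # customers is pushed to a looser threshold and a higher FAR.
    t = pick_threshold(max_frr=0.10)
    print("threshold for FRR <= 10%:", t, rates(t))
```

On this sample, driving the insult rate to zero leaves a 30% false acceptance rate, while driving false acceptances to zero rejects 30% of genuine attempts, which is why the score alone is a weak single factor.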

As a result of that trade-off, biometric identifiers are generally not used as a single factor to authenticate customers. Other problems are a result of too much success: NCR reported that its 1999 UK trial involving iris scanners as a single-factor authenticator was so successful from a consumer-acceptance perspective that participants had to have new PINs issued at the end of the trial. Consumers had grown so accustomed to being identified from the iris scan they had forgotten their PINs. NCR now promotes biometrics as part of a multi-factor authentication process.

Regional trends

Biometrics, however, will continue to have a distinctly regional feel. “The beauty about South America from a biometric [perspective] is that citizens there are very much used to the idea of fingerprints,” says Mr Harrow. “In many South American countries, the governments are able to fingerprint the citizens as a matter of course.”

In another NCR deployment, in Pakistan, each customer is given a unique card, without a PIN but with a fingerprint biometric – and the card can only be used at a specific bank branch.

Those levels of familiarity with fingerprinting may not extend to the First World nations. “In the UK and the US and the other developed markets, we’ve already got card-and-PIN as the identification/authentication mechanism. You have to ask what the additional benefit of biometric technology on an ATM would be.” Answering his own question, Mr Harrow suggests that biometrics might be called for during higher-level transactions – larger withdrawals, for example – and might also be useful in the creation of an audit trail for disputed transactions.

Internal security

Mr Harrow also suggests that because a great deal of fraud can be traced to internal sources – perhaps as much as 70% of it, according to one Gartner report – biometrics could be deployed on the inside of the ATM as a function of service authorisation. “You put the biometric sensor not at the front of the machine, but in the back. So if you’ve got someone servicing the ATM – replenishing paper, or [repairing] the card reader – before the ATM comes back into service, the service guy has got to give a fingerprint to show that he is authorised to be inside the ATM.”

Biometrics versus PIN

In addition to consumer resistance, biometrics come with their own unique baggage. “From a fraud point of view, a biometric has got a completely different security property from a PIN,” Mr Harrow says. “A PIN is a secret and a PIN can be changed if it’s compromised, and you can have different PINs for different applications. With biometrics, none of those things are true. A biometric is a unique identifier, but it’s not a secret. So in the ATM environment, which is an unattended environment, you’re putting all your faith in the technology to pick out that the biometric that’s been offered to the ATM is a genuine biometric.”

Criminals are never far behind, he warns. “They’re always looking for ways to defeat these sensors. If I were clever enough to figure out some way of manufacturing false fingers, all I’ve got to do is get hold of your fingerprint, which isn’t difficult because you leave fingerprints all over the place.” Alternatively, in a card-plus-PIN-plus-biometric situation, criminals could damage the biometric sensor, forcing the system to revert automatically to the less secure card-plus-PIN requirement.

And so the cat-and-mouse game continues.
