advertise here



Industry Comment Research   RSS Feed

Webinars Buyers' Guide Podcasts

Related Publications Foward Features




  In partnership with:

January/February 2007 issue

New biometrics see right through you


Ron Condon

Biometrics in retail banking

The modern banking system relies heavily on strong authentication to ensure customers are who they say they are - but how strong is strong enough?

For years, the magnetic stripe, combined with a PIN satisfied the basics of two-factor authentication (something you have, and something you know) but soon the criminals learned how to copy the stripes, and in Europe the banking system has largely opted for the more secure chip-and-PIN option, which is a lot harder to crack.

But the search is always on for more security, and various biometrics technologies now offer the way forward in helping to determine who you are.

There are plenty to choose from, including fingerprint recognition, iris scans, face recognition, voice recognition, and systems that can recognise the veins in your fingers, the palms of your hands, or even the back of your hands.

Which technology a bank ends up choosing is determined not solely by how well it works, but is also influenced by other factors, such as cost, convenience, ease of registration and how well it is accepted in the culture of each country.

And although security is one clear driver for the deployment of biometrics in banking and its close cousin, retail, other drivers may also be at play, such as improving customer service or learning more about customers' buying habits.

Fingerprint recognition technology has improved greatly in recent years, and is in wide use by Governments (as anyone flying into the US will know by experience) and the police.

While it used to be possible to lift a thumbprint off a reader from a previous user, newer readers now require the user to swipe their print past a scanner, thus avoiding the problem. Readers also look for an electrical charge or blood-flow to ensure the thumb is still attached to the user -with previous readers, criminals had been able to use the severed digit of their victims to help them withdraw money.

The perceived drawback of fingerprints in the UK and much of Western Europe, is their criminal connotations. The banks fear customers would object to having their dabs taken.

"Attitudes towards fingerprint biometrics vary from country to country," says Chip Mesec, a manager with DigitalPersona, a specialist in biometric fingerprint authentication. "In South America for example, fingerprints are used for national voting, so people there have naturally adapted well to the use of biometrics within retail banks. This attitude will eventually catch on in countries where currently, issues of privacy are associated with the use of fingerprints - like the US and Europe. This must start with the realisation that fingerprint systems do not capture fingerprints, but mathematical representations of fingertips."

As he says, fingerprints are better accepted in South and Central America, where bank customers have strong concerns over security. In Colombia, for example, the fifth largest bank Bancafe has installed fingerprinting technology from NCR. The new biometric ATMs do not require customers to use a card to initiate a transaction.  Instead, they can just place their finger on a reader at the ATM, enter an ID number and access their cash.

This holds an appeal to a large proportion of the company's customers, who are small coffee-growers living out in rural areas. It means their money can be transferred electronically to their accounts, and they can easily withdraw small amounts of cash without fear of having a bank card stolen.

In Malawi, where small tobacco growers are mainly illiterate, fingerprint recognition has provided the means for them to open and operate an account with the Opportunity International Bank of Malawi, part of an international charity devoted to helping small businesses.

The bank has around 55,000 depositors with accounts worth as little as $5. They are given a smart card to carry, but they also have to register with four fingerprints and have a portrait photograph taken. When accessing their accounts, they hand over their card, place a finger on the reader, and for further confirmation, the bank clerk checks their face. 

According to one of the project workers, Deborah Foy, registration of the client's details currently takes between one and three weeks, but the organization is now running a pilot to streamline the process by putting it online between the bank branch and IBM, which handles registration.

The case for fingerprints elsewhere is boosted by the technology now becoming a regular feature in laptop computers, PDAs, USB memory sticks and even mobile phones. The more people get to use it in their everyday lives, the more acceptable it will be.

This is certainly the case in the US, where the Pay by Touch system allows shoppers to pay just by putting their finger on a fingerprint reader, and then entering a seven-digit code, usually their phone number. The convenience of the system, which does not require people to produce their bank card, has already won over more than 3 million users.

One other promising field is voice recognition, which has also come on in leaps and bounds, and according to many people, is extremely reliable in authenticating users. "It is remarkably reliable," says Jonathan Charley, head of retail banking at EDS. "They have had impersonators in, they've had pegs on noses, tried to trick the system, but the technology is so good now that even if you have a cold or a sore throat, it will still recognise you."

He says that some UK banks and call centres are already experimenting with the technology, and says that one bank already uses it as a "first line of defence" for its telephone call centre, although it has not yet informed the public.

The Dutch bank ABN Amro certainly believes the technology works. It will soon introduce a telephone banking service to its 4 million customers, using the Voice Vault Caller Authentication system, which will replace the use of PINs and instead ask customers to speak their account number and personalised shared secret in order to authenticate themselves. The VoiceVault biometric engine then carries out more than 100 measurements of the voice pattern and compares it against a previously stored voiceprint to verify the caller's identity.

Voice verification has a number of advantages, says Pierce Buckley, a senior manager with VoxGen, a British company that supplies voice recognition systems to the defence and Government sector as well as financial services.

With most forms of biometrics, customers need to go to the branch to register, which is inconvenient for them and costly for the bank. By contrast, they can register their voice over the phone as part of an automated process. Furthermore, given the recent spate of security breaches in offshore call centres, an automated authentication process can prevent call centre operators getting access to customers' security information.

Other technologies, such as iris scans and face recognition seem to figure less in the banks' plans. While the EU favours iris scans for passport verification, most commercial companies feel the intrusive nature of a lightbeam in the eye is unlikely to prove popular with customers.

Face recognition is still not reliable enough to authenticate a bank customer, but according to EDS's Jonathan Charley, at least one UK bank has experimented with the technology to boost customer service. In a pilot project, the bank looked at putting an RFID tag in a passbook or card that would register as the customer entered the branch, and trigger a camera to photograph them. This would allow the bank assistant to check their identity against a known picture of the customer, and also prompt them to give extra attention to high-value customers.

Finally, one of the most successful deployments of biometric technologies in banking has taken place in Japan over the last couple of years. Prompted by a sudden rise in card fraud in 2003, the Japanese authorities forced the banks (which had insisted on forcing customers to bear the cost of any losses) to adopt more secure technologies than the magnetic stripe cards they had at the time.
Deciding to leapfrog chip-and-PIN, the Japanese opted for vein recognition technology from Hitachi and Fujitsu. According to comparative tests by the US-based International Biometrics Group, vein recognition comes out top in both effectiveness and usability.

Since then, the technology has been adopted by several major banks and also the Japanese Post Office, which is uses it in 20,000 branches.

While the Fujitsu systems scans the veins in the palm of the hand, the Hitachi system (used in 75 per cent of bank branches) works on veins in the finger. Vein patterns are set from birth, according to Peter Jones of Hitachi, and are detected by an infra-red light that is shone through the skin.

The system requires the customer to go to a bank branch for a registration process that takes less than two minutes, according to Jones. The biometric data is gathered by the system and then stored on the user's smart card.

When the customer goes to an ATM, they have to insert their card, enter their PIN code, and then place their finger or palm on the pad to provide a third factor of authentication.

Some Western banks may need convincing that a third factor is necessary, especially having forked out so recently on chip and PIN. But for the Japanese, the big incentive is much lower bank charges once they register.

As our own banks start increasing their charges, lower charges could be the perfect incentive to get users to accept more levels of security.

Features index



 

 
Search this Site:
Google Custom Search



Click here...