July 14, 2011
Where will biometric ID technologies fit in fight against fraud?
Biometric systems are designed to recognize individuals based on their unique biological and behavioral traits. Traits such as hand geometry; fingerprints; voice and vein recognition; and retina, iris, and facial scans are all personal characteristics that can authenticate someone's identity. Using biometrics to combat fraud is not novel. In 2008, a California-based company introduced a risk management solution that identifies fraudsters through the use of voice printing, which allows the company to compare a caller's voice against a database of known criminals before the company authorizes a credit card payment.
In a previous post, we discussed the concept of using biometric technology to combat ATM fraud. Since then, we learned of ATMs abroad that are equipped with voice-based biometric technology that determines user honesty and helps prevent consumer credit fraud. In this post, we revisit the issue of biometrics, touching briefly on new developments in the payments industry as well as on issues reported on by companies and researchers.
Biometrics gain trust
Summarizing a poll it took of credit card users, Unisys reported in 2010 that consumers are becoming comfortable with the use of biometrics. In fact, according to the report, about two-thirds of the respondents indicated a preference for fingerprint biometrics over the use of photo verification, PINs, and signatures. A 2009 Gallup survey revealed that 58 percent of survey respondents would use biometrics to verify their identities, and a staggering 93 percent preferred fingerprints as their biometric of choice.
Searching for a secure biometric storage process
Biometric data on portable devices such as cards can last anywhere from six to 12 years. Technology such as Precise Biometrics' Match-on-Card allows cards to be activated with a fingerprint or iris scan instead of a PIN. All biometric information is stored on the card, so the matching of the biometric data takes place on the card.
This type of technology sends a biometric template to the card processor, where it is matched against a reference biometric template stored on the card itself. The card protects personal identity information as it is transmitted across a contactless interface using radio frequency technology. Other companies have introduced similar products that retain all the biometric data on the portable device, which can lessen users' anxiety since their biometric data is stored in a device they control. However, user control over biometric data does not necessarily lessen the potential risk for lost, stolen, or damaged credentials.
Recommended considerations for biometric recognition technologies
According to a report by the National Research Council, "no single trait has been identified as stable and distinctive across all groups," so we cannot rely solely on voice printing, for example, or on fingerprints to guarantee security. The report also points out that biometric systems contain numerous "sources of uncertainty" that "need to be considered in system design and operation." For example, biometric characteristics often vary over an individual's lifetime due to a number of factors, including age or disease, and the systems may not capture or account for this variability. Other, more technical, issues may also create variability in these systems, including sensor calibration and data degradation. Even security breaches themselves add variability. As another "source of uncertainty," the report points to the fact that biometric systems may not be "designed and evaluated relative to their specific intended purposes," so they fail to account for factors such as the competence of the systems' users.
A final note
While there is no such thing as an impregnable security system, using multiple forms of credentials and identification components can strengthen most security systems. If biometrics is one of those layers, careful consideration should be given to measuring the merits and risks relative to other authentication technologies, such as PINs and signatures, as well as ensuring that the biometric that is selected functions as intended. Like any other authentication form factor, any biometric identification technology used should undergo a thorough threat assessment to determine its vulnerabilities and its potential for mitigating attacks. Biometrics may or may not become the panacea to authentication, but ensuring that users trust the entire biometric system is integral to its successful implementation and adoption in the fight against payments fraud.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 14, 2011 in biometrics, consumer fraud, consumer protection
September 27, 2010
Could the fight against ATM fraud use the help of biometrics?
Biometrics is defined as "the measurement and analysis of unique physical or behavioral characteristics especially as a means of verifying personal identity." There are several different identifiers that may be used in biometrics, including fingerprint and hand geometry, voice and vein recognition, as well as retina, iris, and facial scans. The concept of biometric technology as a customer authentication tool to protect the identity and accounts of individuals from fraud or theft is promising. However, relinquishing something as personal as a unique trait may leave some skeptical and others simply unnerved.
But can privacy concerns or consumer apprehension over the use of biometrics overcome the need to address the growing instances of ATM fraud?
Physical attacks on ATMs increase
According to Javelin Strategy & Research, in 2009, 10 percent of fraud victims in the United States experienced fraudulent ATM cash withdrawals. These schemes typically involve the use of a skimming device that may sit above the actual card reader and capture PIN entries. Other methods are more brazen and involve the physical act of pulling an ATM from the wall or floor and disassembling it elsewhere. Additional types of ATM attacks may involve data breaches, social engineering, and software vulnerabilities.
Successful adoption of biometric technology
Although the thought of biometric technology may conjure up images of George Orwell's 1984, for years now, several major Japanese banks have been using some form of biometric technology to combat ATM fraud. One example is the Bank of Tokyo-Mitsubishi, which uses palm vein-pattern biometrics for account and identity authentication. After inserting the card and entering a PIN, the user holds his or her hand over a sensor on the ATM for verification purposes. Because palm vein patterns are unique to each individual, others are not able to withdraw money using stolen cards. The palm vein information is stored in the card itself, which also keeps the biometric information hidden from bank employees.
In 2006, a new Japanese law made banks liable for fraudulent ATM withdrawals. Prior to the law's passage, banks did not impose withdrawal limits and did not protect against losses due to theft. As a result of the new law, today more than 90 percent of Japan's banks use some form of vein-pattern recognition.
Biometrics obstacles
A lack of standardization and the costs of implementation top the list of reasons the financial services industry is apprehensive about integrating this technology. Privacy concerns and general consumer apprehension also rank near the top. But surprisingly, consumers have offered positive feedback when asked about the use of biometrics to combat fraud. In fact, when asked what they would choose, more consumers preferred using biometrics as an additional authentication tool over a one-time password device.
Will banks be willing to invest the time and money into technology that may or may not become an industry standard? Or are some banks waiting for other banks to serve as pioneers in the United States before they invest in biometric ATMs?
Creating a chain of trust
U.S. consumers have historically shown reluctance to embrace new technologies until their reliability and trustworthiness have been vetted in the marketplace for a number of years. Part of building this trust will require building a track record of robustness with respect to both security and reliability. While concerns about biometrics may abound, these concerns can be addressed by educating the user and industry.
The concept of biometrics shows great potential for combating ATM fraud, but is it the panacea? Or is the key simply using technology more advanced than that employed by the bad guys, staying one step ahead of them rather than one step behind?
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 27, 2010 in ATM fraud, biometrics, fraud
Comments
Posted by: Mike Urban | September 29, 2010 at 06:01 PM

Oddly enough this article came out recently:
AUTOMATED BIOMETRIC RECOGNITION TECHNOLOGIES 'INHERENTLY FALLIBLE,' BETTER SCIENCE BASE NEEDED
http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=12720
This isn't to say that combining a biometric with a card and PIN could make it less 'inherently fallible'...
The biometric needs to be reliable enough to replace one of the authentication factors with a more effective method. Otherwise you are creating more work/effort/barrier for the consumer to transact with the payment method.