VIEWPOINT: Vinod Raghavan, Security Architect, Temenos
Verifying that someone is who they claim to be is a perennial challenge for banks. It spans the whole banking spectrum, from private banks seeking to avoid money laundering, to retail banks guarding against identity theft, to institutions servicing the unbanked who have no record of their identity.
Biometrics has already gone a long way to solving this problem. Through fingerprint authentication, banks can establish and verify a customer’s identity, unequivocally. This overcomes issues of forgery and impersonation, greatly enhancing security, while decreasing costs.
Now, as banks transform from being branch-focused to becoming digital organisations, biometrics will have an increasingly large role to play.
Photo ID obsolete
As banks move away from having a physical presence, paper-based forms of identification, such as photo ID and signatures, are losing primacy. This is good news from a security point of view, owing to the notorious unreliability of these forms of evidence. It also removes the onus from staff to visually match up sets of signatures or a face with a photo. Instead, they are being replaced by a variety of truly unique biometric identifiers.
During the enrolment process at a bank, customers simply touch a fingerprint scanner. Quality scanners capture complete images and create minutiae templates that are one-of-a-kind, unique identifiers. Combined with demographic data, biometrics create a complete identity file for each customer. When customers access funds or services, they scan a finger and the authentication system compares the scanned template to the stored templates. Unlike relying on photo ID, fingerprint identification ensures that multiple identities cannot be created for the same person.
Employees of banks and other financial institutions can follow a similar process when logging onto systems, accessing secure assets or clocking in at work. Instead of typing in a user ID and password, a finger scan verifies their identity and security levels, providing fast access to applications, systems and networks. Employee biometrics templates are linked with their credentials account (usually based on Microsoft Active directory, a special-purpose database).
For both customer and employee activity, access is only granted when the scanned biometric matches the information stored in the individual’s secure identity file. Suspicious activity is automatically flagged and detailed in management reports, which can be delivered individually in real-time, or as part of an aggregate report.
More than fingerprints
Fingerprint scanning is the most common form of biometric identification. It has been used for many years, and relies on the uniqueness of each person’s fingerprints. Contrary to a common assumption, however, the actual fingerprint image is not stored in the database. Instead, a mathematical representation of the fingerprint, known as a template, is stored, making it very difficult to compromise the fingerprint data. Creating templates from multiple fingers can also result in a more secure system, and improve access for the broadest range of customers.
Indeed, as Mexico-based Banco Azteca discovered, fingerprints are not always straightforward to obtain. A high proportion of its customers are from poor rural communities, working as farmers or labourers, and often their fingers are damaged or worn. Consequently, a fingerprinting solution had to be developed that was sophisticated enough to image and authenticate these difficult-to-read fingerprints.
As a further level of security, mechanisms have been developed that can identify whether blood is flowing through the finger at the moment of authentication. This, of course, ensures that the finger belongs to a live human, countering concerns that it’s theoretically possible to fake fingerprint biometrics.
Fingerprints are just one of a many unique human identifiers, and further technological advances are allowing banks to use other measurements to verify identity. These include iris, facial, and finger-vein scanning, and voice recognition. Finger-vein scanning is an interesting twist on fingerprinting, where the tip of the finger is also scanned, but the patterns of the veins beneath the skin’s surface are recorded instead. Blood vessel patterns are unique to each person, and are more challenging to counterfeit, as the ID scanner can only authenticate the finger of a living person.
Biometrics for ATMs
The potential for biometrics in banking is vast. As Michel Nerrant, of Crossmatch, a fingerprint biometric solution provider, observes, “with one fingerprint you can do so many things in so many contexts with both small and large banks.”
Biometric authentication can be used in two key channels – ATMs and mobile banking. ATMs can be fitted with fingerprint readers where customers can identify themselves and complete basic banking ATM transactions, including reviewing their balance, withdrawing cash or purchasing mobile phone pre-paid minutes. Several countries around the world are already using biometrics-enabled ATMs. Japan has been an early adopter of this technology, deploying it widely, with more than 80,000 biometrics-enabled ATMs in the country and more than 15 million customers using them.
Chip and pin-based ATM authentication presents security exposures. Biometrics provides...