Identity fraud is big news and unfortunately it is also bad news
for an electronic payments industry working overtime to
persuade users that its systems are secure. However, there is a
real potential for biometrics, a still relatively new area of
technology, to provide the answer to this demanding challenge.
Massive data breaches in 2007 involving the UK’s tax and excise
agency’s loss of confidential information including bank account
details of 25 million individuals and US retailer TJX Companies’
loss of details of 46 million credit and debit card users sent
jitters through the payments industry. Adding fuel to the fire,
internet-based commerce is under increasing attack by fraudsters,
prompting the UK’s House of Lords’ Science and Technology Committee
to term the internet “the playground for criminals”.
Go deeper with GlobalData
Sadly, many security measures put in place by banks and online
merchants are not as secure as they claim. For example, single-use
passwords sent to an internet banking customer’s mobile phone via a
short message service (SMS) have been exposed as seriously flawed
by the Queensland University of Technology’s (QUT) Information
Security Institute in Australia. Even EMV PIN and chip cards appear
to have their vulnerabilities. Notably, UK bank Halifax is being
sued by an irate customer who claims that criminals cloned and used
his payment card for which only he knew the PIN.
Enter biometrics
Amidst these and other concerns, enter biometric security that
works on verifying identities using features unique to each person.
These are according to biometric systems consultancy and integrator
International Biometric Group (IBG) divided into two categories:
physiological biometrics which includes fingerprints, hand veins
and hand geometry and behavioral biometrics derived from
characteristics such as voice, keystrokes and signatures.
However, IBG advises that despite vendor claims, there is no
best biometric system. Those contemplating incorporating biometric
security must define its intended use and endeavor to identify the
most accurate, easiest to use, easiest to deploy or even cheapest
system that will meet their needs.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataIBG’s view is supported by industry body the Biometric
Consortium (BC), which adds that while the varying maturities of
different technologies may not indicate which one is best, it can
be an indicator of which one has more implementation experience.
For example, said the BC, fingerprint recognition has been used for
over a century while iris recognition is a little more than a
decade old.
In essence biometric systems convert an individual’s distinct
characteristics into digital format called a template and verify
their identity by matching their sample submission, such as a
fingerprint or voice message, against their original template
contained in a database. This requires the use of algorithms that
take into account variations such as finger placement on a scanner
or in the case of voice verification, background noise.
In the verification process a system allocates a score
indicating the degree of similarity or correlation of a biometric
match. IBG explained that the system determines a score
representing the degree of correlation between the presented sample
and the reference sample. Verification score thresholds are preset
and if a comparison exceeds the threshold, a positive
identification is signalled.
Impressive accuracy
Biometric systems are also not infallible. However, noted IBG it is
possible for some biometric systems to verify identify with error
rates of less than one in 100,000 or even one in 1 million.
However, added IBG, claims of 100 percent accuracy are misleading
and are not reflective of the technology’s basic operation. Indeed,
stressed IBG: “An identical match is an indicator that some sort of
fraud is taking place.”
Even allowing for potential error rates as noted by IBG, these
pale into insignificance when compared with accuracy rates of
security systems such as SMS single-use passwords. According to
QUT, tests revealed that obvious attacks were successful in 21
percent of mock transactions and stealthy attacks in 61
percent.
The most widely deployed biometric security technology is
fingerprinting and according to IBG there are more fingerprint
solutions available in the marketplace than solutions using all
other biometric technologies combined. In 2008 IBG estimates that
companies involved in fingerprint technology used in a wide variety
of applications including access control and payments security will
generate total revenue of $1.5 billion, about a third of all
revenue generated in the biometric market.
Unlike fingerprints used for forensic purposes IBG explained
that those used for security systems store only specific data.
After the data is extracted, the fingerprint is not stored and the
full fingerprint cannot be reconstructed from the fingerprint
template.
A pioneering success
Fingerprint technology has been used successfully in a number of
high-volume transaction applications, one of the first of these
dating back to 1990 when fingerprint identification was introduced
by the local government of the South African province of KwaZulu
Natal to secure payment of pensions and other social grants.
The project was launched by South African bank First National
and IT company Datakor which jointly formed a new specialist
company Cash Payment Services (CPS) to deliver the service. CPS
went on to serve 1 million people and receive an award in 1996 for
its pioneering work from US research and educational institute, the
Smithsonian Institution.
In 1999 CPS was acquired by smart card technology developer Net
1 UEPS Technologies (Net 1), now a US-domiciled company. Net 1 went
on to take CPS’ biometric system to new heights, deploying it as
the security component of its smart card platform, the Universal
Electronic Payment System (UEPS).
The unique element of the UEPS system is its offline
capabilities that are facilitated by moving processing to the chip
embedded on a smart card. Using a smart card reader or POS device,
communication between smart cards is enabled in real time during a
transaction and indirectly with Net 1’s mainframe computer at a
later time. “Offline capabilities are essential in serving the
unbanked and under-banked who tend to be in areas either poorly
served, or not at all, by banking facilities,” Net 1’s founder and
CEO Serge Belamant told EPI.
Also vital is positive offline cardholder verification. In Net
1’s approach, prior to a card being issued all 10 fingers are
captured, with three fingerprint images captured per finger. The
three fingerprint images for each finger are consolidated and
filtered to create the best image for that finger to produce 10
high-quality fingerprint images which are then scored. The four
highest-scoring images are used to generate fingerprint
templates.
The four fingerprint templates are stored on the card and
matched by a scanner when a cardholder performs a transaction.
Significantly, Net 1 has never suffered a security breach or losses
of transactions or funds on its system.
The success of Net 1’s system is reflected in a total of almost
4 million people in South Africa who receive state welfare or
pension payments through the system. Net 1’s system is also being
increasingly deployed in other African countries, the latest of
these being Nigeria where the central bank selected Net 1’s
SmartSwitch Nigeria unit to deploy a payments system based on UEPS
technology, including its biometric identification system. The
Nigerian deployment involves all 23 of the country’s banks and in
addition to banking, the goal is to harness the payments system in
areas including health care, pensions, transport, micro-finance and
insurance.
Asia goes biometric
In Asia one of the most significant steps in the deployment of
fingerprint biometrics was taken in Malaysia when in September 2001
it became the first country to issue smart identity cards.
Named MyKad, the card system, developed by US technology vendor
Unisys, incorporates biometric fingerprint technology and in
addition to uses such as identification for travel purposes, the
storing of medical records and drivers’ licenses, incorporates
payment functionality. MyKad cards can be used to perform ATM
transactions, to for pay road tolls, parking and public
transportation and as an electronic purse that can hold up to the
equivalent of $500 and be used for purchasing low-priced items.
Japan is another Asian country at the cutting edge of
development of biometrics in the payments market, spurred on by a
call by the Japanese Bankers Association for its members to deploy
preventative measures to counter an increase in the prevalence of
counterfeit cash cards. Japan has, however, focused on another form
of biometric identification, palm and finger vein
authentication.
Since August 2004 when Mizuho Bank of Japan launched the world’s
first authentication system based on the identification of vein
patterns, other Japanese banks have followed in large numbers.
According to Japanese technology group Hitachi 80 percent had
deployed finger or palm vein biometric scanners in their ATM
networks by early-2007.
Explaining the technology, Hitachi said near-infrared light is
transmitted through the finger or palm and partially absorbed by
hemoglobin in the veins to capture a unique vein pattern profile.
Accuracy is extremely high and false rejection rates are no more
than 0.01 percent and false acceptance rates less than 0.00002
percent. Hitachi, which has as its main competitor Japanese
technology vendor Fujitsu, is targeting annual sales 10,000 vein
authentication devices in Japan and in foreign markets.
Voice recognition is another biometric identification technology
receiving increased attention. According to UK technology vendor
Biometric Security, voice verification has been around in various
forms for almost two decades but it is only in the past few years
that advances in computer processing power has made commercially
viable applications possible.
Biometric Security’s own product, VoiceVault, uses spoken words
to calculate vocal measurements of an individual’s vocal tract that
are converted into a voice-print that represents a unique digital
representation of an individual’s voice. To verify the identity of
a caller, a process that takes less than a second, 117 calculations
and tests are applied. In addition, the system is programmed to
detect and reject any attempt to use voice recordings and to allow
for voice changes resulting from, for example, a caller having a
cold.
According to Biometric Security, VoiceVault is the only voice
biometric verification system certified to issue European Union
advanced digital signatures, which have the same legal status as a
handwritten signature within Europe.
Users of VoiceVault include Voice Pay, a UK company credited
with launching the world’s first voice-verified payment processing
system, and Netherlands bank ABN Amro, the first major bank to
provide its 4 million Dutch retail customers with access to banking
services secured by voice biometric technology.
ABN Amro uses the VoiceVault system to authenticate up to 35
million calls per year and deployed it after a trial in 2005
involving 25,000 live and 10 million automated verification tests.
Notably, in a survey of retail customers that took part in the
trial, ABN AMRO found that 83 percent would prefer to use voice
verification over the existing PIN-based process.
Cost benefits of voice verification were also highlighted by a
studies conducted in the UK and the US in 2007 by research firm
ContactBabel.
In the UK, according to ContactBabel, it takes on average 20
seconds to verify the identity a customer contacting a call centre.
ContactBabel estimates that the time saved by implementing a voice
verification system in a contact centre receiving 10 million
inbound calls per year would result in total saving over £2 million
($3.9 million) annually.
In the US, ContactBabel drew similar conclusions and estimated
that a contact centre receiving 10 million inbound calls per year
with existing identity verification procedures taking on average 20
seconds per call could save $6.5 million each year by deploying a
voice verification system. In addition, Contact.
Babel noted that for procedures such as internet password
resetting, the higher level of security achieved with voice
verification enables businesses to offer real-time password resets
or reminders, thus reducing up to 70 percent of helpdesk calls.
Voice verification biometrics has also been harnessed by the
world’s largest technology developer IBM which has developed what
it terms conversational biometrics (CB). Specifically aimed at
enhancing card and other transactional processes, CB uses the same
speech signal to verify the user’s voice and knowledge.
In a system using CB, an automated security policy manager would
have access to a pool of possible verification challenges that it
would select randomly until the rules mandating the security policy
are satisfied or otherwise. This approach, said IBM, also provides
the flexibility of adapting the way users get verified to the level
of risk associated with a specific transaction.
Seemingly a sign that IBM sees a positive future for biometric
technology, it announced in August 2007 that it was to incorporate
voice biometric security into its WedSphere application server that
is deployed widely in the financial service industry. Software to
be used was developed by German biometric technology vendor Voice
Trust.
