Biometrics for payments. The use of biometrics in banking



Similar documents
addressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Biometrics: Advantages for Employee Attendance Verification. InfoTronics, Inc. Farmington Hills, MI

May For other information please contact:

Opinion and recommendations on challenges raised by biometric developments

Securing corporate assets with two factor authentication

PalmSecureID for the EDUCATION MARKETPLACE

Framework for Biometric Enabled Unified Core Banking

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

SCB Access Single Sign-On PC Secure Logon

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

Biometric SSO Authentication Using Java Enterprise System

Prevention Is Better Than Cure EMV and PCI

Meet The Family. Payment Security Standards

Good Afternoon! Since Yesterday we have been talking about threats and how to deal with those threats in order to protect ourselves from individuals

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

White paper. Biometrics and the mitigation of card-related fraud

PCI and EMV Compliance Checkup

Biometrics is the use of physiological and/or behavioral characteristics to recognize or verify the identity of individuals through automated means.

ENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY

Fingerprint Based Biometric Attendance System

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

WHITE PAPER. Let s do BI (Biometric Identification)

Modern Fraud Prevention from a Bank s Point of View

Biometrics and Cyber Security

Statement of. Carlos Minetti. Discover Financial Services. Before the. Subcommittee on Oversight and Investigations. of the

Voice Authentication for ATM Security

White paper Fujitsu Identity Management and PalmSecure

Electronic Funds Transfer, Internet and Mobile Banking Agreement and Disclosure For Personal Accounts

Hitachi to Expand Finger Vein Authentication System Business on a Global Basis

White Paper How are thieves stealing modern vehicles?

AUSTRALIAN PAYMENTS FRAUD DETAILS AND DATA

Biometric Authentication Platform for a Safe, Secure, and Convenient Society

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

MegaMatcher Case Study

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER

ONLINE BANKING DISCLOSURE AND AGREEMENT

ACI Response to FFIEC Guidance

Tranform Multi-Factor Authentication from "Something You Have" to "Something You Already Have"

Multi-factor authentication

EMV and Small Merchants:

RSA Adaptive Authentication For ecommerce

FFIEC CONSUMER GUIDANCE

Prairie State Bank & Trust ELECTRONIC FUND TRANSFERS YOUR RIGHTS AND RESPONSIBILITIES

Biometrics Unique, simple, convenient

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

IDRBT Working Paper No. 11 Authentication factors for Internet banking

HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006

7. You agree to grant MCB a security interest in all your property in our possession to secure payment of your obligations under this Addendum.

Introduction to PCI DSS

Visa Inc. PIN Entry Device Requirements

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

SURVEILLANCE ENHANCED FACE RECOGNITION

Global Deployment of Finger Vein Authentication

How To Protect Your Credit Card Information From Being Stolen

welcome to liber8:payment

Use of biometrics to tackle ATM fraud

Smart Cards and Biometrics in Privacy-Sensitive Secure Personal Identification Systems

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION

Banking & Finance Policies and Procedures Manual (Extract)

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

Conformance test specification for BSI-TR Biometrics for public sector applications

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19

WORLD TRAVEL CARD TERMS & CONDITIONS

TRAVELLING SHOULDN T COST YOU THE EARTH USER GUIDE

Using Contactless Smart Cards for Secure Applications

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

Debit MasterCard. Conditions of Use. These are the conditions of use that apply to your Rabobank Debit MasterCard. You must read and retain them.

credit card Conditions of Use

BIOMETRIC AUTHENTICATION SECURITY AND USABILITY

ipayu TM Prepaid MasterCard FREQUENTLY ASKED QUESTIONS

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

FREQUENTLY ASKED QUESTIONS

DEBIT/ATM CARD APPLICATION

What the Future of Online Banking Authentication Could Be

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

CyberSource Payment Security. with PCI DSS Tokenization Guidelines

Prairie State Bank & Trust ELECTRONIC FUND TRANSFERS YOUR RIGHTS AND RESPONSIBILITIES

TECHNOLOGY WHITEPAPER

Transcription:

Biometrics for payments The use of biometrics in banking

Biometrics for payments Biometrics for payments The use of biometrics in banking The use of biometrics for authentication is nothing new. But historically, its use has been mostly concentrated in the government sector (such as for electronic ID and passports) and access control. More recently, a whole range of biometric applications are being released by various industry sectors. The number of people that uses some sort of biometry on a daily basis grows steadily; some analysts even predict that the size of the biometrics market will triplicate in the coming five years. One of the reasons of this popularity is the price. While in the past biometric systems were prohibitively expensive, technology has improved to the point that for less than $7 it is possible to install fingerprint scanners on a mobile phone such as in Apple s iphone 5S. In particular, the mobile and payments industry are paying more attention to biometric solutions. Many banks around the world have already implemented biometrics for customer authentication, in most cases in the form of fingerprint reading. Countries such as Brazil, India, Poland and Japan already support ATM cash withdrawals by means of biometrics, many other countries intend to follow the trend in the near future, especially in Asia and Africa. While security experts are cautious about the use of biometrics in the (extremely regulated) banking industry, banks are rolling-out biometric solutions as a countermeasure to two commonly faced problems: 1. Identity theft, mainly in the form of enrollment fraud, where a customer applies for a bank service or a credit line using a fake ID 2. Increasing frauds at ATMs, in particular, card trapping, use of lost & stolen cards or skimming (in regions that have not migrated to chip). By implementing biometrics systems, banks have managed to reduce losses due to identity theft to a level that quickly justifies the business cases for the implementation. In some cases, the losses could sum up to dozens of millions of dollars. One of the popular methodologies used to ensure that no applicant is registered twice is the Automated Fingerprint Identification System (AFIS), originally implemented by the FBI for criminal cases; nowadays it has been adapted for the banking industry as well, with a high degree of reliability. Once the bank already stores the biometric data of its accountholders in a database, it can also use biometrics for authentication when page 2

Biometrics in payments authorizing transactions. In this way, banks can not only safeguard against skimming or misuse of lost & stolen cards at ATMs, but also as a protection against legislations that makes financial institutions liable for withdrawals denied by the cardholder. While the above seems to justify the adoption of biometrics in the banking industry, one should be aware that the technology has not yet achieved an adequate degree of maturity. The following factors contribute to that: Security and reliability of the device Shortly after the release of the iphone 5S it was possible to fool the fingerprint scanner by copying the fingerprint of another person and creating an artificial or gummy finger which could be used to unlock the device. Fingerprint readers at ATMs are usually equipped with more sophisticated modules to perform live finger detection (LFD). Many of them use multi-spectral and multi-polarization analysis to detect whether the material has the physical structure of a real finger. But this is not an exact science. The reliability of a fingerprint is always a trade-off between the False Rejection Rate (FRR) and the False Acceptance Rate (FAR). Also, the relationship between the FRR and FAR is not unique and depends on various factors, which are still object of scrutiny by scientific experiments and proof of concepts. The false acceptance can, for instance, be increased by ingenuous attacks. Every year, better attacks are published, and better readers and LFD modules are produced. This is good news, but also a warning sign. Although most of the implementations in the banking industry still rely on the fingerprint as the biometric characteristic, the vein structure of hands or fingers is gaining popularity, as it is an equally convenient method, but much more difficult to forge than fingerprints. Also, the vein recognition technology tends to have a much lower FAR then fingerprints. A combination of fingerprint and finger vein recognition may prove to be an even stronger method, but is technologically more complex. It is not only the device Most of the media and academic attention are paid to the falsification of the biometric trait, such as replicating a fingerprint. But after the capture, this trait is transformed into a digitized data. So, the question is, how is this digitized data protected? If one can make a copy of this data, one can pose as the person providing it. Although there is a strong history and culture of physical and logical security for PINs and card data, it is not the same for biometric data. Furthermore, one of the reasons why the financial industry in developed countries is not ready to adopt biometrics is the need to comply with strict personal data protection regulation, such as the European General Data Protection Regulation (GDPR). The risk of compromise of biometric information stored in a centralized database is real and non-acceptable for the Security Officer of many banks. The liability arising from data leakage due to an attack is also difficult to estimate. Recently there have been repeatedly attacks on payment systems; a recent example is the breach of 70 million customer s credit card data of the American retailer Target. page 3

Biometrics in payments Besides the financial loss, banks react to such compromise by re-issuing the card. In case of biometrics, the customer fingerprint cannot be re-issued. Furthermore, some banks do store the full biometric data in their databases, and not only the trait or template. This is done in order to avoid vendor-lock in, as the template is vendor-dependent, while the fingerprint is not. Having the fingerprint database compromised, could affect the customers in all government and industry sectors that rely in the fingerprint, which is a threat of unpredictable liability. Lack of standardization Although the standardization of the representation, interoperability and quality of biometric data has improved in the last years, there is still no widely recognized standard to validate the security of the biometric data for payments. Although there are some organizations that do provide validation of biometric solutions, the methodology and security requirements do not have the same degree of scrutiny of those traditionally used by the card payments industry. As it is usually the case, a biometric system is just as secure as its weakest link. Therefore security standards and security evaluation should cover the whole chain including service enrollment, usage, transmission and storage of biometric traits, and all devices that participates in this process. Standardization bodies, such as ISO, NIST and BSI are regularly releasing biometrics standards, but an industry-wide recognition is still to be seen. Conclusion Biometrics is easy and convenient to the customer and, when used properly, can be secure as well. One must realize, however, that biometrics is not a remedy for all problems. Understanding how it works, when to use and when not to use is essential. For example, the two problems discussed in this note require quite different approaches: The use of biometrics as a form of identification, such as to prevent the enrollment fraud, requires the comparison of one biometric reference to many biometric references stored in the system (1:N). In this case, the false acceptance rate (FAR) plays an important role. On the other hand, the use of biometrics in order just to authenticate a customer, such as to prevent frauds at ATMs requires the comparison of one biometric feature to just one reference feature stored in the system (1:1), as the customer was already identified by using other means. There are a plethora of different architectures and designs used by the banks that have implemented biometry. However, the banking industry still needs to agree on a comprehensive set of robust standards for security and testing. This will be crucial to leverage the strengths of biometrics for payment processing and customer enrollment. As it is usually the case, a biometric system is just as secure as its weakest link. Therefore security standards and security evaluation should cover the whole chain including service enrollment, usage, transmission and storage of biometric traits, and all devices that participates in this process. page 4

Contact details UL Transaction Security info@ul-ts.com www.ul-ts.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information