Biometrics in Financial Services: Opportunities, challenges and emerging trends
2nd May 2006 Indra P. Chourasia

1. Summary Note

• The financial services industry has long struggled with identity and authentication issues in its business operations. According to a study conducted by the Federal Trade Commission (FTC), identity theft is considered one of the fastest growing types of consumer fraud in the US, with a total cost to businesses and consumers approaching $50 billion.

• With the emergence of e-commerce as a cost-effective business delivery tool, financial institutions are highly prone to fraud related to identity theft and account hijacking. This underlines the need for a reliable authentication platform to positively verify and authenticate who is actually at the other end of a transaction.

• Financial institutions are at risk not only externally but also internally, with an increasing risk of confidential information being stolen by employees or participants in transactions or services.

• New security-related regulations, together with heightened customer sensitivities and expectations in the post-9/11 scenario, have brought a strong focus on reliable and effective security measures in financial services operations.

• As a part of authentication, some form of credential presented by a user is checked to verify the user's claimed identity. Based on the number of credential types required, authentication is considered single-factor, two-factor or three-factor. Single-factor authentication in the form of passwords is often easy to guess, steal, or crack, leaving a legitimate user quite vulnerable. In addition, passwords, PINs, smart cards, tokens or public key infrastructure (PKI) as credentials tend to become increasingly cumbersome and complex means of authentication with each new authorization level granted to a user.

• As an appealing alternative to password, PIN and card oriented authentication, biometrics provides robust and reliable security by identifying the individuals themselves rather than any devices. Biometric technology involves an automated way to measure an individual's characteristics in order to recognize and verify the claimed identity. These technologies can be grouped according to the biometric characteristic used in the authentication process, i.e. measurable physical characteristics, behavioral traits or a mix of the two.

• Based on data collected by the International Biometric Group¹, the total size of the biometric market, which totaled around $1.5 billion in 2005, is growing to exceed $5.7 billion in over five years.

• The general trend in biometric implementation in financial services will continue to follow the typical phases of pilots, tests and limited point-based applications. These may initially involve employee-facing applications, followed by customer-facing applications. Considering many inherent barriers, industry-wide applications do not promise much in the short term.

• Limited awareness about the technology, issues relating to customer acceptance and intrusiveness, integration with legacy systems, industry standards and interoperability, difficulties inherent in centralized shared databases, the legal recourse framework and above all cost advantages are some of the major hurdles to rapid adoption of the technology.

• The cost of using the technology to effect a transaction will be an equally important determinant of early acceptance by customers. Biometric stability over a period of time, spoofing of biometrics and identity theft are some of the teething questions, answers to which are to be found in the coming years.

• Despite all the hurdles and challenges, usage and coverage of biometric applications is expected to continue growing in the coming years. With the final phase of technology evolution, biometrics is bound to be all-pervasive, touching all corners of the financial services infrastructure.

¹ International Biometric Group, LLC is a leading independent integration and consulting firm in the biometric industry, providing a broad range of services to government and private sector clients.

2. Authentication Issues in Financial Services Industry

The financial services industry has long struggled with identity and authentication issues in its business operations. In simple terms, authentication is the means of verifying the claimed identity of a person or entity. Closely associated with authentication is authorization, which determines the level of rights and privileges available to an authenticated user. Most of the financial transactions conducted by customers are governed by these two elements of identity management.

According to a study conducted by the Federal Trade Commission (FTC), identity theft is considered one of the fastest growing types of consumer fraud in the US. It was estimated that during 2003 almost ten million Americans were victims of identity theft, with a total cost to businesses and consumers approaching $50 billion.

Some other recent findings are equally unsettling and reveal a gaping hole in the authentication and verification strategy practiced by financial institutions. According to a study conducted by the Federal Reserve, company employees were found to be involved in more than 60 percent of bank fraud cases. Another study by Glenbrook Partners indicates that a top US bank reported over 30 percent of its losses from new account fraud stemming from repeat offenders – people who had defrauded the bank earlier.

With the emergence of e-commerce as a cost-effective business delivery tool, financial institutions have started relying heavily on a self-service model of business. In banking and payment systems, with Internet banking almost universally available, an increasing number of customers are using self-service transactions such as electronic banking, bill-payment services, payment authorizations and electronic transfers.

However, in the absence of a reliable authentication platform to positively verify and authenticate who is actually at the other end of a transaction, financial institutions are highly prone to fraud related to identity theft and account hijacking. An unauthorized user, by manipulating just a few key pieces of personal information (e.g., an individual's name, address, social security number, financial institution account number, computer log-on ID, or password) or by using stolen devices, can freely access a consumer's existing accounts and effect fraudulent transactions.

Financial institutions are at risk not only externally but also internally. By the very nature of their operation, which requires creating and maintaining a large repository of sensitive and private customer data, authentication and access to such data pose many challenges. Because of the increased networking of internal operations and the pervasiveness of huge customer databases, financial institution employees have access to more customer information than ever before. Some industry analysts and security professionals estimate that almost two thirds of identity theft cases are committed with confidential information stolen by employees or participants in transactions or services.

In the post-9/11 scenario, apart from a strong drive by national governments in the form of new security-related regulations, customer sensitivities and expectations regarding security issues are greatly heightened. This has brought a strong focus on reliable and effective security measures in financial services operations too.

3. Basic concepts of Authentication

Generally, as a part of authentication, some form of credential presented by a user is checked to verify the user's claimed identity. These credentials include:

• Something you know: most commonly a password or PIN.

• Something you have: most commonly a physical device such as a token, card, digital certificate etc.

• Something you are: most commonly a physical characteristic, such as a fingerprint, voice pattern, hand geometry, or the pattern of veins in the user's eye. This type of authentication is referred to as biometrics.

These credentials could be any of the above or a combination thereof. Based on the number of credential types required, authentication is considered single-factor, two-factor or three-factor. Single-factor authentication involves the use of one of the three authentication credentials listed above, most commonly a password. Use of a smart card or token along with a password is considered two-factor authentication. Three-factor authentication involves the use of all three credentials for verification.

Single-factor authentication is very common and is the method used by the vast majority of financial institutions for granting customers access to Internet-banking applications, and by the vast majority of businesses for granting employees access to computer networks. The main problem with single-factor authentication in the form of passwords is that they are often easy to guess, steal, or crack, and once a password is compromised the unauthorized user has the same access rights as the legitimate user. In addition, the legitimate user may not even know that his or her password has been compromised, since usually no physical evidence of the compromise exists.

There is growing realization within the industry that passwords, PINs, smart cards, tokens or public key infrastructure (PKI) as credentials meet the basic requirements but tend to become increasingly cumbersome and complex means of authentication with each new authorization level granted to a user.

4. Biometric Technology – an appealing option

As an appealing alternative to password, PIN and card oriented authentication, biometrics provides robust and reliable security by identifying the individuals themselves rather than any devices. Security experts have expressed the strong opinion that authentication strength increases when more than one type of credential is used. In the context of multifactor authentication, by adding one more factor to the authentication process, biometrics significantly improves and strengthens authentication.

Biometric technology involves an automated way to measure an individual's characteristics in order to recognize and verify the claimed identity. Biometric technologies can be grouped according to the biometric characteristic used in the authentication process, i.e. measurable physical characteristics, behavioral traits or a mix of the two.

4.1 Technologies involving physical Biometric characteristics

Key technologies involving physical biometric characteristics are:

• Finger Imaging: analyzes the unique pattern created by raised markings found on the tip of the finger.

• Facial Recognition: analyzes the geometry of the face, typically the statistical deviation of measurable facial features from the average or mean face; the heat generated by the flow of blood under the skin.

• Hand Geometry: analyzes the size and shape of the hand, usually measured from both a top view and a side view; optionally the unique pattern created by the blood vessels in the hand.

• Iris Scan: analyzes the coloured ring of tissue that surrounds the pupil on the surface of the eye.

• Retina Scan: analyzes the unique pattern created by blood vessels situated at the back of the eye (behind the pupil).

4.2 Technologies involving behavioral traits

Technologies involving behavioral traits mainly include Handwriting Analysis and Keystroke or Typing dynamics.

• Handwriting analysis: Signature verification analyzes the speed, velocity and pressure of the hand used by the user while signing the name.

• Keystroke or Typing dynamics: Measures the speed, pressure and cadence of an individual's keystrokes while typing on a keyboard.

4.3 Technologies involving physical characteristics as well as behavioral traits

Voice Recognition is one such technology involving both physical characteristics and behavioral traits of an individual. It analyzes acoustics derived from biological characteristics (vocal cords, nasal passages and mouth) together with behavioral traits (tone, cadence and pronunciation).

4.4 Biometric – How authentication works?

A generic biometric authentication system comprises two key processes: enrollment and authentication. During the enrollment process, biometric samples of a user are captured using a reader or scanning machine. Subsequently, the vendor's biometric algorithm is applied to the captured samples and the resulting template is stored along with other enrollment attributes for subsequent identity verification.

During the authentication process, when a user asserts an identity, a new sample is captured and, after the biometric algorithm is applied, the new sample template is compared with the stored template. If the comparison of these two files shows similarity within the defined limit of tolerance, the identity of the user is biometrically verified and authenticated. Due to inherent sampling error in capturing the biometric (for example, in finger imaging: different pressure, position, moisture, or dirt on the reader), templates do not exactly match. Thus, when a sample falls outside the defined tolerance limits, the application allows the user's biometric to be resampled for a certain number of attempts before rejecting the verification.

4.5 Biometric - Implementation considerations

In terms of ease of implementation and integration, accuracy of results, associated costs, interoperability of technologies and non-intrusiveness for the user, each of the technologies listed above has its own merits and associated challenges. Technologies involving finger imaging, facial recognition and hand geometry are considered non-intrusive and reasonably low-cost.
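
The enrollment and authentication flow described in section 4.4, as an added example that is not part of the original paper. A unit-length feature vector stands in for the vendor's biometric algorithm, and the tolerance, the attempt limit and all sample values are constructed assumptions.

```python
import math
from statistics import fmean

TOLERANCE = 0.15    # assumed: largest template distance still accepted
MAX_ATTEMPTS = 3    # assumed: captures allowed before verification is rejected

def extract_template(sample):
    """Stand-in for the vendor's biometric algorithm: scale to unit length."""
    norm = math.sqrt(sum(x * x for x in sample))
    if norm == 0:
        raise ValueError("blank capture")
    return [x / norm for x in sample]

def enroll(samples):
    """Enrollment: average the templates of several captures into one stored template."""
    templates = [extract_template(s) for s in samples]
    return extract_template([fmean(col) for col in zip(*templates)])

def verify(stored, capture, tolerance=TOLERANCE, max_attempts=MAX_ATTEMPTS):
    """Authentication: compare a fresh template to the stored one, resampling on failure.

    capture is a callable that returns one new sample per call.
    Returns (accepted, attempts_used). The attempt limit bounds how many
    captures a caller may present against one claimed identity.
    """
    for attempt in range(1, max_attempts + 1):
        candidate = extract_template(capture())
        # Templates never match exactly, so accept anything within tolerance.
        if math.dist(stored, candidate) <= tolerance:
            return True, attempt
    return False, max_attempts

def replay(samples):
    """Turn a list of constructed samples into a capture() callable."""
    return iter(samples).__next__

# Constructed sample data (not real biometric measurements).
ENROLLMENT = [[0.80, 0.35, 0.41, 0.22],
              [0.78, 0.37, 0.40, 0.24],
              [0.82, 0.34, 0.43, 0.21]]
CLEAN = [0.79, 0.36, 0.42, 0.23]      # same user, good capture
SMUDGED = [0.55, 0.60, 0.40, 0.30]    # same user, poor placement on the reader
OTHER = [0.30, 0.75, 0.20, 0.55]      # a different person

if __name__ == "__main__":
    stored = enroll(ENROLLMENT)
    print("genuine user:", verify(stored, replay([SMUDGED, CLEAN])))
    print("other person:", verify(stored, replay([OTHER] * 3)))
```
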

However, variations in environmental conditions and application settings may adversely impact the accuracy. In the case of facial recognition and hand geometry, aging and injury may particularly affect the result. Technologies involving iris scan and retina scan, while providing highly accurate results, are perceived as highly intrusive and require special and expensive hardware. Voice recognition is considered a highly non-intrusive technology with wider user acceptance. However, its reliability and accuracy may be affected by surrounding noise or when the user is suffering from a cold or has laryngitis. Fear of impersonation is a big concern in the minds of users of voice recognition technology.

5. Biometric Technology – Industry Outlook

Based on data collected by the International Biometric Group, the total size of the biometric market, which totaled around $1.5 billion in 2005, is growing to exceed $5.7 billion in over five years. (Source: International Biometric Group)

A figure depicting relative market share of various biometric technologies by revenue in year 2006 is presented below (Source: International Biometric Group)

6. Biometric Technology - Deployment areas in Financial Services

The general trend in biometric implementation in financial services will continue to follow the typical phases of pilots, tests and limited point-based applications. These may initially involve employee-facing applications, followed by customer-facing applications. There are discussions about industry-wide applications too. However, considering many inherent barriers, industry-wide applications do not promise much in the short term.

6.1 Employee-Facing Applications

Employee-facing applications control access and administer authentication for employees within in-house operations. These may include computer access, network access, application access, physical access, time and attendance, criminal record checks etc. Employee-facing applications can be used to refine the program and adjust usability features before biometrics is deployed in customer-facing applications.

6.2 Customer-Facing Applications

Presently, biometrics has been used in branches, mostly on a retail basis, to identify customers at tellers and to authorize transactions (also at ATMs and check-cashing kiosks). In the long term, biometric applications may involve many transactions, such as new account opening, customer identification in branches, non-customer check cashing in branches, high-risk transaction authorization, and tokenless ATM and Point of Sale (POS) transactions.

6.3 Industry-Wide Applications

While nothing much can be predicted with certainty about the success of industry-wide applications, some of the applications under discussion are POS applications, trusted traveler programs, national ID cards and enhancements to existing shared fraud databases to include biometric identifiers. Some of these applications involve comparison of a biometric sample with a template stored in some form on a card.
With very little prospect of success, applications involving central shared biometric repositories and facial recognition as an identification methodology may find some relevance over the long-term horizon.

7. Biometric Technology – Challenges and Future

As with many other emerging technologies, not all biometric technologies are ready for real-world implementation. A particular biometric technology cannot simply be a natural fit for any or every application setting. Many factors, such as environmental conditions, application settings, usability and response time, will greatly influence the adoption and success of a biometric implementation.

Limited awareness about the technology, issues relating to customer acceptance and intrusiveness, integration with legacy systems, industry standards and interoperability, difficulties inherent in centralized shared databases, the legal recourse framework and above all cost advantages are some of the major hurdles to rapid adoption of the technology.

In the context of the mass market, considering the lack of interoperability between vendors, the slow consumer adoption curve and the difficulties inherent in centralized shared databases, no significant progress is visible in the immediate future. The great hurdle that the lack of interoperable algorithms and templates poses to the evolution of mass-market customer-oriented applications may be crossed in the coming years, either through some form of government enforcement or through increased industry realization of its continued futility.

The cost of using the technology to effect a transaction will be an equally important determinant of early acceptance by customers. In order to encourage early adoption and usage, in all likelihood financial institutions may have to come forward and provide the technology to their customers free of charge or at deep discounts. Biometric stability over a period of time, spoofing of biometrics and identity theft are some of the teething questions, answers to which are to be found in the coming years.

Considering all these factors, no quick evolution of mass-market customer-oriented applications is visible in the immediate future. However, based on its inherent merit in terms of reliability, real-world operational performance and quantifiable cost benefit, biometric applications will continue making progress, mainly in niche customer-facing applications.

Despite all the hurdles and challenges, usage and coverage of biometric applications will continue growing in the coming years. With the final phase of technology evolution, biometrics is bound to be all-pervasive, touching all corners of the financial services infrastructure – starting from authentication of a high-risk multi-million dollar inter-bank transaction, to access to a local savings bank account, to effecting payment on the purchase of groceries at a supermarket.

8. References

• Biometric Market and Industry Review - a presentation by International Biometric Group at World Customs Organization, Brussels, Belgium (December 2005)

• Putting an End to Account-Hijacking Identity Theft - a study by Federal Deposit Insurance Corporation, Division of Supervision and Consumer Protection (December 2004)

• Biometrics in Financial Services - See Me, Hear Me, Touch Me - an advisory report by Glenbrook Partners (February 2003)

• Financial Institutions give biometrics a thumbs up - an article by Christine Barry, published on biometritech.com in May 2002

• www.biometritech.com

• www.biometricgroup.com