Biometric banking

By Catherine Bolgar

The next frontier for security is likely to arrive at your bank soon: biometric verification of your identity—and you may or may not be aware of it. The global banking sector is expected to spend $2.2 billion (€1.9 billion) on biometrics this year, according to Biometrics Research Group Inc.

Fingerprints, facial recognition and iris patterns are among the methods that could be used, thanks in large part to smart phones that already use fingerprints and that have cameras that can capture information for the second two. Other methods include vein patterns (in fingers, in palms and on the back of one’s hands) and even a solution under development that recognizes the ear cavities of a person by the resonance of sound, says Christy Lin, analyst with TrendForce, a Taipei-based provider of market intelligence on technology industries.

Issues include the cost, ease of use and the amount of time needed to capture the biometric, says Anil Jain, professor of computer science and engineering and head of the biometrics research group at Michigan State University in East Lansing, Michigan. Fingerprints and facial and voice recognition are convenient already. The iris is very accurate and becoming more convenient as more phones incorporate iris readers.

Authorization is faster than presenting a card to a sales clerk and having them swipe it,” says Jain. “It takes three to five seconds.”

There are two ways to create the link between you and your payment data for biometric payments, says Lorenzo Gaston, technical director at the Smart Payment Association, an industry group based in Munich. In either case, a biometrics device captures your biometrics—for example, taking a picture or a fingerprint—then digitizes it, and compares it with biometrics you already registered and enrolled with your payment data.

In one case, you use a device that stores your original biometrics. “Typically, it’s a chip card and it decides whether biometrics captured are close enough to what was enrolled the first time for that particular person,” Mr. Gaston says. The storage device also could be a secure element in your mobile phone. This is similar to using a super-PIN, which is stored only in your personal device under your exclusive control.

A second way is to send the captured biometrics information to an online database storing all the enrolled biometrics data from the users. In that case, a remote server decides whether the right person is gaining access. “The problem in that case is the biometrics are stored in a central database. Biometrics [is] considered very personal information. If somebody manages to hack into that, they can impersonate you,” he says. Resolving the problem could be tricky.

You can change a password, but you cannot change your face or your fingerprint.”

Alternatively, a hacker might change the information, replacing the real biometrics with the hacker’s.

“Online databases must have very strict access-control mechanisms,” Mr. Gaston says. That’s why from a security and privacy perspective, the storage and comparison of the biometrics in your personal tamper-resistant device (chip card, secure element in a mobile phone) is by far a preferable solution, he says.

Financial institutions have tight enough security that breaking in involves a significant investment of time and money, and encryption can further tighten safety, says Darci Guriel, professor of computer information technology at Northern Kentucky University in Highland Heights, Kentucky.

As a result, the people trying to break into accounts aren’t aiming for mass hacking but are grifters, targeting one account at a time. “They’re looking for the weakest link, and the weakest link in banking is people,” Prof. Guriel says.

That could mean winning over a customer-service agent to get a PIN reset. Or finding enough information online to be able to answer private questions necessary to change a password. The elderly often are targeted.

“Biometrics are there to help,” she continues. “To break into a single account at a time, nobody is going to have plastic surgery.”

Some things about you don’t change with age or even surgery—the space between your eyes and that across the bridge of your nose is unique, as is the depth of your eye sockets. For a voice, the sinus cavity and vocal cords don’t change. “The pitch might change, the tone might change, but the physical attributes—which are what get measured—stay the same,” Prof. Guriel says.

Banks probably already have or can easily get your biometrics, she notes. ATMs have cameras. Phone calls are recorded. They can find your picture online.

Some consumers worry that biometric authentication systems would be incapable of distinguishing between living and faked or preserved biological tissues, notes TrendForce’s Ms. Lin. “Biometric recognition systems that only authenticate living tissues would prevent the hypothetical scenario where criminals can use severed body parts (e.g., fingers) to steal money or access sensitive information,” she says.

Making fake biometrics isn’t easy, and phone companies—at the forefront of biometric technology—are making phones harder to spoof, Dr. Jain says. “You can’t just present a photo of me when it isn’t me live. Security is a cat-and-mouse game. Fraudsters will try to circumvent it, and security guys have to come up with ways to fix it.


Catherine Bolgar is a former managing editor of The Wall Street Journal Europe, now working as a freelance writer and editor with WSJ. Custom Studios in EMEA. For more from Catherine Bolgar, along with other industry experts, join the Future Realities discussion on LinkedIn.

Photos courtesy of iStock



Catherine Bolgar is a former managing editor of The Wall Street Journal Europe, now working as a freelance writer and editor with WSJ. Custom Studios in EMEA. For more from Catherine Bolgar, along with other industry experts, join the Future Realities discussion on LinkedIn.