
Biometrics in the Banking Industry

Steve Krawczyk, Corinne Michaud
CSE 891, Spring 2005

Current authentication systems
Gateways for biometrics
Biometrics being used:
Fingerprints
Signature
Vein Pattern
Hand Geometry
Voice

Future directions

Current Authentication Systems

Online Authentication
Name and Password

Bank Authentication
Token based
ID Card


Fraud in Banking
Internal fraud: employees attempting to withdraw money from a customer's account without their consent
External fraud: an individual assumes the identity of a customer of the bank in order to withdraw money from the account
One in twelve online consumers surveyed said they have been victims of identity theft [2]
1.13 percent of all online transactions are lost to fraud [2]
Estimates have shown that 70% of fraud is internal [1]
Financial institutions in the United States lose about $12 billion a year in check fraud (US News & World Report 2001)

[1] Inc: hardware security division of HP
[2] Gartner: Stamford, Connecticut (January 2004)

Fraud Examples
On 3 February 2005, a Miami businessman filed suit in a U.S. circuit court against Bank of America (BoA). He claimed BoA failed to adequately protect him against risks related to the online theft of $90,000 from his small-business bank account.
Online thieves launched a wire transfer out of his account using access credentials stolen from his infected PC.
Most regulations for bank accounts, established before the age of cyber crime, don't account for such activity.
The customer had reportedly installed a firewall, but the thief got through anyway.

Fraud Examples
One con, while in jail serving a state prison term for credit-card theft, perpetrated yet another credit card scam over a seven-month period, using a technique that allowed him to hide the fact that he was calling from jail
He would start off by calling the county-run nursing home, saying he was a Bell Atlantic technician, to connect to an outside line
He then called businesses to get names and phone numbers of customers
He tricked the customers into giving him personal information
He then requested credit cards using this information to make about $25,000 worth of purchases

Internal Fraud Example

Gateways for Biometrics

Transaction Security
Securing client transactions and protecting their privacy, either remotely or onsite

Network Security
Security of the bank's infrastructure; controls what activities specific individuals or job functions have access to

Access Control
Protecting the physical security of facilities (vaults, safety deposit boxes)

Background Checks
Protect against internal fraud and illegal transactions with applicant background checks

Current Biometric Systems

Current Systems

Most commonly used biometric in the banking industry
Used in all areas of the banking industry:
Transaction security
Network security
Access control
Background checks

Equipment is cheap
Highly accurate

Criminal stigma
Universality

Fingerprint (Transaction Security)

Goal: enable clients to authenticate themselves before any transactions are made on their account
Enroll customers when the account is created with their fingerprint
When wishing to access their account, they must first provide their fingerprint to be verified
No ID card is needed
Provides non-repudiation
Uses: in bank, ATM, kiosk, online

Banco Azteca: the first bank to be opened in Mexico since 1995
Allows people with limited incomes who live in poor and rural communities to establish a bank account for the first time
Sparseness of banks
No form of authentication (driver's license)
Account ID cards were often lost or stolen

Digital Persona technology was used to protect accounts using fingerprints

1.2 million customers of Grupo Elektra are enrolled

Many customers were farmers and construction workers whose prints were damaged and worn
1 out of 4 people failed to enroll because of low quality prints

Fingerprint (Network Security)

Protect against internal fraud (employees tampering with the system)
Enroll and authenticate bank employees before they can access the bank's network to perform a transaction

Bank of Central Asia (BCA) in Indonesia has around 8 million customers throughout the country
Incorporated Identix fingerprint systems to secure the processing of high-value electronic fund transactions

If a large transfer is initiated, the teller and possibly a supervisor need to be authenticated by the system before the teller can finalize the transaction
Non-repudiation: the teller cannot deny performing the transaction

Duress finger
If under duress, the teller can authenticate with a duress finger (alerting the police)

Fingerprint (Access Security)

Instead of using a key or card for access, use a fingerprint
Access to the bank, vaults, safety deposit boxes

Deutsche Bank is a European financial service provider with ~65,000 employees
Installed AC Controls security to establish biometric access to their building
Fingerprint readers determine who can enter their offices and also restrict what areas each person can access

A one-day visitor would need to enroll with the bank to gain access to parts of the building
Consumers may be reluctant to enroll their biometrics with multiple organizations
Morpheus Technologies: develop a network of secure, licensed enrollment facilities
Standardization + Interoperability

Fingerprint (Background Checks)

Submit requests for background checks electronically
Background checks ensure the integrity of the employee base

ING Direct installed live-scan fingerprint readers that channel electronic submissions to the FBI IAFIS database (Identix)
Before, background checks took 4-5 weeks
While waiting, the prospective employee would be trained
If the results affect the hiring, much money was wasted during training

Now, checks can be done in 4-5 days

Able to wait this period before training

Main advantage over fingerprints: works remotely (by phone), without special readers
Used for transaction security
Verifying the customer is the rightful owner
Disadvantage: can be affected by outside noise

Banco Bradesco, South America's largest private bank
Incorporated Nuance technology to deploy a speech-enabled bill payment system
Can handle more than 300 simultaneous callers

Bill Payment
Enroll: (account number)
Verify:
Speak their account number
Read the 48-digit bar code on the bill
Then the system extracts the payee, customer name, due date, and the payment amount
Able to recognize accents and dialects of all Portuguese speakers in Brazil

Chase Manhattan Bank
In-bank transactions
Enroll with a standard phrase
When entering the bank:
Go to a podium housing a modified telephone
Swipe the bank card (identification)
Speak the standard phrase (verification)
Receive a receipt to present to teller

Able to pull the customer's file before they get to the teller

Reported False Reject Rates of 2%

Signature as a biometric
One of the most ancient forms of identification
Sumerians used intricate seals applied to clay cuneiform tablets to authenticate their writings.
Documents were authenticated in the Roman Empire (AD 439) by affixing handwritten signatures to the documents.
In 1677 England passed an act to prevent frauds and perjuries by requiring documents to be signed by the participating parties.

Non-invasive, universal, and highly unique to all users
Fast and easy to enroll and verify users; no need to learn new skills

Signature as a biometric
False reject rates may be high
Dynamic nature of signatures can make it difficult for the user to match the template

Spoofing the system may be easy

If the system allows for too much fluctuation, forgeries will be more successful

Signature recognition at work

Bank Hapoalim, Israel
Goals of choosing a biometric system:
Increasing security
Convenience to customers
Saving time, money, and manpower

Penflow system from WonderNet

The Penflow System

Analyzes speed, pressure, acceleration, and rhythm
Able to adapt to the dynamic nature of the signature and update the user's profile
Performs 40 verifications per second
Storage size of less than 1 KB

Penflow at Bank Hapoalim

Increases security by verifying customers prior to transactions
Allows customers to be verified at any branch or remote location
Applications will be extended for use with PDAs, home computers, and other remote locations

Applications of Signature Recognition

Vein Pattern Recognition Advantages

Highly unique to every individual
Patterns are formed at birth and remain constant throughout one's lifetime
Rapid, non-invasive enrollment and verification procedures
Works only on living, vascularized hands

Vein Pattern Recognition Disadvantages

Injuries or deformations to the hand may cause failure to enroll
Systems which require contact may be considered invasive/unhygienic
Some systems still require PIN or other identification

Vein Pattern Recognition

Hand is positioned over a scanner, which illuminates the palm with infrared light
Hemoglobin in the veins absorbs the light, making the web of veins appear black
The vein pattern is extracted from the image and compared to the stored template

Vein Pattern Recognition At Work

Bank of Tokyo-Mitsubishi
Chose vein pattern recognition, coupled with smartcards, to increase security of teller and ATM transactions

Suruga Bank
Chose vein pattern recognition to increase security of over the counter transactions

Fujitsu Vein Pattern Scanner

Contactless design
Lighting, positioning, and height tolerant
Testing of 700 subjects/1400 palms:
FRR of 1%
FAR of 0.5%
EER of 0.8%
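
An added example (not from the original slides) of how FRR, FAR and EER figures like those above are computed from match scores, and of the trade-off noted on the signature slides: a more tolerant threshold lowers false rejects but lets more forgeries through. The scores, thresholds and function names are constructed for illustration.

```python
"""FAR / FRR / EER from match scores. All scores below are constructed sample data."""

# Similarity scores in [0, 1]; higher means a closer match to the enrolled template.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.62, 0.93, 0.87, 0.74, 0.90]   # rightful users
IMPOSTOR = [0.30, 0.42, 0.55, 0.71, 0.25, 0.48, 0.66, 0.38, 0.81, 0.51]  # forgery attempts


def far(impostor, threshold):
    """False accept rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False reject rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine, impostor):
    """Return (threshold, FAR, FRR) at every observed score plus both extremes."""
    candidates = sorted(set(genuine) | set(impostor) | {0.0, 1.01})
    return [(t, far(impostor, t), frr(genuine, t)) for t in candidates]


def equal_error_rate(genuine, impostor):
    """Approximate EER: the operating point where |FAR - FRR| is smallest."""
    t, fa, fr = min(sweep(genuine, impostor), key=lambda r: (abs(r[1] - r[2]), r[0]))
    return t, (fa + fr) / 2


if __name__ == "__main__":
    # A tolerant threshold rejects no genuine users but accepts forgeries;
    # a strict one stops every forgery but rejects most genuine users.
    for label, t in (("tolerant", 0.60), ("strict", 0.90)):
        print(f"{label:8s} t={t:.2f}  FAR={far(IMPOSTOR, t):.0%}  FRR={frr(GENUINE, t):.0%}")
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER ~ {eer:.0%} at threshold {t:.2f}")
```

Vendor-reported rates depend on the test population and the chosen threshold, so FAR and FRR figures from different systems are only comparable at a stated operating point.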

Vein Pattern Recognition At Work

Southeast Asia
Several international financial institutions have implemented vein pattern recognition systems from VeID Ltd.

VeID Vein Recognition System

Uses infrared light across the back of the hand
Contactless
Usability of 99.98%
FAR of 0.0001%; FRR of 0.1%

VeID Vein Recognition System

The VPII has been implemented at banks across Southeast Asia
Applications include:
Transaction security
Employee access
Safety deposit box access
Network/database access

Hand Geometry

Hand Geometry
Based on measurements of the hand
Robust to environmental changes
Easy to use
Ageing, deformities may affect verification

Hand Geometry At Work

One of the oldest biometric systems:
Shearson-Hamill Investment Bank
Implemented the Identimat Hand Geometry system in the 1960s for employee attendance
This system remained in commercial use for over 20 years

Hand Geometry At Work

Diebold, Inc partners with Recognition Systems
Hand Geometry systems were incorporated into Diebold's safety deposit vaults
This system eliminates the need for keys, PINs, and assistance from bank personnel

Hand Geometry At Work

FirstBank Puerto Rico
Installed IR Recognition System HandPunch terminals at all branches
Employees must swipe an ID card and verify with a hand scan to punch in and out of work
Attendance and tardiness have been cut down, as well as labor devoted to monitoring these problems

Hand Geometry At Work

As I told the employees, there are no excuses with the HandPunch. Your hand is your credential. You can forget a card but you cannot forget your hand. - Aida Garcia, first vice-president and director of human resources, FirstBank, Puerto Rico

Biometrics are already being used in banks around the world:
North and South America, Europe, and Asia

Biometrics being used include:

Fingerprints
Signature
Vein Pattern
Hand Geometry

These systems can be applied to virtually every aspect of the banking industry:
Transaction Security
Employee attendance
Network and Database Security
Access to facilities

The banking industry is very reluctant to change its existing infrastructures

It is expected that biometrics will take longer to be incorporated into the banking practices