This article in Bob’s Guide identifies several bank hacks that would have been prevented had a mix of authentication techniques that included biometrics been deployed:
“In 2016, HSBC introduced voice and touch ID security sytems to its millions customers in the United Kingdom. Barclays had tested voice systems in 2013 by introducing the systems to its 300,000 wealthiest customers first. Barclays reported that the time required to verify an identity dropped from 90 seconds to 10 seconds.
HSBC used Nuance Communications technology for its voice system. Nuance uses more than 100 unique voice identifiers, such as: speed, cadence, and pronunciation.
Unfortunately, with respect to public confidence in new systems, a BBC reporter and his twin brother fooled the voice system.
Instead of providing alternate methods for authentication, HSBC’s system permitted customer many attempts to become authenticated.”
Clearly would have also been wise to have an additional factor to fallback on, such as a PIN. The information provided on Palm Vein authentication is interesting, especially regarding the ability to store the vein pattern in a smartcard to eliminate the central storage of data that lures hackers:
“Fujitsu’s Palm Vein Authentication Technology has been used by banks for customer confirmation since 2004: Suruga Bank (2004), The Bank of Tokyo-Mitsubishi (2004), The Hiroshima Bank (2005), The Bank of IKEDA (2005). More banks have adopted the technology following the passage of the “Act for the Protection of Personal Information” (effective May 1, 2005).
Palm vein pattern authentication has the advantage of using data from inside a person’s body. Customers and employees do not touch the scanners, this keeps the scanners clean. From a test of 140,000 profiles of 70,000 individuals, Fujitsu reported a false acceptance rate of less than 0.00008% and a false rejection rate of 0.01%.
Suruga Bank stores the vein patterns on a server in its client-server system, enabling the bank to manage vein patterns. The Bank of Tokyo-Mitsubishi stores vein patterns in IC (smart) cards, enabling users to control access to the vein patterns. Banks can use the Fujitsu technology also for door security and for login authentication.
….. In Brazil, Banco Bradesco has reported more than 700 million ATM transactions without fraud using Fujitsu’s PalmSecure biometric readers in its ATMs. Customers can use a card or codes plus hand identification. By contrast, banks using passwords, PIN numbers, or identification cards have experienced fraud problems. The Brazilian social services agency accepts having persons receiving pensions via Banco Bradesco ATMs without presenting paper documents to the agency to prove that pensioners are still alive.”
Mercator has reported that biometrics will have a broad impact on the authentication landscape in several reports including “Behavioral Biometrics Will Restructure the Authentication Landscape in the Next 5–8 Years,” and “Biometrics: A New Wrinkle Changes the Authentication Landscape.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story here