Biometrics in the Banking Industry

1
Biometrics in the Banking Industry

• Steve Krawczyk
• Corinne Michaud
• CSE 891
• Spring 2005

2
Overview

• Current authentication systems
• Gateways for biometrics
• Biometrics being used
• Fingerprints
• Signature
• Vein Pattern
• Hand Geometry
• Voice
• Future directions

3
Current Authentication Systems

• Online Authentication
• Name and Password
• Bank Authentication
• Token based
• ID Card
• Signature

4
Fraud in Banking

• Internal fraud
• Employees attempting to withdraw money from a
  customers account without their consent
• External fraud
• An individual assumes the identity of a customer
  of the bank in order to withdraw money from the
  account
• One in twelve online consumers surveyed said they
  have been victims of identity theft2
• 1.13 percent of all online transactions are lost
  to fraud2
• Estimates have shown that 70 of fraud is
  internal1
• Financial institutions in the United States lose
  about 12 billion a year in check fraud (US News
  World Report 2001)

1Atalla Inc hardware security division of
HP 2Gartner Stamford, Connecticut (January 2004)
5
Fraud Examples

• On 3 February 2005, a Miami businessman filed
  suit in a U.S. circuit court against Bank of
  America (BoA).
• He claimed BoA failed to adequately protect him
  against risks related to the online theft of
  90,000 from his small-business bank account
• Online thieves launched a wire transfer out of
  his account using access credentials stolen from
  his infected PC.
• Most regulations for bank accounts, established
  before the age of cyber crime, dont account for
  such activity.
• The customer had reportedly installed a firewall,
  but the thief got through anyway

6
Fraud Examples

• One con, while in jail serving a state prison
  term for credit-card theft, actually perpetrated
  yet another credit card scam over a seven month
  period, using a technique that allowed him to
  hide the fact that he was calling from jail
• He would start off by calling the county-run
  nursing home saying he was a Bell Atlantic
  technician to connect to an outside line
• He then called businesses to get names and phone
  numbers of customers
• He tricked the customers to give him personal
  information
• He then requested credit cards using this
  information to make about 25,000 worth of
  purchases

7
Internal Fraud Example
8
Gateways for Biometrics

• Transaction Security
• Securing client transactions and protect their
  privacy either remotely or onsite
• Network Security
• Security of the banks infrastructure, controls
  what activities specific individuals or job
  functions have access to
• Access Control
• Protecting the physical security of facilities
  (vaults, safety deposit boxes)
• Background Checks
• Protect against internal fraud and illegal
  transactions with applicant background checks

9
Current Biometric Systems
10
Current Systems
11
Fingerprints

• Most commonly used biometric in the banking
  industry
• Used in all areas of the banking industry
• Transaction security
• Network security
• Access control
• Background checks
• Advantages
• Equipment is cheap
• Highly accurate
• Disadvantages
• Criminal stigma
• Universality

12
Fingerprint (Transaction Security)

• Goal enable clients to authenticate themselves
  before any transactions are made on their account
• Enroll customers when the account is created with
  their fingerprint
• When wishing to access their account, they must
  first provide their fingerprint to be verified
• No ID card is needed
• Provides non-repudiation
• Uses
• In bank, ATM, kiosk, online

13
Example

• Banco Azteca the first bank to be opened in
  Mexico since 1995
• Allow people with limited incomes that live in
  poor and rural communities to establish a bank
  account for the first time.
• Sparseness of banks
• No form of authentication (drivers license)
• Account ID cards were often lost or stolen
• Digital Persona technology was used to protect
  accounts using fingerprints
• 1.2 million customers of Grupo Electra are
  enrolled
• Many customers were farmers and construction
  workers whose prints were damaged and worn
• 1 out of 4 people failed to enroll because of low
  quality prints

14
Fingerprint (Network Security)

• Protect against internal fraud (employees
  tampering with the system)
• Enroll and authenticate bank employees before
  they can access the banks network to perform a
  transaction

15
Example

• Bank of Central Asia (BCA) in Indonesia has
  around 8 million customers throughout the country
• Incorporated Identix fingerprint systems to
  secure the processing of high-value electronic
  fund transactions
• If a large transfer is initiated, the teller and
  possibly a supervisor need to be authenticated by
  the system before the teller can finalize the
  transaction
• Non-repudiation the teller cannot deny
  performing the transaction
• Duress finger
• If under duress, the teller can authenticate with
  a duress finger (alerting the police)

16
Fingerprint (Access Security)

• Instead of using a key or card to for access, use
  a fingerprint
• Access to the bank, vaults, safety deposit boxes

17
Example

• Deutche bank is a European financial service
  provider with 65,000 employees
• Installed AC Controls security to establish
  biometric access to their building
• Fingerprint readers determine who can enter their
  offices and also restricts what areas each person
  can access
• Problem
• A one day visitor would need to enroll with the
  bank, to gain access to parts of the building
• Consumers may be reluctant to enroll their
  biometrics with multiple organizations
• Morpheus technologies develop a network of
  secure, licensed enrollment facilities
• Standardization Interoperability

18
Fingerprint (Background Checks)

• Submit requests for backgrounds electronically
• Background checks ensure the integrity of the
  employee base

19
Example

• ING Direct installed live-scan fingerprint
  readers that channel electronic submissions to
  the FBI IAFIS database (Identix)
• Before background checks took 4-5 weeks
• While waiting, the prospective employee would be
  trained
• If the results effect the hiring, much money was
  wasted during training
• Now, checks can be done in 4-5 days
• Able to wait this period before training

20
Voice

• Main advantage over fingerprints
• Works remotely (by phone), without special
  readers
• Used for transaction security
• Verifying the customer is the rightful owner

• Disadvantage
• Can be affected by outside noise

21
Example

• Banco Bradesco, South Americas largest private
  bank
• Incorporated Nuance technology to deploy a
  speech-enabled bill payment system
• Can handle more than 300 simultaneous callers
• Bill Payment
• Enroll (account number)
• Verify Speak their account number
• Read the 48 digit bar code on the bill
• Then the system, extracts the payee, customer
  name, due date, and the payment amount
• Able to recognize accents and dialects of all
  Portuguese speakers in Brazil

22
Example

• Chase Manhattan Bank
• In bank transactions
• Enroll with a standard phrase
• When entering the bank
• Go to a podium housing a modified telephone
• Swipe the bank card (identification)
• Speak the standard phrase (verification)
• Receive a receipt to present to teller
• Able to pull the customers file before they get
  to the teller
• Performance
• Reported False Reject Rates of 2

23
Signature as a biometric

• One of the most ancient forms of identification
• Sumerians used intricate seals applied to clay
  cuneiform tablets to authenticate their writings.
• Documents were authenticated in the Roman Empire
  (AD 439) by affixing handwritten signatures to
  the documents.
• In 1677 England passed a an act to prevent frauds
  and perjuries by requiring documents to be signed
  by the participating parties.
• Non-invasive, universal, and highly unique to all
  users
• Fast and easy to enroll and verify users no
  need to learn new skills

http//www.flnotary.com/PrintForms.asp
24
Signature as a biometric

• False reject rates may be high
• Dynamic nature of signatures can make it
  difficult for the user to match the template
• Spoofing the system may be easy
• If the system allows for too much fluctuation,
  forgeries will be more successful

http//www.flnotary.com/PrintForms.asp
25
Signature recognition at work

• Bank Hapoalim, Israel
• Goals of choosing a biometric system
• Increasing security
• Convenience to customers
• Saving time, money, and manpower

www.bankhapoalim.com http//www.signature-perfect.
com/uk/f_left.htm
26
The Penflow System

• Analyzes speed, pressure, acceleration, and
  rhythm
• Able to adapt to the dynamic nature of the
  signature and update the users profile
• Performs 40 verifications per second
• Storage size of less than 1KB

http//www.dealtime.com/xPF-Interlink_EPAD_INK_W_E
SIGN
27
Penflow at Bank Hapoalim

• Increases security by verifying customers prior
  to transactions
• Allows customers to be verified at any branch or
  remote location
• Applications will be extended for use with PDAs,
  home computers, and other remote locations

28
Applications of Signature Recognition
http//www.eyenetwatch.com/biometric_users/Bank_Ha
poalim_Case_Study.htm
29
Vein Pattern Recognition Advantages

• Highly unique to every individual
• Patterns are formed at birth and remain constant
  throughout ones lifetime
• Rapid, non-invasive enrollment and verification
  procedures
• Works only on living, vascularized hands

30
Vein Pattern Recognition Disadvantages

• Injuries or deformations to the hand may cause
  failure to enroll
• Systems which require contact may be considered
  invasive/unhygienic
• Some systems still require PIN or other
  identification

31
Vein Pattern Recognition

• Hand is positioned over a scanner, which
  illuminates the palm with infrared light
• Hemoglobin in the veins absorbs the light, making
  the web of veins appear black
• The vein pattern is extracted from the image and
  compared to the stored template

32
Vein Pattern Recognition
î
ì
http//www.jetro.go.jp/en/market/trend/market/docs
/2005_02_palms.html
33
Vein Pattern Recognition At Work

• Bank of Tokyo-Mitsubishi
• Chose vein pattern recognition, coupled with
  smartcards, to increase security of teller and
  ATM transactions
• Suruga Bank
• Chose vein pattern recognition to increase
  security of over the counter transactions

34
Fujitsu Vein Pattern Scanner

• Contactless design
• Lighting, positioning, and height tolerant
• Testing of 700 subjects/1400 palms
• FRR of 1
• FAR of 0.5
• EER of 0.8

http//pr.fujitsu.com/en/news/2003/03/31.html
35
Vein Pattern RecognitionAt Work

• Southeast Asia
• Several international financial institutions have
  implemented vein pattern recognition systems from
  VeID Ltd.

36
VeID Vein Recognition System

• Uses infrared light across the back of the hand
• Contactless
• Usability of 99.98
• FAR of 0.0001
• FRR of 0.1

http//www.veid.net/default.htm
37
VeID Vein Recognition System
http//www.veid.net/Product/default.htm
38
VeID Vein Recognition System

• The VPII has been implemented at banks across
  Southeast Asia
• Applications include
• Transaction security
• Employee access
• Safety deposit box access
• Network/database access

39
Hand Geometry
40
Hand Geometry

• Based on measurements of the hand
• Robust to environmental changes
• Easy to use
• Ageing, deformities may affect verification

http//www.biometricsolutions.com.au/Hand20Geomet
ry.htm
41
Hand Geometry At Work

• One of the oldest biometric systems
• Shearson-Hamill Investment Bank
• Implemented the Identimat Hand Geometry system in
  the 1960s for employee attendance
• This system remained in commercial use for over
  20 years

42
Hand Geometry At Work

• Diebold, Inc partners with Recognition Systems
• Hand Geometry systems were incorporated into
  Diebolds safety deposit vaults
• This system eliminates the need for keys, PINs,
  and assistance from bank personnel

43
Hand Geometry At Work

• FirstBank Puerto Rico
• Installed IR Recognition System HandPunch
  terminals at all branches
• Employees must swipe an ID card and verify with a
  hand scan to punch in and out of work
• Attendance and tardiness have been cut down, as
  well as labor devoted to monitoring these problems

44
Hand Geometry At Work

• As I told the employees, there are no excuses
  with the HandPunch. Your hand is your
  credential. You can forget a card but you cannot
  forget your hand. - Aida Garcia, first
  vice-president and director of human resources,
  FirstBank, Puerto Rico

http//www.recogsys.com/news/casestudies/cs08.htm
45
Conclusions

• Biometrics are already being used in banks around
  the world
• North and South America, Europe, and Asia
• Biometrics being used include
• Fingerprints
• Signature
• Vein Pattern
• Hand Geometry
• These systems can be applied to virtually every
  aspect of the banking industry
• Transaction Security
• Employee attendance
• Network and Database Security
• Access to facilities
• The banking industry is very reluctant to change
  its existing infrastructures
• It is expected that biometrics will take longer
  to be incorporated into the banking practices

46
References
http//www.eyenetwatch.com/biometric_users/Bank_Ha
poalim_Case_Study.htm http//www.penflow.com/ http
//pr.fujitsu.com/en/news/2003/03/31.html http//w
ww.veid.net/Product/default.htm
http//www.findbiometrics.com/Pages/financial_art
icles/financial_3.html http//www.recogsys.com/new
s/casestudies/cs08.htm http//www.tml.hut.fi/Opinn
ot/Tik-110.501/1998/papers/12biometric/biometric.h
tm