In the film Minority Report, Tom Cruise undergoes dangerous eye replacement surgery in order to hoodwink the countless retina scanners of the year 2054. Such surgery might not (yet) be an option in 2015, but we certainly have not been made to wait another 40 years for a world rife with biometrics.
Biometrics refers to technology whereby a person’s identity is verified by their biological attributes – facial structure, voice patterns, retinas and fingerprints.
Biometric authorisation spans the width of the economic spectrum. Those who own the latest iPhone make use of a fingerprint scanner whenever they unlock it.
On the other side of the poverty line, the South African Social Security Agency (SASSA) possesses the fingerprints and voice data of its roughly 15 million social grant beneficiaries, who will have received a biometrically verified annual sum of R410 billion by the end of the financial year.
Biometrics and banks
A fraud-infested, security-inhibited part of most of our lives – in dire need of biometric salvation – is banking.
Existing call-centre verification questions – requesting ID numbers, and mothers’ maiden names – are tedious and relatively easy to work around: personal data is often unknowingly accessible on social networks or can be bought and sold on the black market. It is frightfully easy for criminals to pretend they’re you.
Private banking titan Investec has announced that it will soon offer real-time biometric verification to its clients. Instead of answering the conventional questions, the software will recognise your voice to verify your identity.
“The voice, like a fingerprint, is unique – it doesn’t change. The technology has matured very nicely. The first couple of times [that you call], we build a voice print for you, and in the future when you call we compare it to the existing voice print,” says Craig West, head of Investec’s Global Client Support Centre. “Every bank worries about security. If you’re not who you say you are, the technology will know.”
The reasons for using biometrics are twofold: “One reason is to improve the client experience. The second is to enhance security.” West adds that these two factors are closely linked. Consumers’ experience will be enriched, since they can authenticate their calls simply by “utilising a normal discussion”.
Internet banking lags behind
This technology is unfortunately not yet available for the bankers’ most vulnerable sphere: online banking.
Internet banking has been susceptible to fraudsters because its geographic possibilities are as endless as the Internet’s, and because it makes use of “static” values – values that do not change – for passwords. If a criminal learns your PIN or password, he enjoys unlimited access until you become aware of the breach – often long after you could have remedied it.
Johan Gerber, group head of Processing Product Management at MasterCard, explains how the industry is trying to combat this: “We want to get to a point where we use dynamic values, not static values.” This method of using an ever-changing keyword to gain access is called tokenisation.
Banks have implemented procedures that use these dynamic values. Absa sends a randomly generated TVN or RVN (Transaction/Random Verification Number) to your registered mobile number, and you are required to enter it when adding a new beneficiary or paying one for the first time. It also sends you an SMS notification when your Internet banking account is being accessed.
Most of the other retail banks use similar cellphone-centred verifications, such as confirmation based on responding to a text message alert.
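The difference between a static password and a dynamic verification number, as an added example that is not part of the original article or any bank's code: a random code is issued per transaction, works once, and expires. The class name, transaction ids, six-digit length and five-minute lifetime are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window; the article gives none


class VerificationCodes:
    """Hypothetical bank-side store of one-time codes, keyed by transaction."""

    def __init__(self, clock=time.time):
        self._pending = {}  # txn_id -> (code, expires_at)
        self._clock = clock

    def issue(self, txn_id):
        """Generate a random 6-digit code for one transaction (delivered by SMS)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = (code, self._clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, txn_id, submitted):
        """Accept a code once, only for its own transaction, only before expiry."""
        entry = self._pending.pop(txn_id, None)  # any attempt consumes the code
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(code, submitted)  # constant-time comparison


def demo():
    """Constructed scenario with a fake clock so the expiry case is repeatable."""
    now = [1000.0]
    store = VerificationCodes(clock=lambda: now[0])
    code = store.issue("add-beneficiary-1")
    wrong_txn = store.verify("add-beneficiary-2", code)  # code belongs to txn 1
    first_use = store.verify("add-beneficiary-1", code)
    replay = store.verify("add-beneficiary-1", code)     # stolen code, reused
    late_code = store.issue("add-beneficiary-3")
    now[0] += CODE_TTL_SECONDS + 1
    expired = store.verify("add-beneficiary-3", late_code)
    return wrong_txn, first_use, replay, expired
```

A learned static password would pass every one of these checks for as long as it stays unchanged; here only the first in-time use on the right transaction succeeds.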
These methods of tokenisation have reinforced banking security since their introduction, but most of them are based on the outdated assumption that you are banking from a computer.
Internet banking and cellphones are no longer mutually exclusive. According to Ernst and Young’s Global Commercial Banking Survey of 2014, 66% of African users use mobile devices for banking. If someone has both your phone and passwords, you are completely exposed.
Biometric authentication is then a strong candidate to combat these weaknesses. Its appeal lies in its simplicity. Additional security measures typically slow down the process of payment or log-on, to the detriment of the consumer’s experience.
“Normally, if you increase consumer experience you increase risk exposure, but biometric verification flips this whole thing on its head. It places no burden on the consumer,” says Gerber.
This authorisation will assist other sectors at risk. Per the 2014 Card Fraud Statistics of the South African Banking Risk Information Centre (SABRIC), losses due to credit card fraud were 23% higher in 2014 than in 2013. Card security would be bolstered by biometric authorisation.
MasterCard recently completed its testing of a beta-version mobile app with voice and facial recognition used by a test group of employees in an e-commerce environment. Its success rate was 98%.
This means only 280 out of the 14 000 transactions were unsuccessfully verified.
Biometrics itself is not foolproof. According to an article by Tom Olzak, author of Enterprise Security: A Practitioner’s Guide, the biometric crux is to find the right balance between false positives and false negatives.
A system that is too lenient in accepting a reading might grant unpermitted access. Conversely, if the security is too strict, even the valid entrants could be rejected.
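The balance described above, as an added example that is not part of the original article: a sweep of the match threshold over constructed similarity scores, measuring the false accept rate (FAR) and false reject rate (FRR) at each setting. The scores, thresholds and function names are assumptions chosen for illustration.

```python
# Constructed similarity scores (0..1) from a hypothetical voice or face matcher.
# GENUINE: attempts by the real account holder. IMPOSTOR: attempts by someone else.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.73, 0.90, 0.86, 0.68]
IMPOSTOR = [0.35, 0.52, 0.61, 0.28, 0.70, 0.44, 0.75, 0.39, 0.58, 0.47]
THRESHOLDS = [0.50, 0.60, 0.70, 0.80, 0.90]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    false_accepts = sum(s >= threshold for s in impostor)
    false_rejects = sum(s < threshold for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds=THRESHOLDS):
    """One (threshold, FAR, FRR) row per setting, lenient to strict."""
    return [(t, *error_rates(t)) for t in thresholds]


def equal_error_threshold(thresholds=THRESHOLDS):
    """Setting where FAR and FRR are closest (approximate equal error rate)."""
    def gap(t):
        far, frr = error_rates(t)
        return abs(far - frr)
    return min(thresholds, key=gap)


def strictest_within_frr(max_frr, thresholds=THRESHOLDS):
    """Strictest setting that still rejects no more than max_frr of valid users."""
    usable = [t for t in thresholds if error_rates(t)[1] <= max_frr]
    return max(usable) if usable else None


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("closest to equal error rate:", equal_error_threshold())
    print("strictest with FRR <= 10%:", strictest_within_frr(0.10))
```

On this sample, loosening the threshold to 0.50 admits half of the impostor attempts, while tightening it to 0.90 turns away six in ten genuine users.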
Unless it works faultlessly, users will refuse the technology. If there is no work-around, companies will lose business.
The consequences for consumers of erroneously granted biometric access are graver still: astronomical fraudulent credit card charges and purged savings accounts.
Banking and card security systems must be universal. The same credit card is often used in various countries. If one card transaction is subject to biometric authorisation in one place, this needs to work everywhere. “We set standards at global level,” Gerber explains.
“We are in discussions as an industry with banks in order to put a road map in place for the South African market,” says Gerber.
Republished with permission from Moneyweb