
March 19, 2009


Listed below are links to weblogs that reference Fingers, veins, eyeballs ... we know who you are:

Comments


Paulo Félix

Hi Chris,
Nice and interesting post. The fact is that, to my knowledge, biometrics are being used on a large scale in a few countries, such as Angola, where ID documents are scarce and not reliable, so banks use fingerprints and biometric devices to identify both their customers at cashier transactions and their own employees, to avoid internal fraud.

Another example is the Portuguese airports, where for a few years now you have had special channels to enter the boarding areas, where you serve yourself by inserting your hand and showing your face, and inserting your micro-chipped passport with your biometric data (hand, fingerprints, face). End of the queues...

So, biometrics is on the move. I just don't understand why smartphones don't yet "read" your prints or iris to ID the user for transaction authentication. Just an idea crossing my mind...

Regards,
Paulo Félix

Stephen Wilson

The vendor-reported performance specs for finger and hand vein recognition are indeed impressive, but need to be viewed with caution on at least two fronts.

Firstly and most generally, as the FBI pointed out in a set of authoritative research reports released last October, "For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment".
(see http://www.biometriccoe.gov/SABER/index.htm).

What's crucial is that almost all error rates are measured using the "Zero Effort Impostor" assumption, in which deliberate spoofing is ignored. That is, published error rates tell us nothing about how well these systems resist criminal attack. For biometric ATMs, surely resistance to deliberate spoofing should be top of mind.

Secondly, it is not possible in my experience to achieve false positives of 0.0001% and false negatives of 0.01% at_the_same_time. It is perhaps misleading to publish these figures without qualification.

Publicly available scientific testing of biometrics remains disappointingly rare. The British Government's Communications Electronics Security Group (CESG) was responsible for perhaps the only published "Detection Error Tradeoff" curves available for vein biometrics, in 2001. Prototype vein recognition in 2001 performed as follows:

========================================
Best False Reject Rate = 0.2%
Corresponding False Accept Rate = 70%

Best False Accept Rate = 0.001%
Corresponding False Reject Rate = 40%

Equal Error Rate 5%

Ref: FBI / MITRE TECHNICAL REPORT
State of the Art Biometrics Excellence Roadmap Technology Assessment: Volume 1 (of 3) Fingerprint, Palm print, Vascular, Standards, October 2008; v1.2, page 4-12.
==========================================

As mentioned, this was a prototype technology but you can see the fundamental tradeoff at work: to get false accept/detect down to one in 10,000 you inevitably get false detect/accept rates of maybe 1 in 10.

In an ATM, getting the false accept and false reject balance just right is a tough compromise between security and user convenience. It's important that the vendors publish the Detection Error Tradeoff curves, rather than provide best case FAR (0.0001%) and best case FRR (0.01%) as if these performance specifications can be enjoyed at the same time.

Ben Edgington

First, the disclosure: I represent Hitachi.

OK, on the error rates for finger vein, yes our "marketing" numbers are 0.0001% and 0.01% for FAR and FRR respectively. These are lab results according to ISO/IEC 19795-1 evaluation (30,000 samples).

Actually, lab-based accuracy figures of this magnitude are not uncommon. For example, for palm vein, Fujitsu quote FAR of 0.01% with FRR of 0.00008% (with certain settings). And iris vendors do similar.

If we really wanted to deceive by publishing "best case" non-simultaneous results, we would of course choose 0% FAR and 0% FRR. These are easy to achieve: in the first case reject everybody; in the second accept everybody. I don't need sophisticated technology to do this :)

There are some publicly available DET results for finger vein. You can download the IBG CBT-6 report from http://www.biometricgroup.com/reports/public/reports/CBT6_report.htm (registration required). This has some very thorough analysis of some simulated real-life tests of three biometric scanners.

The IBG scenario is much more realistic than the lab-based ISO/IEC scenario, so no vendor achieves anywhere near their "official" accuracy (as per the FBI report cited by Paulo). As a single data point for finger vein, IBG measures the same-day FRR at 1.26% with the FRR at 0.01%. This is the best of the three devices under test (finger vein, palm vein, iris).

On spoofing: no successful attacks yet... We are not complacent, but we do believe that the finger vein technique has characteristics that make it inherently more challenging to spoof than other common biometrics.
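The tradeoff argued over in the comments above, as an added example that is not part of the original thread or any commenter's own code: it sweeps a decision threshold over constructed similarity scores and reports the false accept and false reject rates at each operating point. The score lists and all function names are assumptions made for illustration, and each comparison is treated as one accept/reject decision.

```python
# Constructed comparison scores (higher = more similar). These are NOT
# measurements from any device or from the reports cited in the thread.
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.76, 0.72, 0.66, 0.58, 0.49, 0.35]
IMPOSTOR = [0.62, 0.55, 0.51, 0.44, 0.40, 0.36, 0.30, 0.27, 0.21, 0.15]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a comparison is accepted if score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def det_curve(genuine, impostor):
    """One (threshold, FAR, FRR) operating point per candidate threshold."""
    candidates = sorted(set(genuine) | set(impostor))
    # Add the two degenerate extremes: accept everybody / reject everybody.
    candidates = [float("-inf")] + candidates + [float("inf")]
    return [(t, *error_rates(genuine, impostor, t)) for t in candidates]


def frr_at_far(curve, max_far):
    """Lowest FRR available at any operating point with FAR <= max_far."""
    return min(frr for _, far, frr in curve if far <= max_far)


def far_at_frr(curve, max_frr):
    """Lowest FAR available at any operating point with FRR <= max_frr."""
    return min(far for _, far, frr in curve if frr <= max_frr)


def equal_error_point(curve):
    """Operating point where FAR and FRR are closest to each other."""
    return min(curve, key=lambda p: abs(p[1] - p[2]))


if __name__ == "__main__":
    curve = det_curve(GENUINE, IMPOSTOR)
    for t, far, frr in curve:
        print(f"threshold={t:5.2f}  FAR={far:4.0%}  FRR={frr:4.0%}")
    print("best FAR 0% costs FRR", frr_at_far(curve, 0.0))
    print("best FRR 0% costs FAR", far_at_frr(curve, 0.0))
    print("equal error point", equal_error_point(curve))
```

On this constructed data the lowest FAR and the lowest FRR each sit at a different threshold, so quoting them as a pair describes no single operating point on the curve.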

Stephen Wilson


Many thanks for the link to the IBG testing.

Certainly finger vein is a promising technology, and far more resistant to spoofing than regular fingerprint scanning, which I regard as fully broken.

Now, let's sanity-check the "marketing" numbers of 0.0001% FAR and 0.01% FRR. The DET curves published by the IBG are actually for False Match and False Non Match which are subtly different from False Accept and False Reject. But having said that, the IBG report (Fig 18, p73) shows that:

When False Match = 0.0001%,
False Non Match = 2% best case (Same Day), 20% worst case (Different Day).

When False Non Match = 0.01%,
False Match = 80% best case (Same Day), 90% worst case (Different Day).

So in my view, customers should not be allowed to conclude that error rates of 0.0001% FAR and 0.01% FRR are achievable at the same time.

Furthermore ... yes, for an FRR of 1.26%, the Same Day FRR is 0.01% (Table 46, p72). But the Different Day performance deteriorates by a factor of more than one hundred: FRR = 1.99% and FAR = 2.56%. In banking, under what circumstances would the same day error rates ever be relevant?

Stephen Wilson
www.lockstep.com.au

Ben Edgington

Hi Stephen,

Thanks for your comments. What we are seeing is simply that DET results for biometrics depend strongly on factors like the environment, the population, the test conditions and dozens of other factors. So it is no surprise that same-day IBG results differ from different-day which differ from our lab results which differ from any real-life implementation.

Obviously vendors will choose to quote the most favourable results (the ISO/IEC in our case). It's not wrong, just subject to some rather controlled conditions. Personally I always quote the IBG results as well in presentations. But in the end, only the real-life results amongst your user-base matter. The true value of a report like IBG's is in the comparative information it provides between devices.

On the different-day IBG results, you can see Hitachi's response on page 107 of the report.

Ben Edgington
Hitachi Europe

Stephen Wilson


What Ben says is true. It accords with the repeated caution in the October 2008 Mitre/FBI report:

"For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment" [Ref: Vol 1, page 2.10 at www.biometriccoe.gov/SABER/index.htm].

I'm sorry to be a bit of a bore, but everything in this thread points to it being very optimistic to imply as Chris did that biometric ATMs will have false positives of "one in a million" and false negatives of "one in ten thousand". These error rates are not achievable simultaneously, even in the lab. And the FBI tells us these results do not apply outside the lab, where real ATMs operate.

biometric01

Much has been discussed about Identity Theft, user IDs and Passwords stolen or hacked, credit cards being used without the owner's knowledge and so on. Now there is a safe way of protecting your passwords and identity online from being copied, stolen and hacked by keyboard trojans, using your biometric fingerprint and face recognition, and even voice, to log on to web sites. By simply scanning your finger or face or voice you can log on to a web site, log on to your computer, and even encrypt files and folders. No more worrying about who might hack into your online accounts or even your email. No more remembering passwords or using the same passwords on many sites. This is an exciting new innovation from myBiodentity and they have about fourteen products that are enabled with biometrics including email encryption, password manager, virtual disk, and many more. You can read more at http://www.mybiodentity.com
