24 October 2014

71326

Nick Ogden - Novmo.com

44 | posts 146,059 | views 12 | comments

Biometrics solve a very real problem

09 February 2010  |  3385 views  |  3

I  came across this blog on Finextra which took a fairly cautious view on the use of biometrics in the UK and Europe. It referred to Bank Leumi now using voice biometrics for password re-setting for online banking. Following announcements from Australia and the US, I agree that it is encouraging to see usage of biometrics taking off in the UK and Europe. 

That, however, is about where my agreement ends. The blog also referred to Nick Griffiths' post on biometrics which questioned whether biometrics were in fact necessary and even went as far as terming them ‘a solution looking for a problem’. Unfortunately however, the problem is clear to see – especially to the increasing number of people who are falling victim to ID or card fraud. Financial Fraud Action UK figures for the period January to June 2009 showed that there had been a 23 percent increase (on the same period last year) in the amount lost through card ID fraud and a 55 percent rise in online banking fraud. Biometric technology addresses this problem because it verifies who the person is, rather than what they know and can also be used for verification where Chip and PIN cannot, such as in the growing online transaction space.

David also raises the issue of what would happen if a biometric was compromised (for example your voice). Indeed, if a card is compromised then it can be easily replaced. However, when it comes to voice biometrics this would involve someone stealing the digital data voice print and then using it to authenticate transactions fraudulently. While this is a good issue to raise, the likelihood and value of doing so is very small as it would require a highly sophisticated system. To give you an idea of the complexity we’re talking about – not only are the biometrics encrypted, the biometric voice signature is stored in a separate location to the data centre itself. This means that a fraudster would need to get hold of both sets of data from each of their secure vaults, and then decrypt them both. The likelihood of this happening is slim to none.

There’s no doubt that support for biometrics is growing; figures announced last year from The Unisys Corporation tell us that the majority of people globally would now accept biometric authentication to verify their identities. Bank Leumi is clearly confident in such findings and recognises the opportunities provided by this technology to provide as a secure method of payment verification. With this in mind, it is likely that this is just the beginning of what will be a big year for voice biometrics in the UK and throughout Europe. 

TagsSecurityPayments

Comments: (4)

Stephen Wilson - Lockstep Group - Sydney | 09 February, 2010, 18:50

Nick,

Two things. 

(1) Regarding the possibility of compromising biometrics, I don't think it's good enough to say that "the likelihood of this happening is slim to none".  What if it does happen, what then?  No security system is 100% effective; the art of true security demands that we plan for failure, and have a contingency plan.

The likelihood of biometric ID theft always rises markedly once these systems go live.  In the lab, False Accepts vs False Rejects can be better managed (mainly through very careful control over enrolment quality).  But out in the field, biometrics typically need to be de-tuned to achieve acceptable Fail to Enrol rates and False Reject rates.  This in turn makes them easier to spoof. As the FBI points out: "The intentional spoofing or manipulation of biometrics invalidates the zero effort imposter assumption commonly used in performance evaluations. When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different".

(2) I don't agree that Chip and PIN cannot for be used verification in online transactions.  The humble CAP reader shows that it can. And I believe that the next wave of card applications will use connected readers in a much more sophisticated mode than CAP, to more or less replicate the ATM/POS experience in the home.  Connected smartcard readers are increasingly common in laptops. 

On the other hand, voice biometrics aren't a universal online authentication option.  I do like them in phone banking for sure, but for all e-commerce I am not so sure.  How do they mesh with regular browser based shopping?  I don't think it's natural to make an extra phone call to authenticate a credit card payment when shopping (noting that voice verification tends not to work over VOIP).

So it's horses for courses.  There won't be a single online authentication mechanism.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Nick Collin - Collin Consulting Ltd - London | 11 February, 2010, 11:11

Sorry Nick, but I agree with Stephen on this.  Horses for courses.  Voice verification is great for particular applications like telephone banking balance enquiries, but for more risky mainstream financial transactions, in both the physical and virtual world, Chip & PIN seems to me hard to beat.  Remote Chip Authentication (RCA) is already being widely used for secure online banking and the next step will be to combine it with 3D Secure for secure online shopping (ie you use the "humble CAP reader" to generate a dynamic MasterCard SecureCode or Visa VbV).

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Uri Rivner - BioCatch - Tel Aviv | 11 February, 2010, 11:31

The main concern banks have with biometrics is the relatively high level of false rejections. Last I heard, you still have around 10% voice mismatch due to all sorts of reasons. If this goes down to fractions of a percent, then banks will probably look at it closely.

It's less about security concerns, can the system be beat or circumvented: by now banks realize that no single technology can stop all fraud. Card issuers have realized it long ago; they had to fight card fraud for ages, and the idea was to introduce multiple lines of defense. CVV2 checks in eCommerce were added a while ago and you'll be surprised but is still effective against some forms of attacks such as automatic BIN generation; Verified by Visa was launched a few years ago and half of the UK eCommerce is already VbV enabled; but as some articles pointed out recently, in itself VbV is not a silver bullet - which is why the issuers added an invisible line of defense where every VbV transaction is analyzed in real time and the vast majority of fraud attempts are intercepted. I did some math: the average eCommerce fraud level in 2009 was 40 basis points. VbV fraud levels were 11 basis points on average, for those issuers using the invisible monitoring.

So the bottom line is: don't look at any technology as a silver bullet. Consider the operational aspects as well: how many genuine people will be rejected? How will you validate their identity using another approach?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Nick Ogden - Novmo.com - Jersey | 16 February, 2010, 09:28

Thank you all for the contributions and debate is exactly what is required.

 

Of course nothing is 100% secure, and some systems today meet certain demands, however all these systems have failings in one way or another. In biometrics much has been played about false accept and false reject ratios and to be honest many system vendors, and this is not only in the biometrics world, pass acceptance and failure tolerances to their customer. I believe that voice biometrics does meet significantly many of the issues that other systems face, mobility is clearly a winner, and by combining as we do voice biometrics with say e-commerce we create out of band authentication, which is adds substantially to the security and authentication process.

 

At the end of the day today we have relatively little choice about how we secure our financial instruments or identity, and tomorrow that will change. Not because we say so but in a recent Harris Poll, changes are being demanded by consumers. Voice Biometrics can and will enable consumers and business to chose how they are authenticated, and this will be an evolutionary process, and perhaps will be widely available sooner than you expect.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Nick

Competition probe, your views count!

18 July 2014  |  1656 views  |  1  |  Recommends 0 TagsPaymentsRetail banking

Birth of a new Currency?

16 July 2014  |  1899 views  |  0  |  Recommends 0 TagsPaymentsRetail banking

Non Bank, Business Bank Accounts?

22 April 2013  |  2746 views  |  0  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

Politics, Payments and DNA

05 February 2013  |  1983 views  |  0  |  Recommends 1 TagsPaymentsTransaction bankingGroupInnovation in Financial Services

A Change is in the Air

04 December 2012  |  1887 views  |  0  |  Recommends 0 TagsRetail bankingGroupInnovation in Financial Services
name

Nick Ogden

job title

Chairman and CEO

company name

Novmo.com

member since

2012

location

Jersey

Summary profile See full profile »
I am passionate about business change and have been fortunate to have had some success with my va...

Nick's expertise

What Nick reads
Nick writes about

Who is commenting on Nick's posts

Tony Wenzel