
Biometrics solve a very real problem

I came across this blog on Finextra which took a fairly cautious view on the use of biometrics in the UK and Europe. It referred to Bank Leumi now using voice biometrics for password re-setting for online banking. Following announcements from Australia and the US, I agree that it is encouraging to see usage of biometrics taking off in the UK and Europe.

That, however, is about where my agreement ends. The blog also referred to Nick Griffiths' post on biometrics which questioned whether biometrics were in fact necessary and even went as far as terming them ‘a solution looking for a problem’. Unfortunately however, the problem is clear to see – especially to the increasing number of people who are falling victim to ID or card fraud. Financial Fraud Action UK figures for the period January to June 2009 showed that there had been a 23 percent increase (on the same period last year) in the amount lost through card ID fraud and a 55 percent rise in online banking fraud. Biometric technology addresses this problem because it verifies who the person is, rather than what they know and can also be used for verification where Chip and PIN cannot, such as in the growing online transaction space.

David also raises the issue of what would happen if a biometric was compromised (for example your voice). Indeed, if a card is compromised then it can be easily replaced. However, when it comes to voice biometrics this would involve someone stealing the digital data voice print and then using it to authenticate transactions fraudulently. While this is a good issue to raise, the likelihood and value of doing so is very small as it would require a highly sophisticated system. To give you an idea of the complexity we’re talking about – not only are the biometrics encrypted, the biometric voice signature is stored in a separate location to the data centre itself. This means that a fraudster would need to get hold of both sets of data from each of their secure vaults, and then decrypt them both. The likelihood of this happening is slim to none.

There’s no doubt that support for biometrics is growing; figures announced last year from The Unisys Corporation tell us that the majority of people globally would now accept biometric authentication to verify their identities. Bank Leumi is clearly confident in such findings and recognises the opportunities this technology provides as a secure method of payment verification. With this in mind, it is likely that this is just the beginning of what will be a big year for voice biometrics in the UK and throughout Europe.


Comments: (4)

Stephen Wilson - Lockstep Consulting - Sydney 09 February, 2010, 18:50

Nick,

Two things. 

(1) Regarding the possibility of compromising biometrics, I don't think it's good enough to say that "the likelihood of this happening is slim to none".  What if it does happen, what then?  No security system is 100% effective; the art of true security demands that we plan for failure, and have a contingency plan.

The likelihood of biometric ID theft always rises markedly once these systems go live.  In the lab, False Accepts vs False Rejects can be better managed (mainly through very careful control over enrolment quality).  But out in the field, biometrics typically need to be de-tuned to achieve acceptable Fail to Enrol rates and False Reject rates.  This in turn makes them easier to spoof. As the FBI points out: "The intentional spoofing or manipulation of biometrics invalidates the zero effort imposter assumption commonly used in performance evaluations. When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different".

(2) I don't agree that Chip and PIN cannot be used for verification in online transactions.  The humble CAP reader shows that it can. And I believe that the next wave of card applications will use connected readers in a much more sophisticated mode than CAP, to more or less replicate the ATM/POS experience in the home.  Connected smartcard readers are increasingly common in laptops.

On the other hand, voice biometrics aren't a universal online authentication option.  I do like them in phone banking for sure, but for all e-commerce I am not so sure.  How do they mesh with regular browser based shopping?  I don't think it's natural to make an extra phone call to authenticate a credit card payment when shopping (noting that voice verification tends not to work over VOIP).

So it's horses for courses.  There won't be a single online authentication mechanism.
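
The threshold trade-off raised in point (1) of the comment above, as an added example that is not part of the original thread: it compares False Reject and False Accept rates at a strict threshold and at one relaxed to hit a usability target. The scores, the 0-100 scale, the threshold of 80 and the 10% FRR target are all constructed assumptions.

```python
# Constructed similarity scores (0-100, higher = closer to the enrolled
# voiceprint). Illustrative values only, not measurements from any product.
GENUINE = [91, 88, 79, 95, 72, 84, 66, 90, 77, 58]      # the real customer
ZERO_EFFORT = [12, 25, 31, 8, 40, 19, 35, 22, 47, 28]   # random other speakers
DEDICATED = [55, 68, 74, 61, 81, 49, 70, 63, 77, 59]    # deliberate imitation


def false_reject_rate(genuine, threshold):
    """Share of genuine attempts scoring below the acceptance threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def tune_for_frr(genuine, max_frr):
    """Strictest threshold (0-100) that keeps FRR at or below max_frr."""
    return max(t for t in range(101) if false_reject_rate(genuine, t) <= max_frr)


def report(threshold):
    """FRR plus FAR under both impostor assumptions at one threshold."""
    return {
        "threshold": threshold,
        "frr": false_reject_rate(GENUINE, threshold),
        "far_zero_effort": false_accept_rate(ZERO_EFFORT, threshold),
        "far_dedicated": false_accept_rate(DEDICATED, threshold),
    }


if __name__ == "__main__":
    strict = report(80)                                  # hypothetical strict setting
    field = report(tune_for_frr(GENUINE, max_frr=0.10))  # relaxed for usability
    for row in (strict, field):
        print(row)
```

On this constructed data the zero-effort False Accept rate is 0 at both settings, so an evaluation built only on that assumption would not show the rise in accepted imitation attempts.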

Nick Collin - Collin Consulting Ltd - London 11 February, 2010, 11:11

Sorry Nick, but I agree with Stephen on this.  Horses for courses.  Voice verification is great for particular applications like telephone banking balance enquiries, but for more risky mainstream financial transactions, in both the physical and virtual world, Chip & PIN seems to me hard to beat.  Remote Chip Authentication (RCA) is already being widely used for secure online banking and the next step will be to combine it with 3D Secure for secure online shopping (ie you use the "humble CAP reader" to generate a dynamic MasterCard SecureCode or Visa VbV).

Uri Rivner - Refine Intelligence - Tel Aviv 11 February, 2010, 11:31

The main concern banks have with biometrics is the relatively high level of false rejections. Last I heard, you still have around 10% voice mismatch due to all sorts of reasons. If this goes down to fractions of a percent, then banks will probably look at it closely.

It's less about security concerns, can the system be beat or circumvented: by now banks realize that no single technology can stop all fraud. Card issuers have realized it long ago; they had to fight card fraud for ages, and the idea was to introduce multiple lines of defense. CVV2 checks in eCommerce were added a while ago and you'll be surprised but it is still effective against some forms of attacks such as automatic BIN generation; Verified by Visa was launched a few years ago and half of the UK eCommerce is already VbV enabled; but as some articles pointed out recently, in itself VbV is not a silver bullet - which is why the issuers added an invisible line of defense where every VbV transaction is analyzed in real time and the vast majority of fraud attempts are intercepted. I did some math: the average eCommerce fraud level in 2009 was 40 basis points. VbV fraud levels were 11 basis points on average, for those issuers using the invisible monitoring.

So the bottom line is: don't look at any technology as a silver bullet. Consider the operational aspects as well: how many genuine people will be rejected? How will you validate their identity using another approach?

Nick Ogden - RTGS.global - London 16 February, 2010, 09:28

Thank you all for the contributions; debate is exactly what is required.

Of course nothing is 100% secure, and some systems today meet certain demands, however all these systems have failings in one way or another. In biometrics much has been played about false accept and false reject ratios and to be honest many system vendors, and this is not only in the biometrics world, pass acceptance and failure tolerances to their customer. I believe that voice biometrics does meet significantly many of the issues that other systems face, mobility is clearly a winner, and by combining as we do voice biometrics with say e-commerce we create out of band authentication, which adds substantially to the security and authentication process.

At the end of the day today we have relatively little choice about how we secure our financial instruments or identity, and tomorrow that will change. Not because we say so but in a recent Harris Poll, changes are being demanded by consumers. Voice Biometrics can and will enable consumers and business to choose how they are authenticated, and this will be an evolutionary process, and perhaps will be widely available sooner than you expect.
