Blog article
See all stories »

Biometrics solve a very real problem

I  came across this blog on Finextra which took a fairly cautious view on the use of biometrics in the UK and Europe. It referred to Bank Leumi now using voice biometrics for password re-setting for online banking. Following announcements from Australia and the US, I agree that it is encouraging to see usage of biometrics taking off in the UK and Europe. 

That, however, is about where my agreement ends. The blog also referred to Nick Griffiths' post on biometrics which questioned whether biometrics were in fact necessary and even went as far as terming them ‘a solution looking for a problem’. Unfortunately however, the problem is clear to see – especially to the increasing number of people who are falling victim to ID or card fraud. Financial Fraud Action UK figures for the period January to June 2009 showed that there had been a 23 percent increase (on the same period last year) in the amount lost through card ID fraud and a 55 percent rise in online banking fraud. Biometric technology addresses this problem because it verifies who the person is, rather than what they know and can also be used for verification where Chip and PIN cannot, such as in the growing online transaction space.

David also raises the issue of what would happen if a biometric was compromised (for example your voice). Indeed, if a card is compromised then it can be easily replaced. However, when it comes to voice biometrics this would involve someone stealing the digital data voice print and then using it to authenticate transactions fraudulently. While this is a good issue to raise, the likelihood and value of doing so is very small as it would require a highly sophisticated system. To give you an idea of the complexity we’re talking about – not only are the biometrics encrypted, the biometric voice signature is stored in a separate location to the data centre itself. This means that a fraudster would need to get hold of both sets of data from each of their secure vaults, and then decrypt them both. The likelihood of this happening is slim to none.

There’s no doubt that support for biometrics is growing; figures announced last year from The Unisys Corporation tell us that the majority of people globally would now accept biometric authentication to verify their identities. Bank Leumi is clearly confident in such findings and recognises the opportunities provided by this technology to provide as a secure method of payment verification. With this in mind, it is likely that this is just the beginning of what will be a big year for voice biometrics in the UK and throughout Europe. 


Comments: (4)

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 09 February, 2010, 18:50Be the first to give this comment the thumbs up 0 likes


Two things. 

(1) Regarding the possibility of compromising biometrics, I don't think it's good enough to say that "the likelihood of this happening is slim to none".  What if it does happen, what then?  No security system is 100% effective; the art of true security demands that we plan for failure, and have a contingency plan.

The likelihood of biometric ID theft always rises markedly once these systems go live.  In the lab, False Accepts vs False Rejects can be better managed (mainly through very careful control over enrolment quality).  But out in the field, biometrics typically need to be de-tuned to achieve acceptable Fail to Enrol rates and False Reject rates.  This in turn makes them easier to spoof. As the FBI points out: "The intentional spoofing or manipulation of biometrics invalidates the zero effort imposter assumption commonly used in performance evaluations. When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different".

(2) I don't agree that Chip and PIN cannot for be used verification in online transactions.  The humble CAP reader shows that it can. And I believe that the next wave of card applications will use connected readers in a much more sophisticated mode than CAP, to more or less replicate the ATM/POS experience in the home.  Connected smartcard readers are increasingly common in laptops. 

On the other hand, voice biometrics aren't a universal online authentication option.  I do like them in phone banking for sure, but for all e-commerce I am not so sure.  How do they mesh with regular browser based shopping?  I don't think it's natural to make an extra phone call to authenticate a credit card payment when shopping (noting that voice verification tends not to work over VOIP).

So it's horses for courses.  There won't be a single online authentication mechanism.

Nick Collin
Nick Collin - Collin Consulting Ltd - London 11 February, 2010, 11:11Be the first to give this comment the thumbs up 0 likes

Sorry Nick, but I agree with Stephen on this.  Horses for courses.  Voice verification is great for particular applications like telephone banking balance enquiries, but for more risky mainstream financial transactions, in both the physical and virtual world, Chip & PIN seems to me hard to beat.  Remote Chip Authentication (RCA) is already being widely used for secure online banking and the next step will be to combine it with 3D Secure for secure online shopping (ie you use the "humble CAP reader" to generate a dynamic MasterCard SecureCode or Visa VbV).

Uri Rivner
Uri Rivner - Refine Intelligence - Tel Aviv 11 February, 2010, 11:31Be the first to give this comment the thumbs up 0 likes

The main concern banks have with biometrics is the relatively high level of false rejections. Last I heard, you still have around 10% voice mismatch due to all sorts of reasons. If this goes down to fractions of a percent, then banks will probably look at it closely.

It's less about security concerns, can the system be beat or circumvented: by now banks realize that no single technology can stop all fraud. Card issuers have realized it long ago; they had to fight card fraud for ages, and the idea was to introduce multiple lines of defense. CVV2 checks in eCommerce were added a while ago and you'll be surprised but is still effective against some forms of attacks such as automatic BIN generation; Verified by Visa was launched a few years ago and half of the UK eCommerce is already VbV enabled; but as some articles pointed out recently, in itself VbV is not a silver bullet - which is why the issuers added an invisible line of defense where every VbV transaction is analyzed in real time and the vast majority of fraud attempts are intercepted. I did some math: the average eCommerce fraud level in 2009 was 40 basis points. VbV fraud levels were 11 basis points on average, for those issuers using the invisible monitoring.

So the bottom line is: don't look at any technology as a silver bullet. Consider the operational aspects as well: how many genuine people will be rejected? How will you validate their identity using another approach?

Nick Ogden
Nick Ogden - - London 16 February, 2010, 09:28Be the first to give this comment the thumbs up 0 likes

Thank you all for the contributions and debate is exactly what is required.


Of course nothing is 100% secure, and some systems today meet certain demands, however all these systems have failings in one way or another. In biometrics much has been played about false accept and false reject ratios and to be honest many system vendors, and this is not only in the biometrics world, pass acceptance and failure tolerances to their customer. I believe that voice biometrics does meet significantly many of the issues that other systems face, mobility is clearly a winner, and by combining as we do voice biometrics with say e-commerce we create out of band authentication, which is adds substantially to the security and authentication process.


At the end of the day today we have relatively little choice about how we secure our financial instruments or identity, and tomorrow that will change. Not because we say so but in a recent Harris Poll, changes are being demanded by consumers. Voice Biometrics can and will enable consumers and business to chose how they are authenticated, and this will be an evolutionary process, and perhaps will be widely available sooner than you expect.

Now hiring