24 October 2017
Lachlan Gunn

ATM Security

Lachlan Gunn - BenAlpin Ltd

12Posts 74,457Views 23Comments

Would you use biometric technology at an ATM?

01 September 2010  |  9441 views  |  9

The European ATM Security Team (EAST) is asking this question in its latest on-line research poll.  Well would you?  Such technology, both palm vein and finger vein is relatively common in Japan and also in use in Brazil.  Other countries such as India are apparently looking to roll it out.  Hmm.  To date only 24% of the respondents would be happy to use such technology in place of their PIN, and 47% would not use it due to concerns about personal data privacy.

This technology means that after feeding your card into the ATM, you place your hand or finger over a scanner which recognises your unique data to authorise the transaction.  From a security point of view I can see that if you do not need to enter a PIN when making an ATM transaction, then your card is less vulnerable to compromise - the magstripe data can still be skimmed, but trapping your card for fraudulent subsequent cash withdrawal would no longer be viable (unless the fraudsters keep you with it, in which case it becomes a duress attack).  It would be really interesting to know what the fraud stats show for ATM skimming, when comparing ATMs before and after the introduction of such technology.

Poland is the first country in Europe to trial this technology, with BPS Bank running a trial using a system developed by Hitachi and Wincor Nixdorf (see picture).

My concerns lie in the area of personal data privacy and protection.  I live in the UK where the relevant government agency three years ago 'lost' the personal data (names, dates of birth, bank and address details) of around 25 million adults receiving financial benefit for a child under 16 - potentially putting them at risk of identity theft!  From time to time financial institutions and other organisations lose laptops containing personal information relating to customers..........and it is possible to buy such information, fraudulently obtained, on the internet.

The European Union has fairly robust data protection and privacy legislation when compared to other parts of the world, partly due to the fact that many member countries have had fairly recent history of abuse of personal information by fascist or communist regimes and their acolytes.  Yet this legislation is far from perfect. Last year the Information Commissioner's Office in the UK published a Review of EU Data Protection Directive which highlighted some areas of concern; among them the fact that its international data transfer rules are unrealistic against a backdrop of high-volume globalised data flows, and the fact that the role of Data Protection Authorities in accountability and enforcement is inconsistent.

From a security perspective, I am an enthusiastic supporter of EMV or Chip and PIN technology, for which the holy grail would be the introduction one day of chip-only cards.  Do we really need biometrics for ATM transactions?  Something in me is uncomfortable with the thought of entrusting any form of my biometric data to organisations that may lose, misuse, or otherwise fail to properly secure and control it.  Am I being paranoid, or is keeping such biometric data private one of the last frontiers of individual personal privacy in a world where it is becoming increasingly impossible to remain invisible, and where virtually every phone call, email, website visited, electronic payment transaction and journey made is monitored, recorded, processed and stored by others?

ATM Finger Vein Authentication Technology TagsSecurityRisk & regulation

Comments: (10)

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney | 02 September, 2010, 06:59

No way I would use a biometric ATM.

It's said that biometric ATMs are proving popular in Japan and elsewhere but actual performance figures are still hard to come by.  The vendors' marketing claims for false positives (must be low for security) and false negatives (must be low for customer convenience) border on the hyperbolic.

Hitachi claims "there's only a 0.0001% chance of someone passing off their vein patterns as yours".  But that's only half the story.  What is the corresponding false negative rate when the system is tuned to be so ultra discriminating?  Well, the only independent testing I have managed to find for finger vein technology shows that at a False Match Rate of 0.0001%, the False Non Match Rate can deteriorate to 20%.  That is, one in five times the customer will have to try again.  I suspect that to keep the retries down, the systems are de-tuned in practice to be rather less accurate than 0.0001%, but exactly what the accuracy and overall security are in practice, we just don't know.

Meanwhile the FBI urges caution because lab testing doesn't translate to real world experience:

For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment. Therefore, any reference to error rates applies only to the test in question and should not be used to predict performance in a different application.

Yes, there are major privacy concerns. At present, no chip-and-PIN card is going to have the biometric template stored on the card, much less matched on the card, because of the cost of the extra memory and software.  So the templates must be stored centrally, and each time you visit an ATM, your biometric data will be sent out for matching.  I agree with Lachlan Gunn's concerns over the ability to safeguard thiese data stores.  If they can't stop card data today being stolen en masse, then we have to assume that stolen biometric data too will one day be in circulation amongst organised crime gangs.  And then what?  At least when my card is stolen, I can have it revoked and re-issued.  But with biometrics that's impossible.  They leave no room for error.

And when the thieves of tomorrow's brave new world steal my biometric template, lord knows how many other accounts they will also automatically have the keys for!

Stephen Wilson, Lockstep.


Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Keith Appleyard
Keith Appleyard - available for hire - Bromley | 02 September, 2010, 12:06

I'm not keen.

My own experience of biometric access control at my HQ in New York was that I had to register both thumb prints and yet my aggregate error rate was 20% - being blamed for not putting my thumb in the right position on the reader - which means to me the design of the reader is at fault for allowing me to place my thumb in the wrong position.

If my PIN is stolen (and I'm not a fan of CHIP n PIN either), then I can change it and ask for another one. If someone is able to present my biometrics as their own - then there's nothing I can do about - I can't change my fingerprints, blood, saliva, retina, veins, voice etc.

Like with DNA matching (see my separate blog on that topic in Aug 2009 - http://www.finextra.com/community/fullblog.aspx?id=3190), if the technology is just sampling my results, and coming up with a hash equivalent, then its not impossible for that to be impersonated / reproduced.

How much of that data is going to be transmitted around the world, via what routes, is it going to be secure in transit, how long is it going to be held in cached memory, and will it be secure at rest? Will it survive / detect a man-in-the-middle attack?

Whereby, falling back on the good old Signature, when I was transferring £125,000 yesterday via CHAPS, RBS called up my Signature on File, checked my Passport & Debit Card, and recorded me on CCTV. I was happy.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
John Dring
John Dring - Intel Network Services - Swindon | 03 September, 2010, 12:46

Why is biometric data really any different to a photoID, signature, name and address, DOB ?  Its just a nother way of identifying who you are, but its a lot, lot harder to duplicate(forge) your bio credentials in the real world, compared to forging a signature, knowing your address or PIN etc.   You cannot really change your photo/face, and certainly not your DOB.

Apart from insider fraud or core hacking, the other problem with any system is 'man in the middle' where measured identifing information is exchanged for 'stored' correct information.  This applies to any type of ID system.  That's why the measuring terminal has to have a cast-iron transaction wrapping solution to prevent tampering between there and the backend. (It just means that the 'middle' probably has to be between the measuring instrument (thumb reader) and the thumb).

I draw the line at exposing DNA credentials, but knowing your vein pattern, retina details, thumbprint, face geometry etc - so what?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney | 03 September, 2010, 13:47

"Knowing your vein pattern, retina details, thumbprint, face geometry etc - so what?"

Because then they get replayed, that's what. It's simply not true that biometrics are "a lot, lot harder to duplicate". See the Gummy Bear attack on fingerprints for starters.

And even if a particular biometric does prove very hard to duplicate, are we willing to bet the house on it being literally impossible?  Because once compromised, no practical biometric can be revoked and reissued. There is no room for error.

Everyone knows there is no such thing as perfect security, but biometrics are actually premised on the supposed impossibility of compromise.  They defy security logic.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Lachlan Gunn
Lachlan Gunn - BenAlpin Ltd - Perth | 03 September, 2010, 14:40

I agree.

The concern to me is my personal biometric data falling into the wrong hands or being misused.  There is a big difference between a compromised PIN and compromised biometric data.  My finger vein patterns and palm vein patterns are not going to change and once taken and stored are out of my control for ever (yes, maybe data protection legislation says that they should be destroyed once an account is closed, but if that is the case how do I know that it actually happened and, even if it did, was it compromised beforehand?) 

As has been said, a compromised PIN can be changed, and is for the sole purpose of authorising transactions for a single card - it is unique for that card, which can be re-issued if compromised.  For online transactions we are told to never use the same password for different purposes.  It also can be changed if compromised.

Yet hypothetically, if I have accounts with several different card issuing banks and they all use finger vein technology for ATM transactions, then I am using the same authentication (admittedly unique to me) for multiple cards (and possibly other future legitimate purposes). 

As Stephen states there is a risk, however small, that my data if compromised could be misused for multiple purposes.  In the ‘technology chase’, the good guys are normally well behind the bad guys! 

Even more worryingly, as with the planting of DNA, is there a remote possibility that one day such compromised data could actually be used to evidentially place me where I wasn’t?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
John Dring
John Dring - Intel Network Services - Swindon | 07 September, 2010, 08:20

OK, so the topic is sensitive,  but not altogether completely rational.  I was making the comparison with other 'biometric' type data like your DOB, photo, signature.  All are unique and do not change (you could change a signature, or have several, but they are still unique subject to forgery).

So how exactly can your 'vein pattern' be used against you any more than a forged dignature or photoID?  All can be stored digitally.  All can be replayed.  If the receiving merchant is prepared to accept photocopies of a passport, driving licence etc and not really care about due KYC identity, then anybody can register as me.  Its a complete pain to me when I have to prove it was not, but the merchant/bank has to prove they checked the identity of the fraudster. 

Knowing your DNA is a different matter. That contains info which can be used to discriminate (in an even deeper way than just viewing your photo!).

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney | 07 September, 2010, 08:41

Sorry John, I may have missed your point.

My focus was on automated electronic authentication, where revocability I believe is essential.  Yes today we present handwritten signatures to other human beings as a form of authentication, but the manual decision to accept or reject is subject to all sorts of extra cues and layers of verification, and also forensics.  In contrast, decisions made by machines around electronic biometrics are essentially instantaneous.  The potential for fraud is quite different from traditional in-person presentation of photo IDs, signatures etc.

So we're playing an entirely different game here with electronic biometrics. A forged signature or photo ID cannot be replayed (in person) in the same way as stolen electronic biometrics can.  And a compromised photo ID can always be revoked and re-issued.  Nobody has explained how a compromised finger vein pattern will be revoked.  Vendors will instead try to argue they cannot be stolen.  In principle, that's a bad kind of answer.  And in practice, the likes of the FBI will counsel us to watch this space!  All biometric vendor specs are produced under the "Zero Effort Imposter" assumption, and wilfully ignore the possibility that an attacker might actually make a concerted effort to break the system.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 13 September, 2010, 14:30

Everyone is talking about security issues, and while these are relevant, there are more practical issues. Most biometrics are not suitable for all environments, cold weather for example makes glove removal impractical; voice reciognition in busy streets with vehicles and ambient noise is also difficult.

However the key issue is registration - many people using self service ATMs or POS do not go near a bank branch. I have never visited the branch that holds my account. The risks of impersonation are huge and fraud could well increase.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
John Dring
John Dring - Intel Network Services - Swindon | 13 September, 2010, 20:43

Excellent point.  The cost to the issuing banks would be high (certainly higher than just sending a CHIP & PIN).  And we already know that Banks are 'happy' to accept a level of impersonation fraud because they can offset those losses against the savings of convenience.  That counts more than your identity I guess (joking).

I just received a call from my Credit issuer inviting me to become a Debit account customer (with loads of supposed benefits).  Within 10 mins on the phone (divulging lots of data that I had to decide on the fly if it was relevant to the application or not) and a couple of days, I received a Card and then the PIN.  Easy.  I wonder if I will actually use this account.

On the downside of PINs - I was with my father at his bank the other day (in his 80's), and they wanted to identify him - they asked him to type his PIN into the bankers keyboard to do this, to which he stated out loud what it was. Doh!  He doesn't do CHIP & PIN very often, and I bet he doesn't really shield it when he does, but surprisingly he was right and the bank trusted that above his signature.


Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Peter  Jones
Peter Jones - Hitachi Europe - London | 29 September, 2010, 15:28

Please click on the link to see Hitachi's response to this blog post: http://www.finextra.com/community/fullblog.aspx?id=4498

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Lachlan

Heat from your fingers could disclose your PIN at an ATM

30 August 2011  |  5114 views  |  1 comments | recomends Recommends 0 TagsCardsSecurityGroupInformation Security

Do you get SMS alerts for debit card transactions?

18 August 2011  |  9763 views  |  3 comments | recomends Recommends 0 TagsCardsSecurityGroupInformation Security

Europol busts international cross border skimming operation

18 July 2011  |  5665 views  |  0 comments | recomends Recommends 0 TagsCardsSecurity

Fraud migrates away as European EMV rollout nears completion

22 June 2011  |  5839 views  |  1 comments | recomends Recommends 0 TagsCardsSecurity

Is the rise of global card fraud being taken seriously?

11 February 2011  |  4943 views  |  1 comments | recomends Recommends 0 TagsCardsSecurity

Lachlan's profile

job title Director
location Perth
member since 2009
Summary profile See full profile »
Lachlan is Director of BenAlpin Ltd, a security consultancy, and is also founder and a Director of European ATM Security Team Ltd, an independent, non-profit, international ATM user group. EAST has a...

Lachlan's expertise

Member since 2007
12 posts23 comments
Lachlan's blog archive
2011 (5)2010 (4)2009 (3)

Who's commenting on Lachlan's posts