Stephen Wilson - Lockstep Consulting - Sydney 14 April, 2010, 21:59 0 likes

I don't know about the South African myth, but I believe this story was true, as reported by the BBC: a Malaysian had his finger chopped off by a gang stealing his fancy car. 

Biometrics have a chequered history in payments.  Here on Finextra you can read about the troubles at the Dutch supermarket with "Tip2Pay" which had to be shelved after error rates got too high. 

Vendors' claims are near hyperbolic.  There is an unfortunate tendency to report the best False Accept Rate and the best False Reject Rate at the same time, as if these figures can be achieved simultaneously.  But they can't.  I debated this at length with vendors and advocates in another forum. 

We were discussing finger vein recognition, which is an advanced technique, with good resistance to theft.  But the independent testing is very worrying when you look closely at the Detection Error Trade-off (DET) curves. The vendor claims a fantastic False Match Rate of 0.0001% ... but the False Non Match Rate then deteriorates to as bad as 20%.  The vendor also claims best case False Non Match Rate of 0.01% ... but the corresponding False Match Rate is 80% or worse.

To summarise my concerns:

- biometrics just don't work as well as vendors claim; 

- in particular, biometrics are susceptible to identity theft

- once stolen, no commercial biometric solution is able to be cancelled and re-issued

- there is no standardised way to test biometric performance

- most if not all biometric testing uses the "zero effort imposter" assumption, which ignores deliberate attempts to spoof the system.  Therefore, reported False Accept Rates don't trell us anything about how well the biometric resists criminal attack.

Rik Coeckelbergs - The Banking Scene - Brussels 15 April, 2010, 06:34 0 likes

Stephen,

Thanks for sharing your experience on biometrics. You some interesting remarks I didn't know about so far.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 16 April, 2010, 17:22 0 likes

As the story of PayByTouch illustrates, biometric payment at the point of sale might be a solution chasing a problem. This well-known  American startup burned through close to US$ 200M in providing a fingerprint-based payment system for supermarket checkout before it went bankrupt.

On the one hand, vendors claim that their solutions can differentiate between a live organ and a dead one, but on the other, we have a Dan Brown bestseller in which villains kill someone only to harvest their eyes to break through a highly-secure system based on iris scanning.

To make sure that a nick in one finger doesn't result in a false-rejection, vendors have started fingerprinting more than one finger - in fact, one state in India has implemented a solution that uses prints from all ten fingers!

I don't think biometric payments come anywhere close to the convenience of cash or credit card - at least not in their present form. And going by the processing fees of PayByTouch, they don't seem to be much cheaper either.

Steven Murdoch - University College London - London 17 April, 2010, 16:12 0 likes

I know of two biometric payment schemes:

The first is the Net1 social grant distribution scheme. This is used in by the government in South Africa, to distribute welfare payments to citizens. While it is a special purpose payment system, it looks rather like a bank because it supports card-to-card payments, has an ATM infrastructure, and even incorporates a micro-lending scheme. Fingerprint recognition is used because citizens are familiar with it, may not be able to remember a PIN, and might have difficulty communicating with staff (due to the lack of a common language). By distributing payments via an ATM, using a smart card and fingerprint reader, only the recipient ever handles cash, and so the system reduces the risk of fraud by staff. This system was described in a talk by Keith Breckenridge, Professor of History and Internet Studies, University of KwaZulu-Natal, South Africa, in December 2007. The slides for his talk are online.

The second scheme is in Japan, and was described by Mitsutoshi Himaga of Hitachi-Omron, at the October 2008 ATM Security conference, organized by the ATM Industry Association. Hitachi-Omron are the manufacturers of a finger-vein detection scheme for ATMs, which he said was used by 81% of Japanese banks. They chose finger-vein detection because it is non-contact (reducing hygiene concerns and doesn't leave traces behind), is stable, and has acceptable error rates (failure to enrol rate: 0.08%; false match rate: 0.01% at 1.26% false non-match rate). The system is optional for customers, but they get a higher withdrawal limit if they opt in.

Stephen Wilson - Lockstep Consulting - Sydney 18 April, 2010, 11:39 0 likes

Steven Murdoch mentions two ATM applications for biometrics, which seem to be working, as opposed to PayByTouchand Tip2Pay which failed.  A crucial difference is that the ATM applications involve a plastic card as well.  The biometric serves to replace the PIN, in a "one-to-one" match of the customer to the card they're presenting. But the failed biometric systems involved much more ambitious "one-to-many" matching, where there is no card presented, and instead the customer is matched against a large database of registered users.

[Just for completeness, it's difficult to imagine how one-to-many matching could ever work for an ATM.  Only in sci-fi movies can you stare at a machine and have cash dispensed from the proper account.  In practice, you need to desigtn for the fact that any one person using an ATM might have more than one account, at more than one bank.  If you had a biometric-only ATM without a card, the system would have to scan the entire databases of all networked banks, present all the matches to the customer, and ask them which account they wish to access.  And then what to do about false matches?  Such a system would occasionally show me other peoples' accounts.  What would stop me accessing their cash?  Nope, biometric ATMs will still always involve traditional cards.]

I wonder if there are real life performance figures available now from the finger vein ATMs in Japan?  The bench testing reported false match and false non match rates are I think only barely acceptable.  Steven mentioned a False Non Match of 1.2% at a False Match Rate of 0.01%.  The International Biometric Group reported slightly worse figures of up to 5% FNMR at FMR of 0.01%.  That is, 1 in 20 legitimate finger vein presentations would be rejected and require a re-try.  This seems quite high.  What will it do for queue lengths at busy ATMs? 

And as I mentioned previously, the FBI cautions that in real life as opposed to the lab, biometric performance is hard to predict. Moreover, if the 'zero effort imposter' assumption applied to the reported bench test results, then the resistance to concerted attack remains unknown.

So, does anyone know how these Japanese ATMs are performing in the field?  Do the banks report error rates and fraud rates I wonder?

Steven Murdoch - University College London - London 18 April, 2010, 13:56 0 likes

Stephen,

All very good points. There does seems to be quite a bit of selective use of numbers within the biometric industry. A major one, which you pointed out, is not differentiating between the one-to-one and one-to-many matching scenario. John Daugman (inventor of iris codes) has written a good description of the mathematical reasons of why this simplification is flawed.

You also pointed out that vendors are sometimes guilty of presenting false positive and false negative figures which cannot be achieved together. Fortunately the representative of Hitachi-Omron did not do this, but he did fail to discuss anything other than the zero effort impostor. In fact, I can't think when I have ever heard a vendor give figures for anything else.

The only biometric which is even close to being good enough for one-to-many matching is iris codes, and it does this rather well. It is used in Dubai for immigration and it can give zero false positive rates for one-to-many matching in country-sized deployments, while giving very few false negatives. There are customer-acceptance problems, however. In the same conference as the Hitachi-Omron presentation, Peter Michael Seitz from Erste Bank said that they prefer finger-vein detection because customers (mistakenly) believe that iris recognition could damage their eye.

In fact iris recognition is simply done with a webcam, preferably on the infrared wavelength. Even if customers could be persuaded as to the safety and security, there are still plenty of problems remaining. One is that many people depend on the ability to give their card and PIN to someone else, to act on their behalf. Currently banks turn a blind eye to such processes, but biometrics would force these to be formalized, which likely neither the bank nor customer would like. Also, the Dubai programme was for an attended scenario, so there is some question as to how it will fare if unattended.

Another interesting point was raised by the representative of a Nigerian bank. They wanted to know whether finger-vein detection could de-duplicate the biometric template database. This is because they are concerned about bank staff enrolling themselves onto a customer's account, and committing fraud. This turns a one-to-one match into a one-to-many, so while there wasn't an adequate answer from Hitachi-Omron, I think that finger-vein detection (or any biometric except the iris code), has no chance solving this problem.