Biometric banking

By Catherine
Share on LinkedInTweet about this on TwitterShare on FacebookShare on Google+

By Catherine Bolgar

The next frontier for security is likely to arrive at your bank soon: biometric verification of your identity—and you may or may not be aware of it. The global banking sector is expected to spend $2.2 billion (€1.9 billion) on biometrics this year, according to Biometrics Research Group Inc.

Fingerprints, facial recognition and iris patterns are among the methods that could be used, thanks in large part to smart phones that already use fingerprints and that have cameras that can capture information for the second two. Other methods include vein patterns (in fingers, in palms and on the back of one’s hands) and even a solution under development that recognizes the ear cavities of a person by the resonance of sound, says Christy Lin, analyst with TrendForce, a Taipei-based provider of market intelligence on technology industries.

Issues include the cost, ease of use and the amount of time needed to capture the biometric, says Anil Jain, professor of computer science and engineering and head of the biometrics research group at Michigan State University in East Lansing, Michigan. Fingerprints and facial and voice recognition are convenient already. The iris is very accurate and becoming more convenient as more phones incorporate iris readers.

Authorization is faster than presenting a card to a sales clerk and having them swipe it,” says Jain. “It takes three to five seconds.”

There are two ways to create the link between you and your payment data for biometric payments, says Lorenzo Gaston, technical director at the Smart Payment Association, an industry group based in Munich. In either case, a biometrics device captures your biometrics—for example, taking a picture or a fingerprint—then digitizes it, and compares it with biometrics you already registered and enrolled with your payment data.

In one case, you use a device that stores your original biometrics. “Typically, it’s a chip card and it decides whether biometrics captured are close enough to what was enrolled the first time for that particular person,” Mr. Gaston says. The storage device also could be a secure element in your mobile phone. This is similar to using a super-PIN, which is stored only in your personal device under your exclusive control.

A second way is to send the captured biometrics information to an online database storing all the enrolled biometrics data from the users. In that case, a remote server decides whether the right person is gaining access. “The problem in that case is the biometrics are stored in a central database. Biometrics [is] considered very personal information. If somebody manages to hack into that, they can impersonate you,” he says. Resolving the problem could be tricky.

You can change a password, but you cannot change your face or your fingerprint.”

Alternatively, a hacker might change the information, replacing the real biometrics with the hacker’s.

“Online databases must have very strict access-control mechanisms,” Mr. Gaston says. That’s why from a security and privacy perspective, the storage and comparison of the biometrics in your personal tamper-resistant device (chip card, secure element in a mobile phone) is by far a preferable solution, he says.

Financial institutions have tight enough security that breaking in involves a significant investment of time and money, and encryption can further tighten safety, says Darci Guriel, professor of computer information technology at Northern Kentucky University in Highland Heights, Kentucky.

As a result, the people trying to break into accounts aren’t aiming for mass hacking but are grifters, targeting one account at a time. “They’re looking for the weakest link, and the weakest link in banking is people,” Prof. Guriel says.

That could mean winning over a customer-service agent to get a PIN reset. Or finding enough information online to be able to answer private questions necessary to change a password. The elderly often are targeted.

“Biometrics are there to help,” she continues. “To break into a single account at a time, nobody is going to have plastic surgery.”

Some things about you don’t change with age or even surgery—the space between your eyes and that across the bridge of your nose is unique, as is the depth of your eye sockets. For a voice, the sinus cavity and vocal cords don’t change. “The pitch might change, the tone might change, but the physical attributes—which are what get measured—stay the same,” Prof. Guriel says.

Banks probably already have or can easily get your biometrics, she notes. ATMs have cameras. Phone calls are recorded. They can find your picture online.

Some consumers worry that biometric authentication systems would be incapable of distinguishing between living and faked or preserved biological tissues, notes TrendForce’s Ms. Lin. “Biometric recognition systems that only authenticate living tissues would prevent the hypothetical scenario where criminals can use severed body parts (e.g., fingers) to steal money or access sensitive information,” she says.

Making fake biometrics isn’t easy, and phone companies—at the forefront of biometric technology—are making phones harder to spoof, Dr. Jain says. “You can’t just present a photo of me when it isn’t me live. Security is a cat-and-mouse game. Fraudsters will try to circumvent it, and security guys have to come up with ways to fix it.

 

Catherine Bolgar is a former managing editor of The Wall Street Journal Europe, now working as a freelance writer and editor with WSJ. Custom Studios in EMEA. For more from Catherine Bolgar, along with other industry experts, join the Future Realities discussion on LinkedIn.

Photos courtesy of iStock

Mobile money aids the unbanked

By Catherine
Share on LinkedInTweet about this on TwitterShare on FacebookShare on Google+

By Catherine Bolgar*

Mobile money

Imagine paying at a shop by sending a text message from your phone. Or sending money to your child at university in another city with an SMS. Or getting a small loan via your phone.

This futuristic vision of mobile money has been promised ever since mobile phones took off in the 1990s. In most of the developed world, mobile banking means using a phone to do the same kinds of transactions—checking a balance, transferring funds—one would do on a desktop computer. Mobile money hasn’t found footing.

In Kenya and some other developing countries, however, mobile money is widely accepted. The World Bank estimates 2.5 billion people in the world are “unbanked”—without access to formal bank accounts. Mobile money programs offer a bridge toward financial inclusion, not just in developing countries but also for unbanked people such as the poor or immigrants in the West.

In Africa, where people were trying to transfer money from urban to rural areas or across borders, they had to rely on really insecure methods like giving the money to a bus driver to deliver,” says Janine Aron, economics professor at the University of Oxford in the U.K. and author of “‘Leapfrogging’: A Survey of the Nature and Implications of Mobile Money.” “In the West we have secure methods like credit cards, payment cards. People are suspicious of the security of mobile methods.” But in Africa, the mobile methods are more secure than the alternatives.

In Kenya, the biggest mobile phone operator, Safaricom, offers a service called M-Pesa—pesa is Swahili for money. Since its launch in March 2007, M-Pesa has reached 18 million active users among Kenya’s 43 million population.

In poor countries that rely heavily on cash, these services are likely to take off,” Dr. Aron says. Vodafone, which developed M-Pesa with Safaricom, took the mobile money program in March to Romania, after launching it in India last year.

In 2001, there was only one mobile money service for the unbanked, she says. By 2007, there were 11, including M-Pesa. Last year, there were 219, with the biggest growth in Africa.

Mobile money

M-Pesa takes advantage of Safaricom’s dense network of 45,000 agents who sell mobile phone airtime. People go into the Safaricom kiosk to top off their SIM cards. “My SIM card becomes my bank,” explains Sunil Gupta, business professor at Harvard University in Cambridge, Massachusetts. The Safaricom agents thus act as bank tellers handling cash, taking deposits and paying out withdrawals. The kiosks are open early and close late for maximum convenience.

Kenya has two commercial bank branches and about four automated teller machines per 1,000 square kilometers; high-income countries have an average of 28 branches and nearly 75 ATMs per 1,000 square kilometers, according to the World Bank.

The whole service has really helped compensate for the lack of infrastructure,” says David Albertazzi, senior analyst at Aite Group, a market research consultancy in Boston, Massachusetts. “The lack of infrastructure let mobile devices become that infrastructure.”

In addition, Kenyans mostly are using older models of mobile phones. That made the M-Pesa approach different from the fancy user interfaces and responsive Web design that vendors in high-income countries are developing for smart phones and tablets. “In the rest of the world, I don’t care how it looks—I just want to conduct transactions and I want it to be ubiquitous,” Mr. Albertazzi says.

The system continues to evolve. In December 2012, Safaricom partnered with Commercial Bank of Africa to launch M-Shwari, a service with a savings account that bears interest—important in a country with inflation topping 6%—and 30-day loans that can be applied for via SMS. The program is open to M-Pesa users who have had an account for at least six months. Algorithms analyze the customer’s transactions on M-Pesa to substitute for what in the U.S. would be a credit score. M-Shwari already has 2.4 million active users and has collected the equivalent of $21 million.

“It’s tremendously enabling,” Dr. Aron says. “It has reduced transaction costs and reduced risk.”

In the absence of credit information about people who don’t have bank accounts, banks have been reluctant to give loans. The lack of access to credit is a key culprit in Africa’s economic stagnancy—people can’t start small businesses because they don’t have enough savings (in cash) upfront; small businesses can’t get loans to expand. M-Shwari begins to address that situation by making small loans accessible—not only in terms of openness to a population who previously couldn’t get loans through a bank but also in terms of ease of use—a simple SMS.

However, only Kenya, Tanzania, Ghana and the Philippines have mobile financial services adoption rates above 10%, according to the World Economic Forum. Adoption of mobile financial services remains under 1% in some very populous countries, including India, Pakistan, Nigeria and Brazil.

The world’s poor have long been ignored, not just by banks but also by companies and governments, because the cost of reaching them was so huge, Dr. Gupta says, “That’s the next battle to win, for banks and the rest of the private sector.”

*For more from Catherine, contributors from the Economist Intelligence Unit along with industry experts, join The Future Realities discussion.