Leveraging biometric authentication for ATMs
ATMs in the U.S. and other parts of the world have generally validated the identity of bank customers with something the user has (a card) and something the user knows (a PIN). This decades-old approach is increasingly vulnerable to fraud from a variety of methods. Worse, there are a growing set of digital credentials and identities being stored on ID cards, tokens and smart devices. Without biometrics, these digital identities are not securely bound to the actual person. Additionally, every new digital identity that is created represents yet another element to manage and, as such, becomes a threat to an individual’s one, true identity.
The banking industry continues to look at a number of measures to shore up security, and some measures, such as EMV cards, do address some aspects of the fraud problem. But only biometrics can answer the question of “who” is actually transacting and determine whether that person is a legitimate bank customer or a fraudster. When a biometric solution includes the ability to distinguish live fingerprints from fakes through “liveness” detection, concerns about loss of user privacy and identity fraud are assuaged.
Here are the five most popular ways that biometric authentication is being used today at ATMs and self-service kiosks:
PIN replacement. One common approach is to use the fingerprint in place of the PIN for the ubiquitous card-plus-PIN transaction. Fingerprint authentication is generally easier for the customer than remembering a PIN and it also brings a higher level of certainty about who is transacting. To be a successful component of a transaction, the biometric technology chosen must deliver the highest possible levels of reliability and performance.
With the fingerprint-plus-card approach at the ATM, the customer simply inserts the card and touches a finger to the reader to conveniently withdraw funds. Widely used today in Brazil, the card-plus-fingerprint solution is facilitating an estimated two billion ATM transactions annually for customers at four of the country’s top five financial institutions.
Multispectral imaging is a biometric technology that reads relevant fingerprint information from both the surface and subsurface of the finger. The extra data allows high biometric match performance with a single touch in any environment — and virtually eliminates the fraudulent use of counterfeit fingerprints. With this technology, two institutions in Brazil have enabled customers to enjoy cardless processing, eliminating the need for a PIN while offering the convenience of making the bank customer’s finger the only “key” or “wallet” necessary for accessing cash and conducting other transactions at an ATM. Users simply enter their account number and confirm the transaction with a fingerprint.
Proof-of-life for benefit distribution. For banks that administer citizen benefit programs, the assurance that a recipient is alive and present is critical. Argentina’s Banco Supervielle, for example, uses its kiosks to distribute pension benefits from that country’s social security administration. However, the bank had a significant problem with fraudsters trying to claim their deceased relatives’ pension benefits. To combat the problem, the bank began rolling out fingerprint authentication with multispectral imaging technology as part of a “proof-of-life initiative” in October 2013. The bank’s investment in biometric kiosks has resulted in considerable savings due to fraud reduction.
Provide authentication to new applications. A bank’s greatest investment in biometrics solutions is in the enrollment database. The availability of interoperable authentication devices enables banks to purchase from multiple vendors, permit cross-bank usage and pave the way for many new applications in the future. We have seen fingerprint authentication used for mobile payments and it can also be used to secure mobile banking by requiring a user to provide biometric credentials before accessing information or proceeding with a transaction. If interoperability is ensured, then fingerprint authentication on mobile devices could be used in conjunction with enrolled information that the bank uses for authentication at the ATM.
Multi-transaction sessions. Placing a finger on a sensor takes less time than keying in a PIN. When multiple transactions are desired in a single session, this time benefit is multiplied to provide a quick and easy way for a bank customer to authenticate each transaction so that the bank can enforce per-transaction authentication for greater security without compromising the user experience.
Incorporating biometrics directly into a smart card or mobile device. As banks migrate to a multi-channel strategy for their customers, they have the opportunity to incorporate a user’s biometric template on a smart device such as a smart card or smartphone. When a user biometrically authenticates at an ATM using the template on the smart card or smartphone, the bank is assured both that the smart device itself is genuine and that it indeed is associated with the known user. The ability to intelligently manage digital credentials on cards, phones and wearables — and bind those credentials to the legitimate user with biometrics — improves overall security and user convenience.
The goal of any transaction at the ATM is to conveniently provide a service while ensuring the identity of the individual to whom the service is being provided. Managing risk is a matter of balancing and, ideally, combining security and convenience. Biometric authentication provides this capability with the highest level of certainty, which is why it is increasingly popular for securing ATM transactions.