Showing posts with label behavioral biometrics.

Tuesday, 9 February 2016

Top Trends for Biometrics in Financial Services

Biometrics is a technology that is being adopted rapidly by the financial services industry, and the adoption is not confined to mobile. Mobile is a growing channel for the delivery of financial services and will start to dominate most financial sectors over the next five years, but the other channels (ATM, branch, web, contact centre) remain a vital part of any delivery strategy.

This is the main message I learnt after spending the second half of 2015 researching how biometrics is becoming an important tool in the security toolbox for fighting financial fraud and identity theft.

In a series of analyst reports published by Goode Intelligence in June, October and December 2015, I carried out a deep dive into the adoption of biometric technology in financial services, covering banking, payments and mobile-based biometric services.

In the reports I identified five key trends that are currently shaping this market.

Bye Bye PINs for ATM Security

ATMs are unattended, and when I type in my PIN I am always uber-aware of who is standing behind me in case they are trying to steal it. Being a paranoid sort of person I go through a series of checks, including looking for ATM skimmers or evidence that a camera may be pointing at the keypad. Banks have installed awareness notices and stuck-on mirrors to help me protect my PIN, but it shouldn't have to be like this.

Things are changing: banks are modifying their ATMs to phase out PINs in favour of biometrics, and there is choice in how the biometric is deployed. A bank can integrate a sensor into the ATM itself (fingerprint, palm-vein, finger-vein and iris are all in use) and then either go cardless (the biometric replaces the plastic) or keep the card, with the template stored on the card and the live capture at the ATM matched against it, so the template never has to sit in a central database. There is also a mobile route that removes both the plastic card and the need for specialist sensors at the ATM; Hoyos Labs has a neat solution in which the phone interacts with the ATM using a combination of a barcode and mobile biometric authentication. And if you like plastic cards, a number of vendors, including Zwipe, have integrated a fingerprint sensor into the card itself to replace the PIN: the card only works once the authorised user's finger has been placed on the sensor.

Authenticated Contactless Mobile Payments

One of the more visible success stories for biometric adoption in financial services has been mobile biometric contactless payments. Apple Pay and Samsung Pay both use the phone's integrated fingerprint sensor to authorise contactless payments in physical stores. A PIN adds friction to the in-store payment experience, so the choice has been either to skip user authentication and cap the transaction amount (tap and pay for low-value payments) or to replace the PIN with a method that doesn't slow the experience down but still adds a level of security.

How to tackle rising levels of Card-Not-Present Fraud?

Technology does reduce fraud, but it also displaces it. The deployment of EMV chip cards has reduced fraud at the physical point of sale, so criminals have moved online to attack the channels that the EMV chip cannot protect. The rise of Card-Not-Present (CNP) fraud, especially in eCommerce, together with the move towards mobile commerce, has created the need for user authentication and transaction verification that is both secure and convenient. Biometrics offers a viable solution. Expect to see the payment networks start to roll out mobile-based biometric solutions that aim to tackle CNP fraud, including support for biometric authentication within 3D Secure 2.0.

Wearable Payments to support Biometric Authentication 

It is early days for wearables; the market is fragmented and too few devices are in consumers' hands. This will change, and as more apps deliver financial services to bands and smartwatches, the need to validate identity and protect commerce will become critical. For wearables it is important to pick a biometric modality that suits the device and the application, so expect to see technology such as electrocardiogram (ECG), behavioural and vascular biometrics, traits that can be captured while the device sits against the wearer's skin, integrated into the next generation of devices. Brainwave for Glass perhaps?

Financial-grade multi-modal biometric authentication to become the de facto standard for mobile banking apps

The final trend that I am pulling out of these reports is part of a movement to increase the security of mobile-based biometric solutions without adversely affecting convenience, while ensuring that financial services providers retain ownership of identity. The industry needs to ensure that the biometric technology is hard to spoof (liveness detection), that the protocols cannot be compromised and that the vulnerabilities seen in existing 2FA solutions, including replay and man-in-the-middle attacks, are not reintroduced; a biometric match result that is not bound to the specific transaction and session can be replayed just like a captured one-time code. At the same time the solution has to be easy to use, scalable and able to fit into existing identity lifecycle management tools (can I revoke a credential?). Using more than one biometric modality in a banking app, face and voice for instance, can increase security and also give consumers choice. A service provider can also match the modality to the context of the login or transaction attempt: a fingerprint may open the app, but a challenge using another modality may be needed to send a payment to a new beneficiary.
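To make the context-driven step-up described above concrete, here is an added Python example written for this page (it is not Goode Intelligence's code nor that of any vendor named here). It evaluates whether the factors verified so far in a hypothetical mobile banking session satisfy a per-action policy and, if not, which authenticators could be used to step up. The action names, the authenticator catalogue, the freshness limits and the `evaluate` function are all assumptions for illustration; the factor categories follow the knowledge/possession/inherence split used in the ECB definition of strong customer authentication.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple

# Added example: per-action step-up policy for a hypothetical banking app.
# Everything below (authenticator names, actions, age limits) is assumed.


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user has
    INHERENCE = "inherence"    # something the user is (a biometric)


# Catalogue of authenticators the app can invoke, each mapped to one category.
AUTHENTICATORS = {
    "pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "device_key": Category.POSSESSION,  # key held in the enrolled phone's secure hardware
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "voice": Category.INHERENCE,
}


@dataclass(frozen=True)
class Verification:
    authenticator: str  # key into AUTHENTICATORS
    age_s: int          # seconds since this factor was last verified in the session


@dataclass(frozen=True)
class Requirement:
    min_categories: int  # distinct factor categories that must be fresh
    min_modalities: int  # distinct biometric modalities that must be fresh
    max_age_s: int       # a verification older than this no longer counts


# Per-action policy: riskier actions demand more factors, more modalities and fresher proof.
POLICY = {
    "open_app": Requirement(min_categories=1, min_modalities=0, max_age_s=900),
    "pay_known_beneficiary": Requirement(min_categories=2, min_modalities=1, max_age_s=300),
    "pay_new_beneficiary": Requirement(min_categories=2, min_modalities=2, max_age_s=120),
}


def evaluate(action: str, verified: Iterable[Verification]) -> Tuple[bool, List[str]]:
    """Return (allowed, challenges).

    `challenges` lists authenticators that would cover the unmet part of the
    policy; it is empty when the action is allowed as-is.
    """
    req = POLICY[action]
    fresh = [v for v in verified if v.age_s <= req.max_age_s]
    categories = {AUTHENTICATORS[v.authenticator] for v in fresh}
    modalities = {v.authenticator for v in fresh
                  if AUTHENTICATORS[v.authenticator] is Category.INHERENCE}

    if len(categories) >= req.min_categories and len(modalities) >= req.min_modalities:
        return True, []

    challenges = set()
    if len(categories) < req.min_categories:
        # Offer authenticators from categories not yet covered, so the step-up
        # adds an independent factor rather than a second one of the same kind.
        challenges |= {a for a, c in AUTHENTICATORS.items() if c not in categories}
    if len(modalities) < req.min_modalities:
        # Offer biometric modalities not yet used in this session.
        challenges |= {a for a, c in AUTHENTICATORS.items()
                       if c is Category.INHERENCE and a not in modalities}
    return False, sorted(challenges)


if __name__ == "__main__":
    session = [Verification("device_key", 5), Verification("fingerprint", 5)]
    print(evaluate("open_app", session))             # (True, [])
    print(evaluate("pay_new_beneficiary", session))  # (False, ['face', 'voice'])
```

Note the freshness rule: a fingerprint match that unlocked the app fifteen minutes ago does not count towards a payment, so the second biometric challenge is tied to the transaction being authorised rather than to the session. In a real deployment the match result should also be bound server-side to the transaction details (amount, beneficiary, a server nonce) so that a captured approval cannot be replayed against a different payment.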

To conclude: established financial services organisations, challenger banks and the emerging FinTech providers all now understand the importance of choosing the most appropriate user authentication and transaction verification technology, one that works across all finance channels and meets the needs of both convenience and security. Biometrics certainly ticks the convenience box, with millions of customers around the world paying for products and accessing mobile banking with the touch of a finger or by taking a selfie. A number of biometric platforms are also being introduced that tick the security, regulatory and privacy boxes, including IEEE's Biometric Open Protocol Standard (BOPS, IEEE 2410).

What is exceptional about this market is the sheer scale of deployment that has already taken place and the enormous potential still to come. From millions of Brazilians withdrawing cash every day from biometrically enabled ATMs, to mobile banking customers accessing their accounts with the touch of a finger or by taking an image of their face, the use of biometrics in financial services is improving security, reducing financial fraud and removing the need for cumbersome authentication solutions that are not fit for purpose in today's hyper-connected world.

Monday, 2 February 2015

The Impact of Privacy and Data Protection Legislation on Biometric Authentication

As more and more biometric solutions are deployed to mainstream digital services, questions about the privacy and security implications of biometrics are increasingly being asked, and the concerns are growing in step with the technology's expansion on to consumer services.

As biometric data is captured and stored on a wide range of smart mobile devices (SMDs), including Apple's iPhone and iPad and Samsung Galaxy and Huawei smartphones, or held in cloud-based biometric databases, there are inevitably questions about how this incredibly personal data of ours is being protected.

There is much debate about the relative merits of the two trust models, device-centric (the template is stored and matched on the device, the approach Apple and FIDO employ) versus server-centric (the template lives in a cloud database): is the device-centric model too restrictive, and can I trust the security of a database-based solution?

How, and where, is my biometric data being stored? Who has access to it? How well is it protected? When I enrol my fingerprint on my smartphone, is it stored in secure hardware and does it ever leave the Secure Enclave? What legislation and regulation is in place to cover the privacy and security aspects of biometric technology?

These are all valid questions that citizens, service providers, biometric technology vendors, governments and hardware manufacturers need to answer.

Regulation is still playing catch-up with the proliferation of biometric authentication and identity systems, and in many regions there is little control over how biometric data is captured, stored and accessed. This is an alarming situation.

In a number of regions, including the European Union (EU), biometric data is treated as personal data and is therefore governed by data protection and privacy legislation.

In the case of the EU, protection of privacy and personal data is covered by the Data Protection Directive of 1995 (officially Directive 95/46/EC). The directive relates to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In April 2012 the Article 29 Working Party issued an Opinion on biometric technologies, with particular attention to fingerprint, vein pattern, facial, voice, DNA and signature biometrics.[1] The Opinion aims to provide a framework of recommendations and guidelines for applying data protection rules to biometric applications.

The Opinion makes a number of legal and technical recommendations relating to biometric data, including guidance on user consent, contract and the concept of "privacy by design" for biometric systems.

In other regions, including Australia, Canada and the USA, there is federal and state data protection legislation that could be applied to biometric data, but little that is biometric-specific (Illinois is a notable exception with its 2008 Biometric Information Privacy Act, and there have been attempts to bring biometric data into general data protection legislation in Australia).

In addition to federal and state data protection legislation there is sector-specific regulation and guidance. Financial services is one sector with a decent track record on data protection and identity (including authentication) matters, and there are relevant references in the EU's second Payment Services Directive (PSD2). PSD2 regulates payment services and payment service providers such as banks within the EU and recommends "various due diligence procedures in regard to the safety of personalised security features of payment authentication instruments."

PSD2, which is expected to be adopted during 2015, requires 'strong customer authentication' for electronic payments and counts a biometric characteristic as one of the three admissible factor categories, so a well-designed biometric system is treated as a legitimate and advisable option. Strong customer authentication is defined by the European Central Bank (ECB) in its "Recommendations for the security of internet payments".[2] The report defines it as "a procedure based on the use of two or more of the following elements– categorised as knowledge, ownership and inherence: (i) something only the user knows, e.g. static password, code, personal identification number; (ii) something only the user possesses, e.g. token, smart card, mobile phone; (iii) something the user is, e.g. biometric characteristic, such as a fingerprint". The elements must be independent, so two biometrics captured by the same compromised device do not count as two factors.

Fingerprint authentication has been one of the fastest-growing authentication technologies ever, offering a convenient method for authenticating users, especially on smart mobile devices, but it is not the only biometric method that will gain widespread adoption. I am a big fan of behavioral biometrics, especially for financial services, because it fits well into the anti-fraud and risk management systems that financial companies already run. It can also complement existing authentication, biometric or otherwise, by giving service providers a much more accurate way of establishing that a particular device or web session is actually being used by the legitimate user rather than being in the hands of a fraudster.

Behavioral biometrics is based on a behavioral trait of an individual: how that individual uniquely interacts with a device, be it a smartphone or a laptop accessing a website. Behavioral traits include keystroke dynamics (the timing and rhythm of typing, such as how long each key is held and the gap between successive keys), mouse movement, and interactions with a touchscreen such as swipe speed and pressure. Because these traits are observed continuously during a session rather than only at login, they can flag a session whose behaviour changes part-way through, which a one-off check at login cannot do.
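To make the keystroke side of this concrete, here is an added Python example written for this page (it is not BehavioSec's algorithm or code, nor Goode Intelligence's) of the simplest form of keystroke-dynamics verification: it turns raw key press/release timestamps for a fixed phrase into dwell and flight times, builds a per-user template from a few enrolment samples, and scores a new sample by its average z-distance from that template. The phrase, the timings and the acceptance threshold are all constructed for illustration.

```python
import statistics
from typing import List, Sequence, Tuple

# Added example: fixed-text keystroke dynamics. A sample is a list of
# (key, press_ms, release_ms) events for one typing of the phrase.
Event = Tuple[str, int, int]


def make_sample(keys: str, dwells: Sequence[int], flights: Sequence[int]) -> List[Event]:
    """Build press/release events from hold times and inter-key gaps (constructed data)."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


def features(sample: Sequence[Event]) -> List[float]:
    """Dwell time of each key, then flight time (release to next press) between keys."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enrol(samples: Sequence[Sequence[Event]]) -> List[Tuple[float, float]]:
    """Per-feature (mean, std dev) template; std dev is floored at 1 ms to avoid division by zero."""
    columns = zip(*(features(s) for s in samples))
    return [(statistics.mean(c), max(statistics.pstdev(c), 1.0)) for c in columns]


def score(template: Sequence[Tuple[float, float]], sample: Sequence[Event]) -> float:
    """Mean absolute z-score of the sample against the template (0 = identical rhythm)."""
    f = features(sample)
    return sum(abs(x - m) / sd for x, (m, sd) in zip(f, template)) / len(f)


def verify(template: Sequence[Tuple[float, float]], sample: Sequence[Event],
           threshold: float = 2.0) -> bool:
    """Accept when the sample's rhythm is within `threshold` standard deviations on average."""
    return score(template, sample) <= threshold


# Constructed enrolment data: four typings of "bank" by the legitimate user.
PHRASE = "bank"
ENROLMENT = [
    make_sample(PHRASE, [90, 85, 95, 88], [120, 110, 130]),
    make_sample(PHRASE, [95, 80, 100, 92], [115, 120, 125]),
    make_sample(PHRASE, [88, 90, 90, 85], [125, 105, 135]),
    make_sample(PHRASE, [92, 84, 97, 90], [118, 112, 128]),
]
TEMPLATE = enrol(ENROLMENT)

# Constructed probes: the same user again, and someone else typing the same phrase.
GENUINE = make_sample(PHRASE, [91, 86, 96, 89], [121, 111, 129])
IMPOSTOR = make_sample(PHRASE, [140, 150, 145, 160], [250, 60, 300])

if __name__ == "__main__":
    print(round(score(TEMPLATE, GENUINE), 2), verify(TEMPLATE, GENUINE))    # low score, True
    print(round(score(TEMPLATE, IMPOSTOR), 2), verify(TEMPLATE, IMPOSTOR))  # high score, False
```

The threshold is the trade-off: lowering it rejects more impostors but also more genuine typings on a bad day (false rejections), which is why production systems feed a continuous score into the risk engine and keep re-scoring throughout the session rather than making a single accept/reject decision at login, and why they update the template over time as a user's rhythm drifts.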

Goode Intelligence has just published a white paper, commissioned by behavioral biometrics specialist BehavioSec, investigating the impact of privacy and data protection legislation on biometric authentication; it is available free to download from Goode Intelligence.

As always, I welcome your thoughts and opinion on this blog and on the contents of the white paper.

[1] Article 29 Data Protection Working Party, Opinion 3/2012 on developments in biometric technologies, 00720/12/EN WP193, adopted 27 April 2012: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf