Understanding the Potential of Biometrics - Europe... · 2017-06-16 · – We need security…we...

Post on 12-Jun-2020


The Trusted Source for Secure Identity Solutions

© HID Global Corporation/ASSA ABLOY AB. All rights reserved.

An ASSA ABLOY Group brand

Understanding the Potential of Biometrics

Bill Spence | 12 June 2017
ATM & Cash Innovation Europe 2017 | Workshop


PROPRIETARY INFORMATION. Do not reproduce, distribute, or disclose. No unauthorized use.

Overview

Why Biometrics in Financial Applications?
Biometrics 101
Biometric Modalities
Applications
System Implementation
Installations


What questions do you want answered today?


Why Biometrics in Financial Applications?

Trust, Security, Convenience


Security is the foundation of trust

Stopping fraud

https://www.theguardian.com/world/2016/may/23/japan-cash-machine-100-thieves-steal-13m-dollars-three-hours
http://www.pymnts.com/news/security-and-risk/2016/taiwan-atm-heist-malware/


The Value of Consumer Trust

EY Global Consumer Banking Survey 2014

“Focusing on the customer experience is paramount to establishing complete trust....”


Why use biometrics in financial applications?

§ Convenience
  – We need security…we crave convenience
    • Drives customer loyalty and captures new ones
§ Enhance productivity
  – Faster transactions
    • Up to 70% reduction in cash withdrawal time
  – No password for employees
§ Give them choice – multiple strong authentication methods
  – Mix and match
    • Card and biometric
    • Phone and biometric
    • “Deviceless” - Account number and biometric


Transaction Security

EMV made cards more secure…

Biometrics is the EMV upgrade for the PIN


Biometrics 101

Capture > Liveness > Match


Capture

§ Capture
  – Image is everything in biometrics
  – It has to work
    • Bad images lead to bad decisions


Liveness

§ Security
  – Sensor dependent
  – Some modalities more resistant than others
§ Privacy
  – If you can’t use a fake then why collect the info?


Match

§ A match is the ultimate confirmation of the authorized person proving a live capture
§ Interoperability
  – Same enrollment template used in multiple applications
§ Implementation
  – Where is the match completed
    • Privacy
    • Security – encryption of data
    • Regulatory


Match

§ Recognizing the good guys is the key (FRR)
  – It has to work!!!!
    • Often incorrectly approached from the fraud perspective (FAR)
§ Biometrics can be adjusted to a point
  – Think car alarm…more cats or crooks
§ Intuitive use
  – Reduces error rates
  – Reduces enrollment training/cost


Your Deployment: The Real World

§ All sensors are not created equal
§ No silver bullet
§ Modality Fusion
  – Two bad biometrics don’t always make one good one
§ Geography and culture matter
  – Convenience is universal

What a lousy cruise ship!!!
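
The car-alarm trade-off (FAR against FRR) and the modality-fusion caveat from the two slides above, worked through as an added Python example that is not part of the original presentation. The scores, the 5%/10% error rates and the independence of the two modalities are constructed assumptions, not measurements.

```python
"""Added illustration: FAR/FRR trade-off and decision-level fusion.
All scores and rates below are constructed sample data."""

# Constructed similarity scores (0..100) for one hypothetical matcher.
GENUINE = [91, 88, 84, 79, 77, 72, 68, 63, 55, 41]    # right person
IMPOSTOR = [12, 18, 22, 27, 31, 35, 44, 52, 58, 66]   # wrong person


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds=(40, 50, 60, 70)):
    """FAR/FRR per threshold: raising it trades false accepts
    (crooks) for false rejects (cats setting off the alarm)."""
    return {t: rates(t) for t in thresholds}


def fuse(a, b, rule):
    """Combine two matchers given as (FAR, FRR) pairs.

    rule="and": both must accept; rule="or": either may accept.
    Assumes the two modalities' errors are independent.
    """
    (far_a, frr_a), (far_b, frr_b) = a, b
    if rule == "and":
        return far_a * far_b, 1 - (1 - frr_a) * (1 - frr_b)
    if rule == "or":
        return 1 - (1 - far_a) * (1 - far_b), frr_a * frr_b
    raise ValueError("rule must be 'and' or 'or'")


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold {t}: FAR={far:.0%} FRR={frr:.0%}")
    weak = (0.05, 0.10)  # constructed: 5% FAR, 10% FRR per modality
    for rule in ("and", "or"):
        far, frr = fuse(weak, weak, rule)
        print(f"{rule.upper()} fusion: FAR={far:.4f} FRR={frr:.4f}")
```

With these numbers, AND fusion nearly doubles the false reject rate and OR fusion nearly doubles the false accept rate, so fusing two weak modalities improves one error rate only by giving up the other.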


Biometric Modalities

Choices and Considerations


Face

Considerations
§ Ease of use – Depends
  – Do I need to look at something?
§ Liveness
  – 3D harder to fake compared to 2D
§ Many degrees of freedom
  – Looking at the camera, head tilt, background light, lack of light
  – Less secure than many other technologies
  – Deep learning having a major impact
§ Privacy
  – Can be captured and used without permission, but do you care?
  – Recognition the way humans recognize each other
§ Can use mobile camera
  – Ambient light issues enhanced


Iris

Considerations
§ Highly accurate
§ Getting the image can be a challenge
  – Head position/Glasses
  – Illumination/Ambient Light/Color Variation
§ Interoperability very high
§ Liveness
  – Some sensors can stop fakes, but can impact error rates
  – No updating
§ Mobile sensors available
  – Recently deployed…special illumination on Samsung S8
  – Recently hacked


Vein

Considerations
§ Palm, finger, eye
§ Characteristic internal to hand/finger/eye
  – Low probability of damage
  – Cannot be directly imaged
  – Eye uses ocular characteristics as well
§ Positioning is important
  – Training can become an issue
  – Getting the image can be a challenge
§ No interoperability
§ Liveness
  – Requires trusted enroller
  – Not active
§ No mobile sensors available


Voice

Considerations
§ You just need to talk and a microphone
§ Variability can hurt “image” quality
  – Ambient noise
  – Normal vocal variability
  – Microphone characteristics create noise
§ No Interoperability
§ Liveness
  – Not intrinsic, but can leverage pass phrase
§ Mobile sensors available


Fingerprint — Conventional

Considerations
§ Optical, Silicon, LES
§ Image quality impacted by many factors
  – Dryness of skin or air
  – Water
  – External skin damage and aging
§ Interoperability very high
§ Intuitive use
§ Liveness
  – Some can stop simple fakes
  – No updating
§ Mobile sensors available – Limited usability and security


Fingerprint — Multispectral

Considerations
§ Captures external and internal fingerprint
  – Capillaries in fingertip mimic external print – think vein
§ Designed for best possible image quality
  – Not impacted by dryness of skin or air
  – Water enhances images
  – Internal info used if external is damaged
§ Interoperability very high
§ Intuitive use
§ Liveness
  – Uses internal finger data
  – Field updatable
§ No mobile sensor


Applications

Customers and Employees


Customer Authentication

§ Grow convenience and reduce fraud
§ Multichannel authentication
  – Online/mobile banking
  – ATM transactions
  – Teller
  – Call center
  – Safe deposit box


Employee Authentication

§ Enhance productivity and security
  – Log In
    • Network logon
    • Call center/remote logon
  – Transaction Verification
    • Customer records
    • Approvals
  – Physical Access
    • ATM
    • Branch
    • Safe Boxes


System Implementation

Data, encryption, architecture


Implementation

§ Where does the authentication take place?
  – ATM/Teller – fixed or mobile or both
  – Bank Employees – fixed
    • Citibank uses fingerprint for employee log on
    • Enhances customer impression that security is taken seriously
§ Using a mobile phone’s biometric sensors?
  – Customer is trained…maybe
  – Major variation in spoof protection, if any
  – Authentication device is out of the bank’s control
  – Both authentication channels come from single device


Implementation

§ Where does enrollment take place?
  – At the Branch
  – At the ATM
  – At Home
§ Where is the template stored?
  – Templates are like long PINs – it’s PI
  – Template on card or phone
    • EMVco standard for biometric terminals released in March
    • Contactless - template on phone
    • Template on server


Implementation

§ The Backend
  – Match on ATM PC
  – Match on sensor
  – Match on server
  – Encryption across all
    • Tamper resistance
  – Match on phone


Match on ATM PC

Fingerprint sensor in ATM
• Capture fingerprint
• Check liveness
• Generate template

Template in the clear over encrypted channel

Pros
• Less cost vs sensor match or server match
• Enrollment template stays inside ATM PC

Cons
• Risk of biometric DB hack
• Risk of Man-In-Middle
• Risk of ATM PC malware


Match on Server

Fingerprint sensor in ATM
• Capture fingerprint
• Check liveness
• Generate template

Live template sent to server in the clear

Pros
• Central administration
• Enrollment template stays in the server

Cons
• If user retries at ATM, must resend template (delay)
• Risk of biometric DB hack
• Man-In-Middle risk


Match on ATM Sensor

Fingerprint sensor in ATM
• Capture fingerprint
• Check liveness
• Generate template

Live template kept in sensor

Pros
• Central administration
• Match on Sensor avoids malware on ATM
• Only send template once, even if user retries at ATM

Cons
• Risk of biometric DB hack
• Man-In-Middle risk


Match on Server (Encrypted)

Fingerprint sensor in ATM
• Capture fingerprint
• Check liveness
• Generate template

Live template encrypted and sent to server

Cons
• If user retried at ATM, must resend template (delay?)
• Crypto cost & complexity

Pros
• Central admin & ATM network
• Crypto prevents Man-In-Middle
• Crypto protects biometric DB
• Anti-tamper: zeros crypto keys


Match on ATM Fingerprint Sensor (Encrypted)

Fingerprint sensor in ATM
• Capture fingerprint
• Check liveness
• Generate template

Live template stays in the sensor

Pros
• Central admin & ATM network
• Send template once, even if user retries at ATM
• Crypto prevents Man-In-Middle
• Crypto protects biometric DB
• Anti-tamper: zeros crypto keys

Cons
• Crypto cost & complexity
• Slightly longer process time


Match on Phone

Phone’s biometric sensor
• Capture fingerprint
• Check liveness
• Generate template

Live and stored templates stay in the phone

Pros
• Simplifies backend
• User chooses modality and is trained
• User controls template

Cons
• Varying degrees of spoof protection
• All authentication channels in one device and beyond control of the bank
• Untrusted enrollment

PAN Tokenized


Installations


Installations

§ Does anyone have a pilot or implementation in progress?

§ Can it really scale?
  – Pilots are just pilots
    • Lots of transactions needed to understand the performance
    • Need to test over time


Over the Phone: Voice

§ Voice recognition replaces passwords
§ Telephone and online banking customers — call centers
§ Example: Barclays
  – Digital profile of the customer’s voice created using data from just three phone calls
  – “Incredibly popular”, with the time taken to verify identity falling from 1.5 minutes to less than 10 seconds.
  – Rolled out to 12m retail banking customers

https://www.theguardian.com/business/2016/feb/19/hsbc-rolls-out-voice-touch-id-security-bank-customers


On the Mobile Device: Face / Eyes

§ Mobile: customer uses their own device

§ Smartphone camera performs biometric acquisition

§ Example: Wells Fargo
  – Eyes: Customer centers their eyes on the screen then looks to the side to image the veins
  – Face + voice: Customer centers their face on the screen then reads numbers

http://www.latimes.com/business/la-fi-cutting-edge-eyescan-20160306-story.html


At the ATM: Iris

§ Iris recognition at ATMs

§ Card and PIN replacement

§ Example: Qatar National Bank
  – Card and PIN replacement
  – Non-contact / sanitary

http://www.gulf-times.com/story/453789/QNB-first-bank-in-Qatar-to-launch-Iris-scan-techno


At the ATM: Palm Vein

§ Palm vein recognition at the ATM

§ Example: Bradesco
  – 700m transactions in Brazil

https://www.nytimes.com/2017/02/13/business/dealbook/banks-look-to-cellphones-to-replace-atm-cards.html


At the ATM: Finger Vein

§ Finger Vein recognition at the ATM

§ Example: Planet Cash ATM network (Poland)
  – 1730 Wincor Nixdorf and Diebold ATMs
§ Example: Japan
  – 75,000 finger vein scanners have been shipped for use in ATMs in the country

http://www.zdnet.com/article/giving-cash-machines-the-finger-new-polish-network-ditches-bank-cards-for-vein-scanning/
http://www.leadersinsi.de/zbiom/


At the Teller/Network: Fingerprint

§ Fingerprint authentication
  – Access to network for employees
§ Replaces need for password
§ Example: USA – Major Global Bank
  – Thousands of sensors deployed
  – All branches


At the ATM: Multispectral Fingerprint

§ Fingerprint authentication at the ATM

§ Can be PIN replacement or cardless

§ Example: Brazil
  – 4 billion transactions a year
  – 85,000 ATMs
  – Bradesco is the only bank that doesn’t use multispectral fingerprint authentication


Summary

§ Convenience can be as valuable as fraud reduction

§ Image capture and liveness are critical for any biometric

§ No silver bullet – give them choice

§ Biometrics are replacing an EPP – make it as secure

§ Pilots need to be large to understand true performance

§ Some technologies have proven they can scale – others have not


Questions?

Bill Spence
Vice President of Sales, U.S. and Western Europe — Biometrics

HID Global

Mobile: +1 408 891 4091

bspence@hidglobal.com