Attempts at gaining illegal access to corporate data represent a never-ending headache in both the private and public sectors, wherein security managers are keen to exploit biometric technologies to stem the tide. Peter Jones explains how ‘the next generation’ systems are already proving their worth inside many of Japan’s major financial institutions.

If you’re talking about biometric security systems and their development, Hollywood most certainly has a lot to answer for! Imagine, for a moment, that you’re a high-tech criminal, and that you urgently need to break into a highly secure building rich in biometric access control systems... In the celluloid world you’d have several options open to you. You could use candle wax to copy the security officer’s fingerprint(s)… Or, if you are particularly vindictive and have neglected to pack any candles, you can simply look to sever one of the officer’s fingers instead...

Security officers and their managers the length and breadth of the UK will be pleased to know that these urban myths simply aren’t true. In the real world, biometric technologies are eminently more advanced than this! Some, for example, will check for blood supply when scanning a fingerprint, preventing any intruders from gaining illegal entry under morbid circumstances.

Many years of development and testing have meant that, at long last, biometrics are finally ‘coming of age’ as a viable and robust security solution. At present, there are three main areas where biometrics are to the fore – iris, face and fingerprint recognition. Facial recognition systems have been under severe scrutiny of late owing to their deployment in trials for biometric passports (a forerunner to the Government’s proposed biometric ID cards, slated to become compulsory by 2009).

There is also a pilot scheme in place that uses a system of electronic embarkation controls at borders in conjunction with biometric ID cards. This will help in providing an efficient computer record of the 90 million-plus travellers who move in and out of the UK each year.

Of course, there are two main applications for biometric technology (with which you will also no doubt be familiar): authentication and identification. The former is concerned with verifying that an individual is who they claim to be when they interact with a given system. Identification, on the other hand, involves recognising an individual as they walk into a bank, for example.

Card fraud: urgent measures needed

On the subject of banks, card fraud is now costing UK businesses millions of pounds every year in lost revenues. According to the Association of Payment Clearing Services (APACS), UK losses attributable to credit card fraud alone soared to a mammoth £504 million in 2004, up 20% on the previous 12 months. This equates to £10.77 for every adult in the UK. Urgent measures are clearly paramount if these losses are to be reduced.

The latest British Retail Crime Survey ('Counting the cost', SMT, December 2005, pp22-24) reported a reduction in card fraud for 2004, but studies just conducted by the University of East Anglia (UEA) cast doubts on any assertion that the problem is regressing.

Investigations led by the UEA’s Emily Finch indicate that criminals have adapted very quickly to the new Chip and PIN environment, and are continuing to obtain money illegally. According to Finch, one of the failings of Chip and PIN technology is that many people neglect to cover their PIN when entering it at the terminals. Thieves ‘shoulder surf’ to learn the PIN. They steal the card. They can then fraudulently obtain money from accounts to pay for goods and services. As is the case with any PIN-based security solution, individuals become complacent. The end result is fraud.

Even prior to the introduction of Chip and PIN, fraud at UK cash machines had already increased from £41.1 million in 2003 to a staggering £74.6 million come 2004, representing a year-on-year increase of 81%. Is there a solution to this?

The UK’s financial establishments could do worse than look to Japan if they wish to source a viable and tested solution that will help stem these losses. Japanese banks have embraced biometrics as a reliable, accurate and robust means of preventing card fraud. Indeed, Japan’s third largest bank – The Bank of Tokyo-Mitsubishi – recently introduced a biometric security system based on vein pattern recognition.

Three stages of security

Unauthorised cash withdrawals using fake ATM cards represent a major problem in Japan, prompting mass investment in secure ATM solutions. Financial institutions including the Mizuho Bank, the Sumitomo Mitsui Banking Corporation and the Bank of Kyoto have embraced both finger and palm vein authentication technologies for their ATMs to create a more secure environment for transactions. In practice, ATM users are required to insert their debit or credit card and enter a PIN unique to them. They are then required to place a finger or palm over a dedicated scanner in order to validate their identity before proceeding with a transaction.

The system ensures that users provide something they ‘own’ (the credit or debit card), something they ‘know’ (the PIN) and something they ‘are’ (the biometric identifier) before any transaction may be processed.

The pattern of the blood vessels inside a person’s finger provides a unique feature that can be used as a key for authentication purposes. Finger vein authentication uses near infrared light and a special scanner to capture each person’s unique finger vein pattern for use as a biometric key. Using a particular image processing algorithm, this pattern is converted into a format that is readily usable in a systems environment. This repeatable pattern can then be stored in a secure database or a portable device (such as an IC card) as part of a registration process. Each time a user seeks to make a transaction, a scan of their finger vein will be correlated with the stored record to check for a match.

The finger vein is one of the most practical constituents of the body to consider for biometric vein pattern authentication. Each finger boasts a unique vein pattern and, dependent upon the application, a user is able to register a number of different fingers with the system. This provides for back-up in the event that one finger is damaged, and allows for the management of ‘duress’ conditions.

For secure applications it may be important to manage the situation when a user is being forced to authenticate their identity against their will. This could be the case whenever someone is being urged to open a door to a secure area or access funds via an ATM. If the user places the finger previously registered as the ‘duress’ finger into the scanner, the authentication system is then able to detect the situation and raise an appropriate alarm.
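The three-factor check and the ‘duress’ finger described above can be sketched as follows. This is an added example, not code from any bank or vendor named in the article: the 256-bit templates, the bit-difference matcher, the 10% threshold, the account layout and the policy of allowing a duress transaction while raising the alarm are all assumptions made for illustration.

```python
import hashlib, hmac, os

THRESHOLD = 0.10  # assumed: max fraction of differing bits accepted as a match

def pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(pin, fingers):
    """fingers: {label: (template_bytes, is_duress)} captured at registration."""
    salt = os.urandom(16)
    return {"salt": salt, "pin": pin_hash(pin, salt), "fingers": dict(fingers)}

def distance(a, b):
    """Fraction of differing bits; templates of unequal length never match."""
    if len(a) != len(b):
        return 1.0
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def authenticate(accounts, card_id, pin, scan):
    """Return (decision, duress_alarm) after checking all three factors."""
    acct = accounts.get(card_id)                      # something you own
    if acct is None:
        return "deny", False
    if not hmac.compare_digest(pin_hash(pin, acct["salt"]), acct["pin"]):
        return "deny", False                          # something you know
    # Something you are: the closest enrolled finger must be within threshold.
    template, is_duress = min(acct["fingers"].values(),
                              key=lambda f: distance(scan, f[0]))
    if distance(scan, template) > THRESHOLD:
        return "deny", False
    # Assumed policy: a duress match is accepted so the user is not put at
    # risk, while the alarm flag is passed on to monitoring.
    return "allow", is_duress

# Constructed sample data: 256-bit stand-ins for extracted vein templates.
INDEX = bytes([0xAA] * 32)
MIDDLE = bytes([0x55] * 32)                   # registered as the duress finger
ACCOUNTS = {"card-0001": enroll("4921", {"index": (INDEX, False),
                                         "middle": (MIDDLE, True)})}
NOISY_INDEX = bytes([0xAB] * 4) + INDEX[4:]   # same finger, 4 bits of scan noise
STRANGER = bytes([0xF0] * 32)                 # finger that was never enrolled

if __name__ == "__main__":
    for name, scan in [("index", NOISY_INDEX), ("duress", MIDDLE),
                       ("stranger", STRANGER)]:
        print(name, authenticate(ACCOUNTS, "card-0001", "4921", scan))
```

Lowering `THRESHOLD` reduces false acceptances at the cost of rejecting more genuine but noisy scans, which is the trade-off between acceptance and rejection rates that any deployment has to tune.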

Applications on a wider scale?

It has been argued by some parties that biometric authentication technologies are too invasive and unreliable for them to be deployed as part of wide-scale applications (including ATM security). Such opinions are all-too-often based on older, less reliable forms of biometric technology or unsubstantiated assertions.

The next generation of finger or palm vein-based authentication solutions is regarded by many as being far more secure than those using voice, face or fingerprint recognition. The false acceptance rates for vein-based biometric solutions are as low as 0.0001%, with a verification time of less than 0.5 of a second. However, if this technology is to be successfully adopted across the UK it is crucial that rejection rates are minimised at all times, and that reliability levels remain extremely high.

Finger vein scanners remain unaffected by factors such as cold weather, or any physical damage to the surface of the hand. That is not the case with fingerprint-based solutions. Voices, facial features and iris patterns have the potential to be copied since they are clearly visible external characteristics. Traditional security features such as entrance keys and cards are easily lost, and may be exploited by others. Password systems can become impractical as more and more passwords are required for different applications (which can make the use of these services less convenient for the consumer).

A major challenge to the full-scale adoption and expansion of biometric security solutions is the need to overcome interoperability issues. Several competing solutions employing proprietary technologies can only hold biometrics back. Future uptake will also depend on the relationships between solution suppliers and their desire to work together.

While one bank may view the installation of biometrics as a unique marketing tactic, if UK banking systems – such as the LINK network – are to be sustained as viable services then an interoperable solution would have to be rolled out across the whole UK banking network.

Those with a vested interest in preventing fraud should already be looking at the next generation of security solutions as they seek to reduce losses from the bottom line.

The liabilities merchants accepted with the introduction of Chip and PIN have exposed them to the financial penalties of fraud more than ever before as they are now wholly responsible for the cost of fraudulent transactions (unless they have adopted Chip and PIN and/or can demonstrate that they have taken adequate precautions to prevent fraud).

Longer term, it is vital that members of the general public view biometrics as a valuable asset in the fight against crime: a feature that will ultimately protect their interests as well as their bank balances.

In the UK, public attitudes to biometric solutions have been co-opted into a wider debate about the feasibility, viability and desirability of the Government’s proposed identity card scheme. It is absolutely crucial that members of the general public view biometric security features as a valuable asset in the fight against crime: a feature that will protect their interests as well as their bank balances. The suppliers of biometric solutions, the major banks, card issuers and retailers all have an important role to play in educating end users.