Canadian CU Gets A Hand In Managing Risk
Biometrics still may be a fringe technology to some-but to Credit Union Central of British Columbia (Central), fingerprint recognition is the way to secure high-risk applications.
"With fingerprint scanning and our Central Portal System, we have a mature infrastructure in place," said Jonah Zhao, the Central's associate vice president of Product Innovation and Client Support.
IT advisory firm International Data Corporation, Framingham, Mass., projects that the market for the most commonly used biometrics will grow to $75 million in 2006 from $36 million in 2001. Yet biometrics remains a "niche market," according to Charles Kolodgy, research director at IDC. Kolodgy added that challenge-reply and USB hardware tokens currently top the list for two-factor authentication.
Despite its outsider status, fingerprint scanning has proven itself at Central. The $3.7-billion CU trade association uses Santa Clara, Calif.-based Secugen Corp.'s fingerprint recognition scanners to verify the identity the internal users of its money transfer system, which sits behind Central's portal on the web.The Central Portal System is the gateway to an array of financial applications provided by Central to member CUs. Zhao labels the money transfer application as "high-risk." Each month, Central processes more than 12,000 payments within three Canadian provinces, including British Columbia, Manitoba and Nova Scotia."What really drives the biometric usage is the money transfer system, which is basically a wire transfer utility," he said. "The traditional user name and password authentication isn't secure enough for the purpose of transferring millions of dollars in a couple of seconds."
Biometrics seems to be enough, however. In the more than two years that the money transfer system has been protected by the biometric security, Central "hasn't had a single security incident," said Zhao.
And a recent annual internal security audit delivered a clean bill of health for the money transfer system.
Central employs 1,300 of Secugen's Eye-D Hamster scanners, enough to cover the 4,000 active users of the money transfer system, said Zhao. "In most cases, each user shares a single device."
To log on to the money transfer system, a user places his or her fingertip on a playing card-sized peripheral plugged into a USB port.
The sensor then matches the fingerprint scan against a stored mathematical equivalent.
High-risk money transfer capabilities will soon be extended to business members of Central's 65 independent credit unions.
"Money transfers are part of the new business version of our Internet banking product, which is geared to small to medium sized businesses," Zhao explained. "We will require the business members to use the fingerprint scanner to identify themselves."
The biometric devices were originally part of a bigger plan to save on networking and support, while increasing security, said Zhao. To carry out the plan, Central installed a new version of the money transfer system.
Previous client-server versions of the money transfer utility burdened Central's IT staff with software reinstallations.
With the newer web-based version, reinstallations are a thing of the past. And security is ensured by biometrics.
Zhao said that credit unions needn't worry about legislative roadblocks when considering privacy issues and biometrics. "Our employees didn't want to give up their fingerprints at first."
Central reassured employees that the recognition system doesn't store a copy of the user's fingerprint, Zhao said. "It just stores a mathematical equivalent that is not reproducible."
Biometrics have their foibles. Whereas users used to forget their user names or passwords when entering the money transfer system, users now sometimes forget which fingerprint they originally scanned and have to call Central's support desk.
"Particularly if the scanner is used by multiple users or if people move it around, infrequent users sometimes forget which finger they're supposed to use," Zhao said.
Biometric security costs are "quite acceptable," said Zhao.
Each device was priced in the "low hundreds-of-dollars range," he said. Given the choice of three types of fingerprint peripherals, Central chose the playing card-sized peripheral because "we thought it wouldn't wear out as easily."