Looking for ways to beef up security in the aftermath of the Sept. 11 attacks, Citibank is putting a renewed emphasis on biometrics as a way to authenticate users of its systems.
John Bree, a vice president and the director of risk control and loss prevention at the Citigroup Inc. unit, says he envisions a system that will be able to recognize anybody, anywhere, any way and authenticate customers and employees at its branches, over the Internet, over the telephone, or even through mobile devices.
Today biometrics are most commonly applied in physical-security environments, where a worker may undergo a palm scan to gain access to a room of computer servers, for instance. But consumer resistance to the use of such technologies has softened, especially since Sept. 11, and financial services companies are taking a fresh look at using biometrics to secure their internal and external systems.
Stronger authentication technologies would allow Citibank to let customers execute higher-value transactions at a variety of touchpoints, such as larger cash withdrawals from automated teller machines, Mr. Bree said.
Citibank has not yet deployed any biometric devices for customer authentication, but we are looking at all the types of biometrics that are available, he said in November during a webcast sponsored by the biometric technology vendor BioNetrix Systems Corp.
Todays security systems and procedures are well-established, but they are not airtight, Mr. Bree said. Biometrics could replace the passwords and PINs used at ATMs or Internet banking services, the signature and drivers license at the tellers window, or the need for shared secrets, such as the maiden name of the customers mother, to conduct business over the telephone, he said.
Strong authentication systems are only now beginning to emerge, but they will be necessary in the future to allow customers to do such things as sign documents digitally over the Internet or the telephone, he said.
Citibank also is considering the use of stronger internal authentication methods to guard customer data from improper access by employees, Mr. Bree said. Customer service jobs such as tellers often have high turnover rates, and a Federal Reserve study found more than 60% of bank fraud cases involved employees, he said.
Biometric devices have been in use at least since the mid-1970s, when colleges, for instance, began using hand-scanners to allow student access to campus cafeterias. The latest generation of devices look at such unique physical characteristics as fingerprints, voiceprints, or even the users iris or retina.
John Ticer, the president and chief executive officer of BioNetrix, said that, in some ways, the devices are not as privacy intrusive as consumers imagine.
For instance, a finger scanner does not capture a full image of the users fingerprint, he said. Instead, the device measures minutiae points the distinctive whorls and ridges of an individual fingerprint then applies a mathematical algorithm that produces a highly unique set of numbers which can be stored in an institutions computer or in the memory chip of a smart card, he said.
Likewise, consumer resistance to such technologies may be less than bankers imagine, Mr. Ticer said. One institution (which he would not identify) brought in a diverse focus group of customers and asked them if they would enroll for biometric verification if it would mean a shorter wait in line at the branches. More than 90% of the customers in the focus group said they would enroll, he said.
Consumers now are more security conscious, said Jeanne Capachin, a senior analyst at the Newton, Mass., technology consulting firm Meridien Research Inc. Consumers now are more willing to give up what they see as their privacy.
In addition, consumers work-life experiences may influence their perception of biometric devices, she said. If Im an employee and Im used to putting my hand on a touchpad to get into the computer room, Im then more likely to carry that over into my financial affairs.
Purdue Employees Federal Credit Union, one of the financial services pioneers in the biometric field, has been pleased with the results.
Almost five years ago the credit union, which serves the Indiana colleges students, employees, and alumni, began offering self-service kiosks developed by Real-Time Data Management Services Inc. of Norfolk, Va. Gail Koehler, vice president of technology/retail delivery for the credit union, called the device a teller in a box.
There are very few financial services institutions that have deployed biometric applications, either for employee or customer applications, said Walter Hamilton, the vice president of business development at Saflink Corp., the Bellevue, Wash., company that provides the fingerprint sensor for the kiosks.
Customers can initiate a transaction through the kiosks by putting a finger on the fingerprint sensor or by inserting a card into the machine.
Today the $300 million-asset credit union operates six such kiosks, and 16,000 of its 60,000 members have registered their fingerprints to use the devices. About 6,000 customers use the kiosks each month, and the credit union has fewer problems such as fraudulent deposits at the kiosks than it does at its network of 27 ATMs, she said.
The fingerprint sensors have never produced a false positive result that gave someone unauthorized access to an account, and its false negatives tend to be among users who have dry skin or who work with chemicals that may affect their hands, Ms. Koehler said.
The credit was surprised to see who was first to sign up to use the kiosks, she said. Our early adopters were not the students. They were our 50-plus members, who probably signed up more readily because they had more financial assets to look after.
The credit union also found that, even though customers seem comfortable using the biometric kiosks, they prefer to sit across the desk from an employee when opening accounts, Ms. Koehler said. People dont want to open an account using technology. They want to deal with people.
Even if consumers are willing to have their hands measured, their eyeballs scanned, or their voices analyzed to conduct business with their financial institutions, questions remain about the cost effectiveness of biometric authentication devices.
According to a report published Dec. 7 by Meridien: Costs vary by device type, with finger scanners being the most affordable (costing on average about $100 per device) and iris and retina scanners, the most expensive (costing as much as $7,000 per device). Even finger-scanning readers are still quite expensive for large-scale deployments.
If corporations are unlikely to spend that much on biometric devices, individuals would probably need even more persuading to bring such devices into their homes. After all, they not only would have to install the devices, but they would also have to work through any compatibility issues with their computers and software.
But vendors say they remain optimistic that falling prices and growing security concerns will eventually lead to the widespread adoption of biometrics for authentication.
Santosh Chitakki, the vice president of marketing at BioNetrix, said some laptop computers already come with built-in fingerprint scanners.
Such devices now cost less than $100 per unit, and when that price falls to $20, it could trigger widespread consumer adoption, Mr. Chitakki said. It may be a long while before that happens, he said, but its only a matter of time.
