Some banks and credit unions are using biometric traits to identify customers at the branch, but critical issues, such as what happens if a fraudster steals that data, have prevented more widespread adoption.
The traits themselves — fingerprints, retinal patterns, or the shape of a hand — cannot be misplaced or scribbled on an automated teller machine card, so they are inherently more secure than personal identification numbers and passwords.
But a biometric system does not actually record an image of the trait used to identify the customer. Instead, it uses a mathematical formula to describe the trait. That formula generates a data record, which is as vulnerable to theft as a customer account number. Then the great strength of biometrics becomes a great liability, because an account number can be changed, but a fingerprint cannot.
International Business Machines Corp. of Armonk, N.Y., says it has addressed this problem by developing cancelable biometrics — an interpretation of a biometric trait that can be discarded and recreated as easily as a password or PIN. No bank has bought the technology, but at least 10 have seen it, IBM executives said Tuesday at a demonstration.
Mike Feehan, the senior vice president of customer contact at First Horizon National Corp. of Memphis, said such technology would be welcome.
“Biometrics obviously has a lot of potential applications, both inside and outside the branch,” he said. “With any biometric, there’s always data behind that stored somewhere, so the criminal always has the opportunity to find it and steal it.”
Since 2002 First Horizon has installed biometric handprint scanners from Diebold Inc. at 17 of its 145 branches with safe deposit boxes. Mr. Feehan said he does not know whether First Horizon talked with IBM about cancelable biometrics.
First Horizon says its security concern is minimal, because the scanners are on a closed system under the branch’s control.
But Mr. Feehan said theft would be a bigger issue if the same biometric trait was used widely as an authentication tool. “If somebody steals your fingerprint or eyeprint, you can’t change that. You can change your password, but you can’t change your fingerprint.”
Charles Palmer, who manages the security, networking, and privacy departments at IBM’s Thomas J. Watson Research Center in Hawthorne, N.Y., said his company’s software uses cryptographic math to distort the trait. By using different calculations, the same trait can be made unique for each company that uses it.
More importantly, the distorted trait cannot be reversed to obtain a copy of the original one, he said. IBM says it made the distortions irreversible just three to four months ago.
If a criminal gets into the system where the distorted traits are kept, that company could dump the old calculation and start using a new one, Mr. Palmer said. Other companies that use the same trait for authentication would not be at risk, because the criminal could not reverse the distortion to use the trait against them, he said.
The technology addresses a specific security concern, and its effectiveness depends on its implementation, he said. It is most effective in branches and retail stores.
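The cancel-and-reissue idea Mr. Palmer describes can be sketched as follows. This is an added illustration, not IBM's software or method: it substitutes a generic keyed random projection that keeps only sign bits, and the feature vectors, keys, template length and threshold are all constructed for the example. The sketch makes no claim to the irreversibility IBM describes.

```python
import hashlib
import random

BITS = 128          # template length (constructed value)
MAX_DISTANCE = 25   # accept if at most ~20% of bits differ (constructed value)

def distort(features, key):
    """Keyed lossy transform: keep only the sign of BITS key-seeded random projections."""
    rng = random.Random(hashlib.sha256(key).digest())
    template = []
    for _ in range(BITS):
        proj = sum(f * rng.gauss(0.0, 1.0) for f in features)
        template.append(1 if proj > 0 else 0)
    return template

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def matches(enrolled, probe):
    return hamming(enrolled, probe) <= MAX_DISTANCE

def sample_trait(seed, dim=32):
    """Constructed stand-in for a feature vector extracted from a scan."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]

def rescan(features, seed, noise=0.05):
    """Same person, new scan: small sensor noise on every feature."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, noise) for f in features]

def demo():
    alice = sample_trait(1)
    bank_key, store_key, bank_key_v2 = b"bank-key-v1", b"store-key-v1", b"bank-key-v2"
    bank_db = distort(alice, bank_key)        # enrolled at the bank
    store_db = distort(alice, store_key)      # same trait enrolled at a retailer
    stolen = list(bank_db)                    # attacker copies the bank's record
    bank_db_v2 = distort(alice, bank_key_v2)  # bank cancels v1 and re-enrolls
    return {
        "genuine_at_bank": matches(bank_db, distort(rescan(alice, 2), bank_key)),
        "stolen_replayed_at_store": matches(store_db, stolen),
        "stolen_replayed_after_reissue": matches(bank_db_v2, stolen),
        "genuine_after_reissue": matches(bank_db_v2, distort(rescan(alice, 3), bank_key_v2)),
        "impostor_at_bank": matches(bank_db, distort(sample_trait(99), bank_key)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stolen record fails at the second company and at the first company after its key is replaced, while a fresh scan from the genuine customer still matches under the new key.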
But Mark Greene, the general manager for global business at IBM, said the technology can be used to bring biometrics to home banking. “It speaks to the phishing problem and the identity theft problem.”
Christine Barry, a senior consultant with HighQuest Partners LLC of New York, said that the idea that someone will steal a database of traits is “the biggest fear of consumers” who resist biometrics. IBM’s development of cancelable biometrics “is a positive for the industry, and it can only help adoption.”
Guillermo Kopp, the director of the cross-industry practice at TowerGroup, the Needham, Mass., unit of MasterCard International, said IBM’s software is a breakthrough.
“It’s not ready for prime time in financial services today, but watch this space, because the potential is huge,” he said. “The financial services industry is in desperate need for a strong authentication instrument. … The ID and password are no longer secure enough.”
Dan Schatt, a senior analyst for the Boston market research firm Celent Communications LLC, said companies like BioPay LLC and Pay By Touch Networks Inc. are already easing consumer concerns about biometrics. Those companies sell retail stores fingerprint scanners that consumers can use to authorize payments.
The scanner data in these situations is just computer data, not an actual fingerprint image, so it may already be hard for a fraudster to reverse a distortion, but IBM’s method is more secure, Mr. Schatt said.










