A number of recent articles indicate that illegal technology can easily be purchased that can allow criminals to “steal” biometric information at ATMs.
The implication is that biometric technology is not as secure as previously thought. Nothing could be further from the truth, provided the right scanning technology is used, says Nick Perkins, divisional director: identity management at Bytes.
Perkins explains that the banks have successfully used biometrics inside branches to reduce fraud by providing assurance that those applying to open accounts are who they say they are. With that avenue closed to them, fraudsters are now targeting ATMs.
“Because ATMs are unmanned, there is no doubt that the technology is being subjected to a tough test–but the correct biometric technology is up to the job,” says Perkins.
For banks, the key issue is to be certain that the person presenting him- or herself at the ATM is the accountholder in person. Biometrics such as fingerprints, face or iris, provide a unique physical identifier. However, it is true that technology is available that can steal the biometric data and use it to produce a facsimile.
“This type of fraud has actually been around for a long time–remember the movies in which the spy uses sticky tape to lift a fingerprint from a glass, and using it to create some sort of facsimile to gain entrance to the secret laboratory. The technology is a bit more sophisticated, but the idea is still very much the same,” says Perkins. “A basic optical scanner can be fooled by these facsimiles because it works simply by matching one image with another. However, different scanning technologies have been developed to combat this kind of attack.”
Multi-spectral fingerprint scanners are designed for ATMs and Point of Sale (POS). They have built-in protection against fraudsters, and also offer a much lower incidence of failed scans as well. Three capabilities they offer are critical, Perkins says. One is liveness detection, which enables the scanner to detect whether or not the fingerprint is that of a living body. This means that a fingerprint image, no matter how accurate, will not work.
The second, related capability is the ability to detect spoof fingerprints or other biometrics constructed out of artificial substances like silicon or glue.
Finally, these scanners must be able to operate in what is called secure endpoint mode; this means any information is encrypted and the device itself is designed to resist tampering and intrusion, just as ATM keypads are currently.
“South African banks have been doing their homework and some are already piloting biometrics at ATMs using multi-spectral technology, with other banks about to begin pilots,” Perkins concludes. “The principle that biometrics offer an accurate way to confirm identity remains true, and biometric technology has evolved to overcome the challenges posed by criminals.”
