Tuesday 9 February 2016

Top Trends for Biometrics in Financial Services

Biometrics is certainly a technology that is rapidly being adopted by the Financial Services industry and this is not just confined to mobile deployments. Mobile is a growing channel for the delivery of financial services and will start to dominate most financial sectors over the next five years but other channels are still a vital part of any delivery strategy.

This is an important message that I have learnt after spending the second half of 2015 researching how biometrics is becoming an important tool within the security toolbox that can be utilised in the fight against financial fraud and identity theft.

In a series of analyst reports that I authored in 2015 that were published in June, October and December 2015 by Goode Intelligence, I was able to carry out a deep-dive  into the adoption of biometric technology in financial services. This included banking, payment and mobile-based biometric services.

In the reports I identified five key trends that are currently shaping this market.

Bye Bye PINs for ATM Security

ATMs are unattended and when I type in my PIN I am always uber-aware of who is standing behind me in case they may be attempting to steal my PIN. Being a paranoid sort of person I go through a series of checks that includes checking for ATM skimmers or evidence that a camera may be pointing at the keyboard. Banks have installed awareness notices and stuck-on mirrors to help me protect my PIN but it shouldn't have to be like this. 

Things are changing and banks are modifying their ATM technology to phase out PINs and to embrace biometrics. There is also choice in the biometric deployment method; a bank can either integrate a biometric sensor into the ATM itself (fingerprint, palm-vein, finger-vein and Iris are being used) to go either cardless (my biometric replaces the plastic) or keep the card (the biometric is stored on the card and a biometric is captured at the ATM and then matched against the stored template on the card). There is also a mobile biometric solution that also replaces the need for a plastic bank card or integration of specialist sensors at the ATM; Hoyos Labs has a neat solution where the mobile device interacts with an ATM using a combination of barcode and mobile biometric authentication technology.  And if you like plastic cards then there are solutions as well; a number of vendors, including Zwipe, have integrated a fingerprint sensor into plastic cards to replace PINs. The plastic bank card will only work if the authorised user's fingerprint is first placed on the sensor. 

Authenticated Contactless Mobile Payments

One of the more visible success stories for biometric adoption in financial services has been the development of mobile biometric contactless payments. Apple Pay and Samsung Pay both use integrated fingerprint sensors to secure contactless mobile payments in physical locations. The PIN was adding friction to the physical payment experience so you can either forget about user authentication and limit the transaction amount (tap and pay for low value payments) or replace the PIN with a method that doesn't slow down the experience but still adds a level of security. 

How to tackle rising levels of Card-Not-Present Fraud?

Technology does reduce fraud. The deployment of EMV chip cards has led to a reduction of fraud at the physical point of sale. This has led criminals to move online and attack commerce channels that the EMV chip cannot protect. The rise of Card-Not-Present (CNP) fraud, especially for eCommerce transactions, and the movement towards mobile commerce has created the need for secure and convenient user authentication and transaction verification. Biometrics offers a viable solution. Expect to see the payment networks start to roll-out mobile-based biometric solutions that aims to tackle the CNP fraud problem and even support in 3D Secure 2.0. 

Wearable Payments to support Biometric Authentication 

It is early days for wearables; the market is too fragmented and there are too few devices currently being used by consumers. This will change and as more and more apps are developed to support the delivery of financial services to bands and smart watches then the need to validate identity and to protect commerce will become critical. For wearables, it is important to pick a biometric modality that suits the device and the application so expect to see technology such as heart-rate (ECG), behavioral and vascular being integrated into the next generation of wearable devices. Biometrics that can be captured when a device is close to the skin of its wearer. Brainwave for Glass perhaps?

Financial-Grade multi-modal biometric authentication to become de-facto for mobile banking apps

The final trend that I am pulling out of these reports is part of a movement to increase security of mobile-based biometric solutions without adversely effecting convenience and ensuring that financial services providers maintain ownership of identity. The industry needs to ensure that the biometric technology is hard to spoof, that the protocols cannot be compromised and that the vulnerabilities seen in existing 2FA solutions (including replay and man-in-the-middle attacks) are not introduced. And at the same time being easy to use, scalable and fit into existing identity lifecycle management tools (can I revoke a credential?). The use of more than one biometric modality, face and voice for instance, in a banking app can increase security and also provide choice for consumers. A service provider can also match the right biometric modality to the context of the login or transaction attempt; fingerprint may open the app but a challenge using another modality may be needed to send a payment to a new beneficiary. 

To conclude; both established financial services organisations, challenger banks and the emerging FinTech providers now understand the importance of choosing the most appropriate user authentication and transaction verification technology that can work across all finance channels and can meet the needs of convenience and security. Biometrics certainly ticks the boxes for convenience with millions of customers around the world paying for products and accessing mobile banking with the touch of the finger or by taking a selfie. A number of biometric platforms are also being introduced that also tick security, regulatory and privacy boxes including IEEE's Biometric Open Protocol Standard (BOPS)

What is exceptional about this market is the sheer scale of deployment that has already taken place and the enormous potential that is yet to come. From millions of Brazilians daily withdrawing cash from biometrically-enabled ATMs, to mobile banking customers accessing their accounts with the touch of a finger or by taking an image of their face, the use of biometrics for financial services is improving security, reducing financial fraud and removing the need for cumbersome authentication solutions that are not fit for purpose in today's hyper-connected world.










No comments:

Post a Comment