Fingers, veins, eyeballs … we know who you are

I blogged the other day about knowing where customers are, but knowing who they are is always a challenge.

Banks continually talk about fraud and the lack of dependable identification and authentication methods.  We talk about things you know (a PIN number), things you have (a card or phone), but things you are (blood, DNA, fingerprint, etc) will be the ultimate authentication method eventually, when it's affordable and reliable.

Biometric authentication in other words.

I haven’t talked about biometrics for a while now, and that's because there hasn’t been a whole lot of new biometrics to talk about.

We all know that fingerprints, iris recognition, palm and vein readers and more are out there, becoming more robust and that they work ... just that they don’t work well enough for mission critical banking applications in high volume environments, where false positives and false negatives mean that customers become dissatisfied.

False positives are where the system recognises you as you, but it’s not you. It’s someone pretending to be you.

For example, someone puts a sellotaped version of your fingerprint over theirs and gets away with being read as you, because the fingerprint matches. Even worse, the fingerprint is accepted even thought it doesn’t match.

Historically, these false positive rates have been too high for ATM or other high volume transaction systems, where 1 in 1,000 acceptances would cause high losses.

Even worse, and more likely, are false negatives.

This is where the system says it’s not you, even though it is you.

A fuzzy fingerprint, a sweaty palm or difficulty aligning your eyes to the reader mean that you get rejected for a transaction. That’s ok if it’s once a year, but many systems reject once a day and that’s not good enough.

This is why biometrics is yet to be seen in widespread use in banking, and that's even after seven years since Minority Report came out (remember the bit with the eyes?).

Sure we see biometrics at airports with Americans asking foreigners to stick their fingers up at border crossings – not the middle one thank goodness! – and other airports offering iris machines for fast track through the gates, but there’s little of this in banking.

In banking, most usage of biometrics is for internal purposes to ensure only the right staff sign-on to branch and bank databases with fingerprint controls or access head office through a facial recognition system.

Biometrics for end-users and customers in real world, mission critical, scalable volumes?

No really.

The only place you see such usage is in countries where identification is hard as most of the population do not have passports or driving licenses. For example, ICICI Bank use fingerprint cards with their rural population for identification purposes, as does Banco Azteca in Mexico.

But a big time, heavy duty bank in a developed economy using this to authenticate customers?

Nope … except, of course, in Japan.

Completing this week’s discussions of Japanese and Asian innovations, Hitachi presented an overview of the use of biometric ATMs in Japan.

These ATMs use palm and vein recognition, rather than fingerprint, as it is more hygienic because you don’t have to touch your finger to the grubby terminus that the last person swiped their fingers over. You just hold your hand over the terminal and it recognises the blood pulsing through your unique map of arteries and veins in your hand (double-click the picture to see a larger version):

Now this may seem like small beer, but it’s not that small when over half of all major bank ATMs use such authentication, and it works with false positives down at 0.0001%, one in a million, and false negatives at 0.01% or one in ten thousand.

Tohshiya Cho-san who heads up Hitachi’s Financial Practice in Japan talks about how this works:

We were also joined by Professor Stan Li, an expert in biometrics in China, who showed how biometrics had been used for facial recognition at the Beijing Olympics last year:

Maybe that's a sign of things to come although the privacy lobbyists will fight against face tracking up and down main street I reckon.

Anyways, that’s it for now.

I’ve tried to summarise some of the many presentations delivered in Hong Kong by selecting the ones that may be more surprising for the non-Asian readers of this blog, and maybe for the Asian readers too!

There were many other insights during the course of the week from Asian payments infrastructures for low and high value payments through changes in clearing and settlement; and from the major contactless card and chip programs across subway and bank systems through to the role of the Hong Kong Monetary Authority as a major processing hub for all of Asia.

There's far too much to talk and blog about but, if you have any specific interests in what’s going on in the area, give me a shout as the presentations and videos are now in the library.