Tuesday, July 18, 2006

A Touch of Money

A Touch of Money By: Anil K. Jain and Sharathchandra Pankanti

Biometric authentication systems for credit cards could put identity thieves out of business

He stole the identities of the world’s rich and famous—Paul Allen, Oprah Winfrey, Steven Spielberg, Warren Buffett, and Larry Ellison, to name a few. Until the New York City police busted 32-year-old Abraham Abdallah, it seemed that a diabolically gifted hacker, not a busboy at a Brooklyn restaurant, had masterminded this multimillion-dollar caper.

However, a tattered copy of a Forbes magazine featuring America’s 400 richest people found in Abdallah’s possession—along with 800 credit cards—exposed the thief’s simple modus operandi.

Here were his targets, listed in order of their net worth, some with Social Security numbers and credit card information scrawled right next to their names. Investigators soon discovered that Abdallah had obtained most of this information from the Internet, as well as from credit bureaus Equifax, Experian, and TransUnion, by sending queries on the forged letterhead of several top investment banks.

With birth dates, addresses, and Social Security and credit card numbers in hand, Abdallah would use a computer at a public library to order merchandise online, withdraw money from brokerage accounts, and apply for credit cards in other people’s names. Things started to unravel when he tried to transfer US $10 million from the Merrill Lynch account of software entrepreneur Thomas Siebel. Someone at Merrill Lynch noticed that the same two Yahoo e-mail addresses, both Abdallah’s, had been used in connection with five other clients. Soon after, on 19 March 2001, two New York City detectives wrestled Abdallah out of his car, ending one of the most sensational identity theft sprees in history.

Catching ID thieves is like spearfishing during a salmon run: skewering one big fish barely registers when the vast majority just keep on going. According to data from the Aberdeen Group, Boston, the cumulative losses suffered by tens of millions of individuals and businesses worldwide registered at an estimated $221 billion in 2003. Aberdeen, which assumed an enormous 300 percent compound annual growth rate, projected that losses would rise to an almost unfathomable $2 trillion in 2005. More recent numbers from Javelin Strategy and Research, based in Pleasanton, Calif., indicate a much lower growth rate, at least in the United States, where total losses rose from about $48 billion in 2003 to $56.6 billion in 2005.

Clearly, it is far too easy to steal personal information these days—especially credit card numbers, which are involved in more than 67 percent of identity thefts, according to a U.S. Federal Trade Commission study. It’s also relatively easy to fake someone’s signature or guess a password; thieves can often just look at the back of an ATM card, where some 30 percent of people actually write down their personal identification number (PIN) and give the thief all that’s needed to raid the account. But what if we all had to present our fingers or eyes to a scanner built into our credit cards to authenticate our identities before completing a transaction? Faking fingerprints or iris scans would prove challenging to even the most technologically sophisticated identity thief.

The sensors, processors, and software needed to make secure credit cards that authenticate users on the basis of their physical, or biometric, attributes are already on the market. But so far, the credit card industry hasn’t seen fit to integrate even basic fingerprint-sensing technology with their enormous IT systems. Concerned about biometric system performance, customer acceptance, and the cost of making changes to their existing infrastructure, the credit card issuers apparently would rather go on eating an expense equal to 0.25 percent of Internet transaction revenues and the 0.08 percent of off-line revenues that now come from stolen credit card numbers.
Indeed, only a few companies worldwide have even experimented with biometric credit cards. The best known is the Bank of Tokyo–Mitsubishi. Since 2004, it has issued Visa cards embedded with chips that identify a customer according to vein patterns in the palm. All of the bank’s ATMs have palm scanners that match the imaged vein patterns to a digitized copy of the customer’s vein patterns—called a biometric template—that is stored in the card. But because merchants lack the requisite palm scanners to go with this technology, customers still sign receipts or enter PINs when making purchases with the card.

All biometric systems recognize patterns, such as the veins in your palms, the texture of your iris, or the minutiae of your fingerprints. As researchers who have investigated and engineered numerous biometric devices, we want to propose the broad outlines of a new authentication system for credit cards, based on biometric sensors that could dramatically curtail identity theft. Our proposed system uses fingerprint sensors, though other biometric technologies, either alone or in combination, could be incorporated. The system could be economical, protect privacy, and guarantee the validity of all kinds of credit card transactions, including ones that take place at a store, over the telephone, or with an Internet-based retailer. By preventing identity thieves from entering the transaction loop, credit card companies could quickly recoup their infrastructure investments and save businesses, consumers, and themselves billions of dollars every year.

If credit card issuers don’t act soon, customers, many of whom are becoming increasingly comfortable with biometric technologies, might just force the issue.

In the United States, millions of people at hundreds of supermarkets have already given the thumbs-up to services offered by
BioPay LLC, Herndon, Va., and Pay By Touch, San Francisco, which let shoppers pay for their groceries by pressing a finger on a sensor mounted near the cash register—no card necessary.

Millions more, mostly in Asia, have fingerprint sensors built into their cellphones to act as locks and into their laptops to replace text-based log-ins. All of this activity translates to 29 percent annual growth for a worldwide biometrics market that’s expected to reach $3.4 billion in 2007, according to Research and Consultancy Outsourcing Services, a market research organization based in New Delhi, India. Finger-scanning technology made by companies like Atmel, AuthenTec, Digital Persona, Fujitsu, and Identix will account for almost 60 percent of the total market, the organization estimates. And that market will greatly expand if and when credit card companies get serious about combating ID theft [see photos, “
Scanners Galore”].

Current credit card authentication systems validate anyone—including impostors—who can reproduce the exclusive possessions or knowledge of legitimate cardholders. Presenting a physical card at a cash register proves only that you have a credit card in your possession, not that you are who the card says you are. Similarly, passwords or PINs do not authenticate your identity but rather your knowledge. Most passwords or PINs can be guessed with just a little information: an address, license plate number, birth date, or pet’s name. Patient thieves can and do take pieces of information gleaned from the Internet or from mail found in the trash and eventually associate enough bits to bring a victim to financial grief.

Besides trawling the Internet and diving into dumpsters for personal data, thieves exploit people through various cons known collectively as social engineering. A smooth-talking grifter can sometimes get a customer service representative to part with a PIN or reveal other things about an account, such as a mailing address or a phone number. The bank makes it easier for thieves if its authentication protocol is riddled with exceptions. For instance, if you don’t know the PIN, you might be able to provide a mailing address, mother’s maiden name, phone number, or Social Security number to get access to—or at least information about—a particular account. Sometimes those bits of data can be harvested from other sources.

Furthermore, customer service representatives and their managers can usually override authentication procedures when they deem it necessary. A caffeine-addled agent working a double shift may be only too eager to use her override privileges to let you—or your would-be doppelgänger—make a purchase.

To ensure truly secure credit card transactions, we need to minimize this kind of human intervention in the authentication process. Such a major transition will come at a cost that credit card companies have so far declined to pay. They are particularly worried about the cost of transmitting and receiving biometric information between point-of-sale terminals and the credit card payment system. They also fret that some customers, anxious about having their biometric information floating around cyberspace, might not adopt the cards. To address these concerns, we offer an outline for a self-contained smart-card system that we believe could be implemented within the next few years.

Here’s how it would work. When activating your new card, you would load an image of your fingerprint onto the card. To do this, you would press your finger against a sensor in the card—a silicon chip containing an array of microcapacitor plates. (In large quantities, these fingerprint-sensing chips cost only about $5 each.) The surface of the skin serves as a second layer of plates for each microcapacitor, and the air gap acts as the dielectric medium. A small electrical charge is created between the finger surface and the capacitor plates in the chip. The magnitude of the charge depends on the distance between the skin surface and the plates. Because the ridges in the fingerprint pattern are closer to the silicon chip than the valleys, ridges and valleys result in different capacitance values across the matrix of plates. The capacitance values of different plates are measured and converted into pixel intensities to form a digital image of the fingerprint [see diagram, “
Fingerprint Matching”].