Tuesday, December 5, 2006

ZDNet Asia On Citibank/PBT Partnership

Biometrics' answer to identity verification
By Lynn Tan, ZDNet Asia
Tuesday, December 05 2006 05:25 PM

The million-dollar question: How secure is fingerprint authentication?

Those that have implemented the technology, however, emphasize there is little cause for worry.

According to M.N. Rangaraj, senior country operations officer of Citibank Singapore, the Pay By Touch fingerprint authentication system that the bank uses does not capture images of the fingerprint. Citibank launched in November the world's first biometric cardless payment service for credit card transactions.

Instead, the system looks for certain aspects of the ridges on the finger, also known as minutiae points, and encrypts them in numerical format--in a series of numbers that cannot be used to reverse engineer and recreate an image, Rangaraj explained in a phone interview with ZDNet Asia.

To safeguard customers' information, "neither biometric nor financial information is stored at the retail location, and fingerprint [data] is not transmitted back and forth to the point of sale", according to Krista Thomas, vice president of corporate communications at biometric authentication vendor Pay By Touch, in an e-mail interview.

All the encrypted data are stored at "secure IBM data centers, which abide by financial industry security standards", in a completely separate database from all other personally identifiable information--such as name, address, and financial account information, Thomas explained.

"In fact, these IBM servers are located in fortress-like facilities with security guards, bulletproof glass, mantraps, biometrics, video cameras and alarmed doors--like in a scene out of Mission: Impossible," she said.

According to Thomas, Pay By Touch also performs security audits and vulnerability tests with external security experts routinely to ensure security on an ongoing basis.

"Our encryption is better than--the security used to protect your ATM PIN code, which has been seen as the model to strive for in the industry," Thomas said.

According to Thomas, the fingerprint authentication system also helps to deter fraud. Writing checks, for instance, creates multiple opportunities for fraud because it lets "as many as 10 people view the information on a check before it is processed".

In contrast, she explained, the Pay By Touch system does not even let the cashier see a customer's payment information as the data is encrypted. "If you write just five checks in a week, that creates 50 opportunities for fraud," Thomas noted.

Is it foolproof?

The biometric system authenticates the transaction by matching the data captured from the user's finger ridges at the point of the transaction to the encrypted data stored in the secured database, Rangaraj explained.

Before the transaction is approved, the user would also be required to key in a seven-digit "Personal Search Number" after pressing their finger to a biometric scanner as an added layer of security.

However, a replicated copy of the fingerprint image will not work as fingerprints do not carry minutiae points. Rather, the system requires the actual finger to be on the authentication device so that the sensor can detect certain unique characteristics of the finger, Rangaraj said.

On top of that, the sensor will also automatically check for moisture and warmth of the finger, he added. As such, prosthetic or fake fingers will also not work, Rangaraj said. ZDNet Asia understands from Pay By Touch that while some finger sensors detect pulse and heat, the sensors that the company is presently using do not have these functions.

Consumers' choice

According to Thomas, a recent study conducted by IT services vendor Unisys revealed that consumers around the world are becoming more comfortable with biometrics.

Results of the research released in April this year indicated that "70 percent of consumers worldwide support the use of biometric technologies to verify their identity, while 66 percent [of consumers] favor biometrics as the ideal method to combat fraud and identity theft as compared to other new payment methods such as smart cards and tokens", Thomas said.

Pay By Touch launched its fingerprint authentication system in Thriftway Supermarket in Seattle in 2002. To date, the San Francisco-based company has worked with several retailers, including a small grocery chain in the United Kingdom and larger brands such as Albertsons' Jewel Osco chain in Chicago, SUPERVALU's Farm Fresh in the Southeast, and Lowes Foods in the Midwest, to use biometrics as a form of authentication commercially.