More Biometrics for Banking on Development

Taking Banks to India’s Poor

Award: Start Up of the Year
Name: Manish Khera, CEO, FINO
Age: 41
Why He Won: For setting up the largest banking correspondence network in India and bringing financial inclusion to millions of people across 26 states, and using mobile tech in a smart way. It is poised to become the country’s largest banking correspondent.

You can make a lot of money catering to the poor.

It had invested in technology, had the sales force on the ground, and was flush with money. FINO’s custom-built devices went a long way in ensuring that its customers stayed connected to the grid. Their ‘pod machines’, hand-held biometric devices that recorded customer fingerprints, reduced the risk of fraud to a great extent. Its machines function both online and offline, so money still got transferred in areas without any network. By January 2010, it had 10 million customers (across 15 banks). It added another 15 million in the next year and doubled the base to 50 million by August 2012, two-thirds of the clientele base in the sector. It’s eyeing 100 million by 2015.

See also our post from earlier today:
Biometrics + Banking → Rising incomes in Malawi which describes more of a pilot project and study, but the numbers are also very impressive.

Argumentum ad Verecundiam

NFC to stick finger in biometrics banking: Expert (ZDNet)

While Australian banks have been elusive about plans to implement customer-facing biometrics technology, its use in banking will become mainstream in the near future, and may even be used in conjunction with other technologies, like NFC, according to Dr Ted Dunstone.

Since the release last week of a study suggesting that 79% (background here & here) of Australians are open to fingerprint biometrics for banking, the topic has garnered a lot of interest.

Much of the recent press analysis on the subject has taken the form of Argument from Authority (argumentum ad verecundiam for you Latin speakers out there) i.e. talking to experts and writing down what they say.

This type of argument, in itself, is neither good nor bad but it can be done well or poorly. The article linked above is a good example of the former.

Challenge!

Theft of fingerprints easier than cutting off a finger, security experts warn (News.com.au)

Associate Professor of math and geospatial sciences at RMIT University, Dr Asha Rao told News Ltd that a cyber criminal wouldn’t need your finger or retina in order to steal the stored data.

”When you watch political or forensic dramas, they show you the fingerprint but that’s not really what is stored as it would take too much time to cross reference,” Dr Rao said.

”To complete the biometric scans you don’t need my finger, you need the hash of the biodata.”

A hash is like an algorithm or template that can be used to decode your data. ”If you steal the template, then you’ve basically lost your fingerprint,” she said.

”It’s actually easier to break than cutting off people’s fingers.”

Oh, yeah?
Challenge!

Step one.Have the experts in question turn this into a fingerprint. Yes, it is a real fingerprint template; no hacking required.

2aba08229b3b2a44e72c8f14da168a560a3caf2257add068a7fc1636215bff53152546da3fc8071ea84433a42261f4ff7bc3b455199be8980eea2bb1e922f18aa309e050130d72ca124ecd6e9e86459e60858ff44f71d0c1c4e23b97a9a6554619543e8d347f79ea8fa70db87eaea7f37bf2cac4e697d5525479cc72fb653b5d32089e7b3cbcd01f8dba60eda95a50a31b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c 

Step two.Have the experts in question cut off someone’s finger.

Step three.Have them explain which task they’d rather repeat.

“You want a toe?”



[I’ll bet both tasks are much more difficult either from a technical or humane point of view than stealing and using a password. I assume that’s why they are hackers instead of, well, you know – “hackers.” And while, at least according to Walter Sobchak, “I can get you a toe,” fingers are a little harder to come by. After all, people are going to need them to get at their cash.]




Bonus:Explain why any of this should cause any of the reported 79 per cent of Australians who would be comfortable using fingerprint biometrics to verify identity to change their mind (background here & here).

Customers Embrace “Controversial” Technology

Fingerprints the new ATM PINs (The Daily Telegraph – Australia)

The bank has revealed it will explore introducing controversial technology that stores biometric data, replacing the need for PINs, after research suggested customers were willing to embrace it. [emphasis mine]

What percentage of people must embrace something before it ceases to be “controversial”? The article’s implicit answer is “more than 79%.”

The article is only five sentences long, so I’m not cherry-picking an odd sentence from a long article. The whole set of the article’s facts is that a bank’s study found that a Pareto of people are totally OK with fingerprint biometrics, which pretty much means that they’re the opposite of controversial.

Biometric deployment winners and losers

This article describes a fingerprint system implementation that isn’t going too well.

Northtown is one of 20 child-care centers in central Mississippi taking part in a Mississippi Department of Human Services pilot program. DHS administers the state’s child-care assistance, or certificate, program for poor families and pays providers like Kay who accept the certificates. Starting Sept. 4, parents and guardians of children receiving a subsidy must scan their finger when dropping off or picking a child up from day care.

Kay and other child-care center operators say implementing the new system has been nothing short of nightmarish and that the problems are eating into revenues. Although DHS trained workers on how to use the machines, training parents is left up to the individual centers, meaning that a member of Kay’s staff must remain on standby at all times to help people work the machine. Also, because the system relies on unique finger scans, staff members cannot override the system or check the kids in and out when parents forget. When that happens, providers might not get paid.

No analysis of why state subsidized day care centers are being asked to prove that they are actually providing the service for which they are paid (using a parent fingerprint). No analysis of why it is a burden to have someone on standby to facilitate/control/monitor who picks up and drops off children. No explanation of how or why parents are allowed to forget to check their children in and out of the child care facility.

A system as lax as the one obliquely described in the article is, of course, likely to become a magnet for fraud. That’s bad. What is much worse is that a situation where no one is keeping track of who is taking children away from a child care facility is a tragedy waiting to happen.

If the subsidized day care system in Mississippi was ticking along flawlessly, it’s hard to imagine someone deciding that it would be a great idea to implement more rigorous identity management measures. That’s just not the way things work. Frequently, biometric systems are brought in to shore up flaws in a system.

The costs and benefits of shoring up flaws in a system, however, are unlikely to fall upon/accrue evenly throughout an organization. For example: The return on investment of a biometric time and attendance implementation is paid by those who benefited from a more lax system and accrues to the firm’s owners. The people who lose out in the transition aren’t necessarily right, but they aren’t necessarily without power, either.

Without significant insight, it’s easy for managers to get caught off guard by push-back from those whose interests are undermined by more efficient operation. This is where a good biometric system integrator can really do themselves and their customers a favor by understanding their customer’s business and helping the customer to anticipate and mitigate obstacles to a successful implementation. It’s not enough that a solution succeed on its technical merits as if deployed in a vacuum, though it must do that. It must also succeed operationally in support of the people who carry out the organization’s objectives. Successful integrators meet customers where they are and leave them better off than they found them.

South Africa leading the way on government payments to individuals

Social Security And Welfare Payments Go Biometric (Fast Company)

In order to receive government aid, South Africans now have to get biometric finger and voice scans. It’s high tech, cuts down on fraud, saves the government money… and is coming to the United States sooner than you’d think.

MasterCard is playing a large role in the South African effort…

Poland’s Supreme Administrative Court rules against fingerprint biometrics for Time-and-Attendance

Poland: May An Employee Request Biometric Data? (Mondaq)

Poland’s Supreme Administrative Court (SAC) has recently ruled that an employer is not entitled to collect employees’ biometric data in the form of fingerprints in order to record employees’ entrance and exits times, even if the employees consent.

There’s that word again: consent.

But if the article is accurate, Poland’s Supreme Administrative Court actually seems to be saying that, technically, worker’s can’t consent to fingerprint time-and-attendance in much the same way that children can’t legally consent to certain acts.

I wonder what they would say if a firm wanted to raise wages with the money they saved by implementing a biometric time-and-attendance system.

US: Border biometrics make a difference

US-VISIT Proves That Biometrics Make A Difference (Homeland Security Today)

On February 6, 2012, a man we’ll call “Walter” arrived at the George Bush Intercontinental Airport in Houston, Texas after a trip to Panama and applied for admission as a returning lawful permanent resident. He presented a valid Mexican passport and a valid US Permanent Resident Card. Everything seemed to be in order and the young man breathed a little easier.

But when the Customs and Border Protection officer directed “Walter” to place both of his hands on the US-VISIT Automated Biometric Identification System (IDENT) so all ten of his fingerprints could be scanned, “Walter” knew in his gut that he was in for a long day.

The full article is available here in HSToday’s magazine viewer.

Technology to thwart fingerprint fakers

Clarkson professor develops fake fingerprint finding technology (Watertown Daily Times – New York)

“People can take materials and make a fake finger and pretend to be someone else,” she said. “We have a piece of software that determines whether the fingerprint is fake or not.”

There’s also some good stuff about convenience, security and trade-offs at the link.

This post from February highlights an application that detects altered fingerprints: App Helps ID Altered Fingerprints

The security and ID management race continues.

No biometrics in iPhone 5

Critics take bite out of Apple over missing features (The China Post – Taiwan)

Other widely expected features that were missing included wireless charging and biometric unlocking, which uses facial recognition or fingerprints as found on many phones running the latest version of Google’s Android operating system. Two other popular features included on the latest Android and Windows Phone 8 devices but absent on the iPhone are enhanced widgets and notification tiles that let the user see information such as emails, weather, stock prices, tweets and Facebook updates right on the phone’s home screen.

Law Enforcement fingerprint biometrics data quality and ROI

Anonymous donation puts biometric scanner in LPD’s tool box (Laurel Outlook)

This is another one of those occasions where a local newspaper — this time in Laurel, Montana — provides great insight into the real contributions biometrics can make to an organization’s efficient operation.

It’s not CSI television magic. The machine doesn’t analyze and match prints backed by a catchy electro-industrial soundtrack as seen in prime-time police investigation shows. But, it does dramatically reduce processing time, helps to eliminate human error by comparing the slap to individual prints and offering prompts for correct information, and electronically transfers the file. “It allows us to capture all the prints and information we’d put on a fingerprint card,” said Wells.

Part of the scanner’s appeal is its ability to capture prints under less than ideal conditions. The scanner glass platen is topped with a patented silicone membrane. This allows the capture of high-quality images from a wide cross-section of people, including those with very fine, worn, scarred or cracked fingerprint ridges and varying degrees of skin moisture content, with minimal pressure. The result is less distortion and more accurate, high-quality images.

“As good as our officers are — and we print a lot for the public and criminal processing — the fingerprint cards do get sent back,” said Musson. “There are so many things that go on with fingerprinting: too darkly inked, too oily, too dry. This should alleviate that.”

Are laptop fingerprint sensors about security or convenience?

Popular fingerprint reader stores Windows passwords unencrypted (TechSpot)

ElcomSoft, a Russian digital forensics firm, has revealed a major vulnerability in UPEK Protector Suite, a popular biometric security solution that has shipped on machines from practically every large PC vendor, including Acer, Asus, Dell, Lenovo, MSI, Samsung, Sony and Toshiba. According to the researchers, the flaw makes UPEK’s fingerprint reading software less secure than using Windows’ standard password option.

Read the whole thing.

I haven’t used the service in question lately, but the last time I used the UPEK setup, it was pretty clear that it was a biometric password manager. Until and unless a particular web service uses biometric authentication with authentication taking place on their own servers (and astonishingly few do), the fingerprint reader on a laptop is only ever going to be controlling a password management program.

Still, a fingerprint password manager can make better password habits more convenient, making it easier for users to cope with longer, more complex passwords and change them more frequently. But the UPEK setup described in the article meant that the passwords were stored in such a fashion that they weren’t necessarily bulletproof.

As the article points out, if you’re already encrypting your hard drive, this security situation may leave you more vulnerable than you thought. If you’re not, this method of managing passwords seems much more secure than storing them in an unencrypted text or Excel file.

Recent SEC Filings Reveal More on AuthenTecApple

Apple may put fingerprint scanners in future products (V3.co.uk)

Among the technologies Apple now owns is a type of fingerprint scanner designed for mobile products with Near Field Communication (NFC) built in. AuthenTec’s AES2750 product is a fingerprint scanner that can interact with NFC applications to offer a secure way to log in to various systems.

AuthenTec says the technology can lock and unlock a phone, authorise mobile banking transactions and replace website user names and passwords, all with a fingerprint scan.

SEC filing fans rumors of mobile wallet for iPhone 5 (COMPUTERWORLD)

But how quickly these elements are introduced depends on Apple’s long-range plans for iPhone, and iPad, as well as the maturing of the mobile payments industry infrastructure, a big jump in consumer acceptance and — most of all — trust in the new technology, and how quickly Apple can phase these particular technologies into its supply chain and manufacturing processes.

The fingerprint sensor, many speculate, will be a key part of a full-fledged mobile “digital wallet” using a near-field communication (NFC) radio link to trigger purchases by simply waving the handset over an NFC reader. AuthenTec, an established vendor of a range of smart sensors, identity management (including PC/laptop fingerprint sensors), and embedded security products, announced the deal on July 27. At $365 million, it’s Apple’s biggest buy.

It’s worth pointing out that Josh Franklin at Seeking Alpha predicted the broad outlines of this whole thing a couple of months ago.

NFC + Fingerprint Biometrics = Cha-ching?

Apple wanted AuthenTec’s “new technology” ASAP for future products (Ars Technica)

There’s a hint that, whatever the tech involved, we won’t have long to wait. According to AuthenTec’s account, Apple wanted to hurry the buyout deal due to its own plans. “Representatives of Apple also noted Apple’s desire to proceed quickly due to its product plans and ongoing engineering efforts,” reads the SEC filing. “As a result of its focus on timing, Apple’s representatives also informed the Company that Apple would not participate in an auction process and would rescind its proposal if the board decided to solicit alternative acquisition proposals for the Company.”

Fingerprint Sensor Innovation

Worlds First Non-Optical, FBI Certified Four-Finger Scanner (Press Release)

The [Thin Film Transistor] TFT sensor has an active image area of 3.0 x 3.2, a resolution of 500dpi, and is less than 1mm thick. Ultra-Scan has begun miniaturization of the sensor control electronics to a single Application-Specific Integrated Circuit (ASIC) that, when complete, will result in an integrated sensor and control electronics package measuring 3.5 x 3.5 x 0.25, powered by USB, and suitable for a variety of mobile fingerprint collection applications.

In the business, we call a multi-fingerprint reader a “slap” reader — well, some of us do anyway.

For now, the least costly single print readers, and all the slap readers I know of, are optical readers with a glass platen and some sort of internal light source for capturing an image of a fingerprint. This form factor dictates a certain hardware depth dimension, usually two inches or more. As for the single print readers, in many many applications a two inch hardware depth isn’t a deal-breaker and price is an object. With the slap readers, even though they’re expensive and heavy there are enough applications where only a slap reader will do.

So for a single print reader, if a customer can accept the depth, price comes down.  If a customer has to have a slap reader, they have to accept the depth associated with optical sensors.

As mentioned above, there are a whole lot of applications where optical sensors make the most sense. Mobile, however, isn’t one of them. In mobile hardware, two inches of depth is a deal breaker at any price. Mobile devices will definitely be integrating these thin film transistor-type sensors (I’ve also seen non-optical hardware called semiconductor scanners, and capacitive readers).

Shrinking the depth of a slap reader while increasing the maximum size of a capacitive reader opens up all sorts of possibilities for mobile devices such as the capability of having the back of a mobile phone recognize users’ partial palm print as they hold the device naturally.

This seems like a pretty big deal but my guess is this type of fingerprint sensor is going to be hugely expensive for a while. But that’s the way these things go. They’re expensive before they’re cheap.

Another Tablet with a Fingerprint Reader

Lenovo confirms full Windows 8 ThinkPad tablet (electronista)

The display is a 1366×768 IPS display, with a front-facing 2MP camera, and a rear-facing 8MP camera. Video output is provided by a micro-HDMI port. Wireless connectivity is provided by integrated 802.11n and optional 3G or 4G. A near-field communication (NFC) radio is installed, with biometric security provided by a fingerprint reader.

I think we’ll be seeing more of this. Password technology is already a bit of a nuisance even when a fully functioning keyboard is attached to the hardware. Tablets don’t have keyboards and the virtual keyboards they use are a big step down from their hardware cousins in terms of usability.

I think manufacturers are coming around to the idea that, for tablets, fingerprint readers are more convenient than passwords. Another fact of the mobile computing device market seems to be that convenience trumps security every time.

Is Apple going to take biometrics mainstream?

Coming To An iPhone Near You: Apple’s New Fingerprint Key For Mobile Payments (Seeking Alpha)

With the purchase of biometric company AuthenTec (AUTH), Apple (AAPL) is opening the floodgates on biometrics. No more remembering alphanumeric password on a digital touchscreen. In the future, fingerprint, palmprint and voice-ID will allow you to log into your iTunes, Facebook (FB), or GMail account with the press of a finger.

Here comes the iWallet.

Fujitsu Releasing Windows Tablet with a Fingerprint Reader

Updated and bumped…

Fujitsu Is Bringing New Tablet to Legal Market (Law.com)

Because of its computer-level power, the Stylistic Q702’s battery life is a fraction of the iPad’s; however, an optional attachable keyboard dock bumps the battery up to about nine hours. Meanwhile, it comes with a number of security-related features, including HDD and BIOS password protection, an embedded TPM (Trusted Platform Module), and a biometric fingerprint scanner.

Tablets are working their way into business process in several large sectors of the economy. Typical username/password authentication is even less convenient on tablets than computers with keyboards.

UPDATE:
Fujitsu, DoCoMo and NEC: let’s go and get some chips (Mobile Entertainment)
Japanese giants form JV to make processors and reduce dependency on third parties. Fujitsu says its new LTE hardware will offer near field communication (NFC) and biometrics.