June 25, 2013 - Biometrics: What are you all afraid of?

In early June this year, we conducted a survey of banking and financial professionals, asking whether it seems appropriate for banks to use biometric data as a means to more accurately verify identity of customers. Particularly, we were focused on those instances where a BSA-compliance “red flag” transaction is occurring.

Examples of red-flag rule transactions are detailed in one of our previous blog-articles, here: http://www.fraudfighter.com/counterfeit-detection-id-verification/bid/80625/Bank-Secrecy-Act-The-10-000-Rule

Response to the survey was very high, and the comments made by both participants and non-participants in the survey was – active – to say the least.

So many people seem to have such volatile opinions on this matter.

Now, in the light of recent debate raging across not only the United States, but the globe, regarding the recent revelations about NSA data-tracking programs for cell phone and internet usage, it seems particularly poignant to raise the question.

What are you all afraid of?

I have an honest disconnect here. 

Say I have a big chunk of my life-savings in your bank.  I am planning to retire someday, and I am working towards my goal by saving out of my paycheck every week by direct deposit.  I don’t even look at the statements or check my balances every month, because I sort of want to “forget” about this money.

I absolutely WANT you, as my bank, to protect my assets.  Part of this protection has to be securing the access to these assets so that only those individuals that have permission to do so actually do. 

If you have the option to use an encrypted fingerprint, facial recognition, or iris-scan identity authentication on any person who attempts to conduct a “Red Flag” type transaction out of my account, why wouldn’t you, as the bank, want to implement that, and why wouldn’t I, as the customer, want you to do that?

Why not make it voluntary?

Some respondents did provide intelligent and reasonable objections to the concept.  For example, large banks, with millions of accounts will face a core-data issue. If each biometric signature occupies a significant amount of storage, and you have tens of millions of customers, then this quickly adds-up to unmanageable. 

Two responses to this: first, why not make participation voluntary? This would reduce the number of customer accounts using the data, and lessen the burden on core banking.  Second, an encrypted fingerprint requires less than 5Kb of data, since it is, essentially, only a 128bit encryption string plus a binary file with less than 500 characters.

I would amend the first point by saying that you have to make any customer that conducts Red Flag transactions enroll in the fingerprinting program.

What about my privacy?

We could summarize the majority of the objections to the concept of biometrics at the bank as falling under the category of: I don’t want my biometric data managed by someone else.

Our rebuttals to this objection are many:

1. The biometric information is encrypted the moment it is captured.  In the case of fingerprints, an individual fingerprint is used as the “key” to create a string of random characters, which can only be unlocked if the same “key” (i.e. – your fingerprint) is used to unlock it. This means no one in the bank has access to a file with your fingerprint image stored in the way that the FBI or other law enforcement agencies do.
2. Just how private is your biometric data?  The human body is leaving behind personal information everywhere it goes.  Hair follicles, skin cells, fingerprints, and more.  We would argue that it is safer for you to control your personal biometrics by utilizing these encrypted log-in processes than it is to not use them, and leave your DNA everywhere you go, unprotected.
3. The technology doesn’t work.  In some cases, this can be true, particularly regarding fingerprints in places where the population may do a great deal of manual labor and, thus, might damage the skin so that fingerprints cannot be read.  Our response is – choose another technology.  Facial recognition is already commercially developed to very high accuracy levels.  Similarly, iris scanning will be here within a year or two.  Also, finger vein-reading is a usable alternative to fingerprints.  A small scanner similar to a fingerprint pad can read the magnetic signal of the vein in the index finger. This is as equally unique to each person as the fingerprint is.
4. Finally, inevitability.  Does anybody REALLY believe that this isn’t coming?  It may seem like science fiction, but the truth is, the age of biometric identification is upon us.  It is simply a matter of time before we see it cropping-up in more and more places.  We fervently believe that financial services and banking will be among the early adaptors.

A minority perspective?

We felt that our viewpoints were in the minority.  After speaking to dozens, even hundreds of bank security, asset protection and operations managers, we kept hearing that they are not ready to do this, yet.  But the survey results were quite clear.  Bankers believe that biometrics are coming, and that they are appropriate for the industry.