Biometric Security For Mobile Banking 2008

WORLD RESOURCES INSTITUTE

Markets + Enterprise White Paper

March 2008

Biometric Security for Mobile Banking
By Loretta Michaels

Forward

By Dr. Allen L. Hammond

Washington, DC 20002 USA

tel +1 202 729 7600

fax +1 202 729 7610

http://www.wri.org

World Resources Institute gratefully acknowledges generous financial assistance from Vodafone, PLC for the research presented below.

Markets + Enterprise White Paper

Foreword

Innovations in Financial Services for the Poor
Dr. Allen L. Hammond1 Over the past 30 years, the rise of microfinance has helped many Base of the Pyramid (BoP) households to improve their livelihoods and even, in some cases, to climb out of poverty. Microfinance is increasingly becoming a commercial activity with significant involvement by banks. And with an industry-wide client base of approximately 80 million borrowers, it’s clear that Muhammed Yunus deserved his Nobel Peace Prize. But the need for access to financial services by BoP households is both much larger than 80 million customers and more varied than micro-savings and micro-lending. I believe that the next truly transformative innovation in financial services for the poor is now visible. That innovation is mobile phone banking—already fully commercial in the Philippines, in South Africa, and in Kenya, and gathering momentum virtually everywhere in the developing world. While banks may play an important role in this activity, the real catalysts are likely to be technology owners and experts. Specifically, two parties will be key to the coming mobile banking revolution: first, the mobile telecom companies that own the networks capable of reaching several billion


unbanked people and the servers capable of processing many billions of tiny transactions; and second, the startup mobile transaction companies that are figuring out innovative ways to use those networks. The following report, Biometric Security for Mobile Banking, addresses a key barrier to an impending technology-driven revolution in financial services for the poor. This forward provides some context for the report and its findings by describing technology trends and their potential implications for access to financial services. Enabling Technology Trends There are several technology and business trends worth mentioning here. One is the build out of mobile telecom networks, arguably the most remarkable (and largest) recent technological phenomenon on the planet. There are already more than 1.5 billion mobile phones in use in developing countries, and that number is likely to reach 2.5 billion within the next 5 years. More than 80 percent of new customers worldwide will come from developing countries, and since nearly everyone in developing countries who is not part of the

Markets + Enterprise White Paper

Forward: Innovations in Financial Services for the Poor Dr. Allen L. Hammond

BoP already has a mobile phone, that growth will come almost entirely from adding BoP customers. Growth is still explosive—in India, mobile companies are adding more than 8 million new customers a month and plan to build more than 30,000 additional cell towers in the coming year. Mobile companies in Africa plan to invest $50 billion to expand their networks in the next five years2—double the rate of investment of the past five years. Impending privatizations of government-owned phone companies in countries with large, unserved rural populations, such as Vietnam, are attracting many interested bidders. A recent empirical study of low-income consumers’ spending patterns showed that the share of BoP household expenditures on ICT services (largely mobile telephony) rises 8-fold between the lowest and the highest income segments of the BoP. This is a far more dramatic increase than any other sector and a clear preference that underscores the huge latent demand remaining to be tapped3. This is especially the case in Asia and Africa, where BoP populations and markets are dominantly rural and not yet well served by mobile networks. A second trend is the increasing technological sophistication of mobile handsets, even as prices decline. Virtually all basic handsets now include voice and data capability and significant memory; many are multimode (capable of working over more than one frequency band); cameras are increasingly a common feature, even for low-end handsets. Some high-end handsets include Wi-Fi capability, and there appears to be no technological reason why Internet-enabled mobile handsets (e.g., multimode handsets with a Wi-Fi radio) cannot easily be made available to lowend customers as well (one estimate is that the cost, in quantity, of adding a Wi-Fi chip to a handset will be less than $5 per phone). Moreover, costs of entry-level handsets continue to decline: $30 GSM phones are common, and a $20 handset is planned for release in India later in 2008. The processing power of handsets is also increasing


rapidly, and is expected to equal that of today’s PC within about 5 years. Thus, mobile phones are becoming inexpensive, Internet-enabled, multimedia-capable computing devices—with a replacement market approaching 1 billion phones per year. So it’s not hard to think of them as portable banking terminals. Of course, conventional mobile phone networks don’t yet cover many rural parts of developing countries, and may never do so. The costs of installing a mobile network (usually more than $100,000 per cell tower, including diesel generators) may simply be prohibitive, especially where sparse populations and low incomes mean that a positive return on investment will be a long time in coming. Such high costs lead us to a third technology trend, which may prove important, especially for BoP financial services—the growing capability and very low costs of advanced fixed wireless networks—especially Wi-Fi or WiMax networks4, but including advanced VSAT networks. These technologies are based on open standards, attract many manufacturers, and hence have declined in cost very rapidly. They also are optimized for data—they are broadband networks capable of carrying a much higher volume of Internet or data traffic than are the proprietary cellular networks commonly deployed by mobile telecoms. That makes them ideal for a wide range of services, including Voice over Internet Protocol (VOIP), commonly called Internet telephony—and it may turn out that these advanced networks are especially well suited as a way to extend mobile telephony into more remote, rural areas. Trends in Action: The Case of Vietnam World Resources Institute, in partnership with USAID and AUSAID, a provincial government, and a mobile telecom company—as well as Intel and other equipment vendors—has recently deployed just such a Wi-Fi/VoIP network in a poor, rural part of Vietnam5. The pilot uses advanced mesh Wi-Fi technology to link together a group of rural villages, and advanced Wi-Fi backhaul technology to link those villages to existing optical fiber. It provides voice service using VoIP on Wi-Fi-enabled phones and Internet access to telecen-

Markets + Enterprise White Paper

Forward: Innovations in Financial Services for the Poor Dr. Allen L. Hammond

ters or individual computers. The structure of the network makes it possible to provide local calling—within a group of villages—at no cost (in effect, these villages are all within a large Wi-Fi hotspot), while charging normal prepaid tolls for calls to more distant locations. Since about half of the phone calls in most local networks stay local, free local calling is a powerful incentive to own a phone. But the most interesting characteristic of the network is its low cost: we estimate that the capital investment required to build this network to cover every rural village in a million-population, mountainous province is about $3 per person ($15 per household)—between one-fifth and one-tenth the cost of a conventional cellular network in the same terrain. An additional characteristic of the Wi-Fi networks is their low power requirements, such that they can be powered with solar cells instead of diesel generators, when no reliable access to the electrical grid is available—making these networks more environmentally benign as well. Thus we believe that mobile telecom companies will be able to profitably provide service even in remote rural areas. With Wi-Fi-enabled mobile handsets, the phones will work on either the village Wi-Fi network or the urban cellular network. In fact, most users won’t know or care which network the phone is using. It may seem strange to suggest building a modern, broadband network with cutting edge technology in the world’s poorest areas. Yet the justification, I believe, is that the technology (or rather the services it enables) is simply more valuable for rural BoP communities than in more developed, urban locations that already have a variety of options for connectivity. When you have no phone service and no Internet access, your first connection makes a huge difference—and it may only be affordable with the very latest technology6. The demand for affordable phone service and for Internet access in BoP markets is, as pointed out above, very large and largely unmet. As it turns out, more than half a dozen of the world’s leading mobile phone companies active in developing countries have expressed interest in this approach and in visiting the Vietnam pilot to see for themselves both how it works and the extent of


customer acceptance. Mobile Banking for the BoP What are the implications of these broader technology trends for mobile banking, and especially for extending banking services to low-income, rural areas? Let me start with an example from my recent work in Vietnam. If you are out on the streets around midnight in Hanoi, Vietnam’s capital, you cannot miss the thousands of motorbikes streaming into the city, so loaded with produce that the driver is nearly invisible. These farmers are taking their produce to wholesale markets that operate at night, so that the products reach stores and restaurants in time for the next morning. The farmers, however, don’t stay—they turn over their crop of flowers or vegetables to the owner of a market stall, and then start the (often long) journey back to their rural village. How do they get paid for their crop? Usually, not until the next time they come back into the city— which might be a month or more later, when they return with their next load of produce. Suppose they could get paid the next morning, as soon as their crop is sold by the market stall, on their mobile phone? That mobile phone banking will benefit rural BoP families seems clear. The continuing rapid growth of mobile telecom networks and customers provides an enormous potential market for banking services—the 2.5 billion people in developing countries expected to be mobile phone customers within 5 years. The growing processing power and sophistication of mobile handset technology will make possible a wider range of services such as advanced transaction security and voice recognition/voice synthesis that could benefit BoP customers, (for example by coaching illiterate customers through a banking transaction), while decreasing costs place mobile handsets within reach of a wider market. Extending mobile networks with Wi-Fi or other fixed wireless technologies and with Internet telephony can provide coverage in more remote or sparsely-populated areas, as well as lower costs for local calling. Therefore, conditions are favorable for extending financial services to the vast number of people in developing countries that are now unbanked.

Markets + Enterprise White Paper

Forward: Innovations in Financial Services for the Poor Dr. Allen L. Hammond

Two basic kinds of mobile banking models have been deployed: bank-centric models that work under the banking license of a single bank and will work on one or frequently multiple mobile telecom networks; and telecom-centric models that work on a single telecom network but are compatible with multiple banks or banking networks. Wizzit (a start-up company) in South Africa uses a bank-centric model that can work with multiple mobile networks; the Smart money network in the Philippines is also bank-centric, but works only on the Smart Telecom mobile network; and m-Pesa in Kenya is bank-centric, but works only on the Vodafone (Safaricom) mobile network. G-cash, deployed on the Globe Telecom mobile network, is a telecom-centric model that works with multiple banks. These models have been discussed elsewhere and I will not elaborate on them here. But it is perhaps useful to note that Vodafone expected some 200,000 customers at the end of the first year of operation of its m-Pesa system in Kenya, but found itself dealing with long lines of eager customers that resulted in 200,000 customers in 2 months and more than 1 million customers in less than a year. There is no shortage of demand for mobile banking services. These models may well be rapidly replicated. Globe is franchising G-cash to other mobile companies; Wizzit plans to do the same; Vodafone is planning to replicate m-Pesa on other Vodafone networks in developing countries. Other models will appear. All Mexican banks, for example, have signed onto a common platform for m-transactions and will shortly begin deploying mobile banking services. There is movement toward mobile banking in Nigeria, Pakistan, and a number of other countries. We are probably entering an era of rapid experimentation and competition, from which the winning models will emerge. I believe that it is plausible that the next 5 years will see 1 billion unbanked people gain access to financial services via mobile phone banking. Mobile telecom companies in developing countries already understand that their growth is dependent on serving BOP customers,


and they are eagerly looking for value-added services to offer those customers. From that perspective, mobile banking looks like a killer application—one that will drive phone usage and increased individual phone ownership (you might share your phone, but you are less likely to share your wallet). Mobile Transactions Mobile banking provides a way to offer a wide range of financial services. In addition to cash management, loan and bill payments, direct deposits of salaries or of receipts from retail sales or other commercial transactions, mobile networks can also offer remittances and money transfers and, either directly or via a linked debit card, facilitate cash-less consumer purchases. In Kenya, Vodafone found that some m-Pesa customers were using the system to provide a safe way to carry funds from one location to another—they would deposit cash to the system, and then draw it out again upon reaching their destination. Typically, both bank branches and a wide range of retail shops provide cash-in and cash-out locations, where mobile banking customers can exchange cash for digital credits or viceversa. In the Philippines, Smart money customers are notified of a remittance from a relative overseas via a text message and can pick up their cash at any McDonalds or at a large number of small convenience stores or kiosks or have it credited directly to their debit card. Given the large and rapidly growing volume of both international remittances (estimated at $300 billion/ year) and domestic money transfers, and the hazards of carrying cash in many parts of the developing world, this broad range of services will find ready markets. In addition, mobile phones can provide a marketing and sales platform for additional financial services, such as insurance (life insurance, health insurance, and crop or weather insurance), since they can readily provide information on or answer questions about specific products, in local languages. (Such information is especially easy to provide with the VoIP systems described above as part of village Wi-Fi networks, since they can be programmed into the VoIP switches—e.g., they are automated software-based products, even if delivered as voice). Moreover, the transaction

Markets + Enterprise White Paper

Forward: Innovations in Financial Services for the Poor Dr. Allen L. Hammond

records including payment or remittance records of a customer’s mobile phone account may prove a kind of substitute credit rating that could qualify a mobile banking customer for a micro-loan—applied for, approved, paid out, and eventually repaid over the mobile platform. Both of these (still hypothetical) examples illustrate how mobile transactions could dramatically lower transaction costs, compared to conventional banking methods, thus making BoP financial services more affordable to customers and more profitable to banks. Barriers to Mobile Banking A key barrier to the rapid expansion of mobile banking is lack a familiarity with the technologies and business models on the part of both banks and telecom companies, and the necessity of establishing partnerships that involve both kinds of companies. As awareness spreads of the success of mobile banking efforts and of the details of specific models, however, these hesitations are beginning to disappear. Competition and the fear of being left behind will increasingly spur innovation. A more significant barrier is regulatory approval, especially by central banks and sometimes by telecom regulatory authorities7. Central banks – along with the U.S. Treasury Department – are concerned that mobile banking provides adequate protection to customers and to the banking system itself against fraud, money laundering, and other criminal activities such as transfer of funds by terrorist organizations. At present, security for mobile banking transactions rests on several parallel approaches: device-based security, such as the unique SIM card within each mobile handset that identifies the customer who owns the phone; know-your-customer requirements, especially for the retail cash-in/cash-out points that are usually required to have a traditional bank account and establish their identity to the bank in order to open the account; and pattern recognition software that tracks transactions to ensure that limits on the size and frequency of transactions does not exceed regulatory limits that might suggest money laundering activity. The weakest link is device-base security.

Many central banks in developing countries have yet to establish rules for mobile phone banking, nor have they set in place some version of the transaction security system described above. And because mobile banking is still in its infancy, serious criminal attention to defeating these systems, for example by hacking SIM cards so as to “establish” fake accounts or take over legitimate accounts, has probably not reached the levels likely to occur eventually. Building capacity in central banks and spreading awareness of safeguards and how they need to be implemented is important to accelerate the spread of mobile banking. Biometric ID and Enhanced Transaction Security There may also be a significant role for technology in improving mobile transaction security, as the following report makes clear. There has been a lot of work on biometric identity systems in recent years. The report surveys that work and assesses its relevance for mobile banking. In particular, it identifies a biometric technology approach that has already been incorporated in some mobile handsets—a sophisticated, but low-cost, fingerprint sensor. Use of this approach for mobile banking would work something like this: When a customer initiated a mobile banking transaction, the handset would request that the user register his or her fingerprint on the sensor, and the handset would compare the fingerprint to the one already stored in the phone (and, as a backup, also stored on the bank mobile transaction server). The handset would then send the transaction request and the result of the fingerprint comparison—in effect, a biometric ID authentication—to the bank server for approval and execution of the transaction. That would replace the device-based security safeguard (the SIM card) with something much more robust and harder to defeat. As the report makes clear, the technology to implement such a system is available now. In summary, there is a confluence of technology trends leading to viable solutions that can enable very widespread access to financial services. Demonstration of these technologies and the related service models will help to accelerate commercial adoption, overcome


Markets + Enterprise White Paper

Forward: Innovations in Financial Services for the Poor Dr. Allen L. Hammond

regulatory hesitation, and empower the unbanked billions. We therefore invite widespread discussion of these solutions, in the belief that as they become better known, acceptance of mobile banking as a viable commercial enterprise by banks, telcos, and regulatory authorities will accelerate.
FOOTNOTES 1)Dr. Allen L. Hammond is Vice President for Innovation and Senior Fellow, Markets & Enterprise Program at the World Resources Institute. 2)Tom Phillips, GSM Association, cited in Balancing Act, Issue # 378 (London, 2007). 3)The Next 4 Billion: Market Size and Business Strategy at the Base of the Pyramid (International Finance Corporation and World Resources Institute, Washington DC, 2007). 4)Wi-Fi is the wireless standard already widely deployed employed in hotspots and in homes and offices; WiMax is its more sophisticated (and expensive) cousin, designed to handle the multiple reflections of wireless signals encountered in urban environments and to provide slightly longer range. Its complexity and cost are at present a disadvantage in rural areas of developing countries, compared to Wi-Fi, although costs are expected to continue declining. 5)The pilot referred to here is one of several similar pilots in Vietnam; other similar models have been deployed in Mongolia and Sri Lanka. 6)The advanced mesh WiFi access points being used in the Vietnam pilot can connect at high speeds to a normal laptop within a “cell” extending at least 1 kilometer from the access point, except where line-of-site is blocked by hills or tall buildings; with a small extension antenna plugged into the laptop, the cell radius is 2 kilometers. This range often makes it possible for a single access point to cover a village or a rural neighborhood extending over several square kilometers. With the appropriate antenna, the units can connect to the next cell—e.g., the next village coverage zone—located between 1 and 10 kilometers away. As many as 10 such cells can be linked together in a chain, sharing a single fiber link or VSAT connection to the Internet. Such advanced technology thus facilitates affordable connectivity for rural BOP populations--connectivity that may otherwise be prohibitively expensive. 7)CGAP, Regulating Transformational Branchless Banking: Mobile Phones and other Technology to Increase Access To Finance, Focus Note 43 (cgap.org/portal/site/ cgap/BranchlessBnaking/FN43).

8

Markets + Enterprise White Paper

Biometric Security concerns of the financial sector in trying to reach the unbanked for Mobile banking Biometric authentication for mobile banking addresses key
Loretta Michaels8 The provision of basic financial services to unbanked populations, and the growth of mobile phone networks, are both widely acknowledged as having broad economic benefits. The logical extension of these growth areas is to converge the two to allow innovative approaches to rural banking and payment systems. In order to do so, countries need to pursue both broader coverage of cellular networks, and better connectivity in the form of affordable mobile phones and easier access to financial and other types of services. The economics of extending high-cost cellular networks into rural areas cannot usually be justified without high voice and data traffic forecasts. One way to address low-cost coverage is via WiFi technology, which is the subject of another WRI project9. Beyond basic coverage, however, is the need to link users to useful financial services via easy-to-use handsets and simple applications. For the banking sector to provide financial services in rural areas, the issues they face include not just coverage and connectivity, but also basic familiarity with banking systems, from training and education in the use of bank accounts to the provision of adequate security measures for users unfamiliar with PINs and passwords and who often have few formal identification documents. It is the security issue that is of particular importance to financial institutions, not just in developing countries but worldwide, led by growing concerns about money laundering and terrorist financing, fraud and consumer protection. An area of rapid development in security systems is the use of biometrics. While fingerprints have long been used in law enforcement, other types of biometrics have largely been the stuff of research and science fiction. However, rapid advances in biometric technology, largely driven by national security concerns, have brought several biometric solutions to the mar

ket, especially for border control, physical access and fraud prevention. To date these biometric systems have largely been complex and expensive to build and operate, and have thus been limited in their implementation. As technology improves, the ability to use biometrics for individual applications, particularly in mobile banking, is of great interest to financial institutions seeking secure means of signing up rural customers. The purpose of this document is to provide an introduction to biometric technologies, and in particular look at those biometric technologies that would be portable to mobile platforms. The intention is to understand and evaluate how biometrics might be used for mobile banking and payment systems, and to identify the best approach to take given the current state of the technology and the nature of most rural markets in the developing world. The Biometric Process Biometrics is typically defined as a means of uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. Physical traits refer to what you are, as opposed to what you know, and include such things as fingerprint, face, retina, iris, hand geometry, and DNA. Behavioral traits reflect what you do, and include such actions as signature, gait, and keystroke. One biometric trait that is considered both physical and behavioral is voice. Regardless of the type of biometric that is used, the process involved when conducting biometric authentication is generally uniform (see figure below). The user will first enroll themself in the system by providing multiple samples of the relevant biometric, which are then converted to digital, mathematical “templates” and stored for future reference. Once the user is successfully enrolled, they’ll gain biometric access to the system by presenting a “live scan” of the biometric

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

trait, which is then compared to the reference template. The comparison of templates takes the form of either identification, which means that the live scan is compared to many templates to ascertain who the user is (aka a 1:N comparison), or authentication, where the live scan is compared to just one template to confirm that the user is indeed who they say they are (a 1:1 comparison). The determination of whether or not the two templates match will depend on the levels of accuracy demanded by the system administrator (the threshold level). This may seem oddly flexible for a security system, but in fact no biometric system is completely foolproof in returning a 100% total match. Rather the systems will indicate that the templates correspond to a certainty level of, say, 95%. It’s up to the administrator of the security system to decide how accurate they demand the match to be, and set the system accordingly via the threshold level. The distinction between identification and authentication is important when evaluating biometric systems, as the systems will require different threshold levels, not to mention vastly different storage and processing systems. After all, confirming that I am who I say I am is very different from trying to determine who I am in the first place, and the former should be easier than the latter. It’s also important to understand the different performance metrics of a biometric system, as these will impact what sorts of threshold levels are needed depending on the purposes of the security system. As their names imply, the False Match Rate (FMR, also

known as the False Accept Rate, or FAR) measures the percentage of invalid users who are mistakenly allowed into the system, while the False Non-Match Rate (FNMR, or the False Reject Rate, FRR) measures the percentage of valid users who are mistakenly rejected by the system. While it would seem intuitive to set both measures as close to zero as possible, in reality there are tradeoffs made depending on the purposes of the biometric system. For example, access to a nuclear weapons site would demand absolutely no false matches, but will correspondingly result in a higher number of false rejections of valid users, which will then need to be resolved via other means of verification. While military authorities will probably deem this type of inconvenience to valid users an acceptable price to pay for nuclear security, other organizations may demand more user-friendly systems for their employees or customers, say for access to an office building elevator or all-day passholders at a theme park10. Because the levels determined for both FMR and FNMR involve a tradeoff in the system design, most scientists who are looking to compare biometric verification systems will in fact look at the level at which the FMR equals the FNMR, otherwise known as the Equal Error Rate (or EER). Other measures that are looked at when evaluating biometric systems are the times required for enrollment and verification, and the Failure to Enroll (FTE) rate, which would reflect how often users are unable to enroll at all due to any number of reasons, including illness and physical injury.

Figure 1. Comparison of Biometric Templates
10

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

Another element to consider when designing a biometric system is whether the template comparison, or matching, will occur locally, for example on the mobile handset or the door keypad, or centrally using a separately located database. The obvious implications of this choice are the need for storage capacity and communications links between the biometric scanner and the host system. Local matching will require less processing power, but will also mean a limit to the number of reference templates that can be stored for comparison purposes. As a result, local matching is generally though to be better suited for 1:1 authentication, requiring a yes or no decision about a single template match. Depending on the type of system being implemented, some experts also believe that local storage and verification of reference templates are better for preserving the privacy of personal data. The fact that many biometric systems use each successive live scan to enhance and improve the reference template on the local device is another reason to consider local matching systems. Larger, centralized matching systems have their own benefits, of course. For one thing, they will have greater storage and processing power available to the system, and are therefore able to provide both 1:1 and 1:N authentication, which is necessary for some systems such as law enforcement and surveillance. This greater capacity and capability, however, will necessarily involve the storage of multiple reference templates, which will impact system hardware and software needs. There is also the need to constantly monitor the host and its communication with scanner units such as mobile handsets, plus database management and backup requirements. To date, no research testing has been done to compare accuracy levels between local and centralized biometric matching systems, although there’s little reason to believe that there would be major quality differences. Rather, biometric experts agree that the performance of any system will depend more on the quality of the scans that are taken, which in turn depends upon environmental issues such as noise, illumination or dirt, and on usability issues, which in turn will depend
11

on system design and user training. Decisions about which type of system to build should be based upon what types of authentication will need to be done, 1:1 or 1:N, how the system will be used, what level of backup and communications links can be built, and how the entire system needs to integrate into existing information management systems. For purposes of replacing PINs and passwords for mobile banking transactions, biometric authentication via local matching should suffice in terms of security, as the bank’s purpose will be to verify whether the user is who they say they are rather than identify them in the first place. In keeping with the latest financial security standards, banks may want to employ two-factor identification, whereby two criteria are used to verify the customer’s identity, but this is entirely feasible with the mobile phone. One solution is to register the handset, usually via the user’s cellphone number, and link it with a particular individual account holder, and then send this information along with the biometric confirmation to the financial institution’s processing systems. Many Kinds of Biometrics There are many types of biometrics being studied today, some of which are already being commercially implemented in certain applications. Physiological traits that are used for validating a person’s identity include fingerprints, faces, retina and iris, voice, hands including knuckle, palm and vascular patterns, DNA and other more experimental traits such as odor, earlobes, sweatpores and lips. Behavioral traits include signatures or specific signs, keystroke patterns, voice, and gait. While fingerprints have been in use by law enforcement for more than a century, the rest of the biometric traits listed here are far more recent and in some cases still considered very experimental. An indepth review of all the various biometric technologies is beyond the scope of this paper. Rather, what we are interested in is which of the biometrics can be considered portable to some type of mobile device, specifically a cellphone. The biometrics that lend themselves most to the small form-factor inherent with a cellphone are facial recognition, voice recognition, iris recognition and fingerprints. (Signatures and sign rec-

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

ognition are proving to be reliable authentication tools, but they require larger and more sophisticated screens than would be found on most cellphones nowadays, so they are excluded from this analysis.) The issues to consider in evaluating these measures include accuracy, reliability, acceptability, susceptibility to fraud, ease of enrollment, usability, environmental effects, hardware and software size, and cost. Facial Recognition A facial recognition system uses a computer algorithm to identify or verify a person from a digital image or a video frame. This is done by comparing selected facial features from the image and comparing them against a

neuronal motivated dynamic link matching. However, in recent years, a newer facial technology has emerged, 3D facial recognition, that isn’t affected by illumination and is showing accuracy rates up to ten times better than older algorithms11. Facial recognition is cheaper and easier to use than iris or retinal scans, in part because it’s less invasive and can generally use low speed, low resolution cameras, but it gives a higher false negative rate than other biometric technologies because of the need for tightly controlled environments. A facial recognition system is sensitive to such criteria as head position and angle, movement, lighting and other factors, including the use of different cameras for enrollment and verification. In addition, facial recognition has certain weaknesses that limit its usefulness for fraud prevention. It cannot distinguish identical siblings, it can be defeated by pointing the camera at a high-resolution video monitor playing a video of an authorized user, and can also be defeated by the use of a severed head. And of course there may be religious or cultural prohibitions against facial photographs in some regions of the world that will limit its voluntary uptake by target users. As a result of the environmental issues noted above, facial recognition’s reliability is still lower than other technologies, and usually returns a list of “close matches” rather than a single definitive match, as do iris and fingerprint systems. For the time being, facial recognition is most often deployed in 1:N environments for large-scale identification opportunities, surveillance and law enforcement.

reference template usually stored in a facial database. While it’s much newer than fingerprint technology, it’s gained wide usage in some security applications, particularly CCTV systems and some border crossing controls. Facial recognition emphasizes features that are less susceptible to alteration, like eye sockets, cheekbones, and the sides of the mouth, and as such is resistant to many of the changes associated with most plastic surgery and to changes that come with aging. Traditional facial recognition algorithms include Eigenface, Fisherface, the Hidden Markov model and the
12

A basic facial recognition system can probably use a standard camera phone of 1 Mg or more, while template size can range from 1000 to 2000 bytes. (See chart on page 8 for comparison of biometric templates.) Voice Recognition Virtually all North Americans are familiar with speech recognition, having come across it when trying to phone most companies nowadays. Voice recognition differs from speech recognition, in that voice recogni-

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

tion analyzes how you say something, versus what you say in speech recognition. Each person’s voice is unique, due to differences in the size and shape of their vocal cords, vocal cavity, tongue and nasal passages. The way an individual speaks is also determined by the complex coordination of their lips, jaw, tongue and soft palate. Voice and speech recognition can in fact function simultaneously using the same utterance, allowing the technologies to blend seamlessly: speech recognition can be used to translate the spoken word to an account number, while the voice recognition verifies the vocal characteristics correspond to those associated

mance can also vary according to audio signal quality as well as variations between enrollment and verification devices, and with variations in environments (inside versus outside, variations in background noise, etc.). Voice changes that occur as a result of time, injury, cold or illness can also be an issue. Finally, voice recognition can be defeated by playing back a high fidelity recording, which would obviously be of great concern to financial institutions. While voice recognition benefits from ease of usage, high user acceptance, and no need for new hardware, the impact of environmental issues upon performance renders it of low to medium accuracy, which is not likely to meet the security needs of most financial institutions. Iris Recognition Iris recognition is a newer method of biometric authentication than analyzes the features that exist in the colored tissue surrounding the pupil, such as rings, furrows, freckles and the corona. Iris patterns possess a high degree of randomness, with each iris having 266 unique identifiers as compared to 13-60 for other biometrics. These iris patterns, which differ even between identical twins, are apparently stable throughout ones life (although they will change within hours of death, preventing the use of dead eyes). The iris features and their location are used to form what’s called the IrisCode T, which is the digital template of the iris, with an average template size of 512 bytes.

with that user’s account. Considered both a physiological and a behavioral biometric measure, voice recognition has good user acceptance and requires little training to use. However, while popular, low cost and capable of working over any phone, it’s less accurate than other biometric systems and can entail lengthy enrollments requiring multiple voice samples to attain a usable template. Spectrographic voice images are used to create a relatively large template, between 2 and 10 kilobytes. There are many vendors of voice recognition systems, along with many proprietary technologies, and though no systems have been commercialized on handheld devices, processing can be done on a central server that is easily accessed via a mobile phone, so no new hardware should be needed. One of the biggest weaknesses of voice recognition is that it suffers from a high reject rate in noisy environments, which is a problem for outside usage. Perfor1

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

Iris recognition is proving to be a highly reliable technology, offering excellent performance with a very low false match rate, while being less invasive than the older retinal scans. However, for the time being, real-world efficacy rarely matches the performance achieved under laboratory conditions. An iris scan involves a small moving target, located behind a curved, wet, reflecting surface, which is obscured by eyelashes and lenses, and partially occluded by eyelids that are often drooping. As a result, using the system effectively requires tightly controlled environments and a very high level of training. Iris scans require hardware that is not usually found on today’s average cellphones. Typical cellphone cameras are still too low in resolution for accurate iris scanning applications, and a proper iris scan requires a near-infrared illumination filter instead of the more common visible light filter found in cellphone cameras. Additionally, to prevent a picture from being able to fool the system, advanced devices may vary the light shone into the eye and watch for pupil dilation, a feature that is not currently viable on small devices like cellphones. In terms of user acceptance, the fact that iris scans are not invasive is helpful, assuming the training issues can be properly addressed. Of course there remain some negative, Orwellian connotations to the use of iris scans, but whether these concerns would also apply to developing country users is unclear. Fingerprints The use of fingerprints to identify people has been around for over a century. It ’s the most mature biometric technology out there today, with accepted reliability and a well-understood methodology. As such, there are many vendors of fingerprint recognition on the market today, although not all of them employ compatible equipment or algorithms. Three of the traditional means of fingerprint recognition employ Optical, Captive Resistance/Pressure, and Thermal scanning technologies. While all three have been in use for years, with good reliability and accuracy, they do have weaknesses when faced with today’s demand
1

for better fraud prevention in the face of more sophisticated biometric applications, not to mention more sophisticated criminals. Specifically, all three of these types of fingerprint scanning can be defeated in various ways, such as using dead fingers or copying the last print used with adhesive film and re-presenting it to the scanner. Additionally, testing has shown that the elderly, manual laborers and some Asian populations are more likely to be unable to enroll in some of the traditional fingerprint systems. A newer fingerprint technology, employing RF Imaging, uses ultrasonic holography of the outer layer of dead skin as well as the inner layer of live skin to create the template, rendering it nearly 100% accurate, not to mention resistant to the use of fake or dead fingers, or dirt and oil. In addition, the newer fingerprint systems use each new scan of the finger to enhance the existing template, thus making it more accurate with use over time. While fingerprints have proven to be highly reliable and accurate over the years, particularly now using RF imaging, they’re not completely infallible. They can be affected over time by such things as years of manual labor or physical injury, so there would probably be a desire to update the reference templates as and when necessary for commercial and financial applications. Other factors that can cause failure in a fingerprint scan are cold and humidity (particularly in the older types of fingerprinting), and location, angle and pressure of placement on the sensor (known as a platen). Other issues to consider are that the use of fingerprints requires physical contact, which can be a problem in some cultures, and the fact that fingerprinting’s long association with criminal justice lends itself to some privacy resistance, although this will probably ameliorate over time with increased use of biometrics and updated privacy laws.

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

Fingerprint capture technology is easily accommodated on a cellphone, with sensor sizes ranging from 12 mm x 5 mm to about 1.5 cm x 1.5 cm, and low power and processing requirements. The fingerprint template itself ranges in size from about 256 bytes to 500 bytes. Chart 1. below summarizes the main characteristics of the biometric technologies discussed in this paper. Market Activities in Mobile Biometrics Currently, most biometric applications around the world tend to focus on national security and law enforcement activities, as well as physical access to sensitive or restricted facilities. As understanding of the technologies and their performance levels has improved, more sectors of the economy are looking at the use of biometric systems for identification and authorization. The technology and financial sectors in particular are interested in the use of biometrics, partly to improve their customers’ user experience by saving them the hassle of having to constantly re-enter pins, passwords and account numbers. For those parts of the financial services world who are seeking to expand their customer base into previously unserved areas, inconsistencies in the availabilities and types of official identification present challenges to opening up new accounts. Biometric identification is one way of addressing those challenges. Asia is leading in the use of mobile biometric activity12. Most current cellphone-based biometric applications are being seen in Japan, South Korea and, increasingly, China, where biometrics are used to unlock handsets and/or applications on the handset. In all these cases,

though, the biometric is used to supplement, rather than replace, the normal security systems already in place for online and mobile banking. In Japan, Softbank Mobile (formerly Vodafone) and NTT DoCoMo both offer Sharp handsets that use Face Recognition, from biometric vendors such as Oki and Neven Vision. Several handsets on offer at all the mobile operators have Fingerprint sensors, including those from LG, Fujitsu, Samsung, Panasonic and Sharp, using fingerprint technology from AuthenTec and Atrua. In addition, Oki Electronics has come out with a proprietary cellphone that contains Iris Recognition software that uses the phone’s own camera. (Whether this phone has had to be retrofitted with infrared filters is not clear.) In China, handset vendors are starting to introduce handsets with fingerprint technology, including Yulong and Qiao Xing Mobile (CECT). And in Korea, KTF has introduced several phones using AuthenTec’s fingerprint solution, including those from Pantech, Motorola and LG. While Europe hasn’t been as active in this area, there was an EU collaborative research program started in 2004 called SecurePhone that produced a high-end PDA prototype using face, voice and signature-based biometric authentication systems on a SIM card. More recently, Swisscom Mobile has embarked upon a trial using Atrua’s fingerprint sensors on a Toshiba phone. In India and parts of Africa, governments and financial institutions have started using biometrics to enroll rural populations for social benefits and banking applica-

Chart 1. Main characteristics of biometric technologies
1

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

tions. In these cases, the reasons for the use of the biometrics are to provide identity verification and prevent fraud. While these applications are generally being provided via mobile ATMs, smart-cards and “roving” service agents, rather than via cellphone, the concepts are similar and proving usable in these markets and, critically, acceptable to financial regulators. In India, the government has embarked on a rural employment guarantee program, guaranteeing people 100 days work a year if they are poor. However, the system, which uses job cards and involves many intermediaries, has been rife with fraud. In the Indian state of Bihar, a project has begun to set up a biometric system of identification for job cards, after which all payments will be deposited directly in the bank accounts of the poor, thus checking leakages. One challenge to this scheme is that banks have been notoriously reluctant to open small accounts for illiterate users who cannot handle paperwork; and many poor people have to travel 50 miles to get to a bank branch. In response, a few major Indian banks (Canara, Andrha, ICICI), as part of a mandate by the government to address the vast unbanked populations in the rural areas, have recently introduced fingerprint-enabled ATMs, both mobile and low-cost fixed. Customers are enrolled and given a smart-card that holds their account information as well as their biometric identification. They then swipe their smart-card on the ATM, and present their finger or thumb, which is compared against the information contained on the smart-card for authorization. Simplified voice instructions and color-coded touchscreens walk the user through the various banking transactions, while a service representative is always on-hand to provide additional support if necessary. While these trials were introduced to much fanfare in early 2007, and appear to be working well according to preliminary press, there have not yet been follow up reports indicating whether the banks themselves consider the trials to be commercial successes. However, such efforts are not just a response to the government’s mandate, as Citigroup has launched a similar project in India, making clear that they intend to make a profit doing so.
1

In South America, Bolivia led the way in the use of biometric ATMs, having been introduced in 1999 by the Prodem FFP bank. Targeting low-income communities and entrepreneurs offering a wide range of savings, credit and money transfer services, Prodem rolled out a large urban and rural network of branches and smart ATMs (now at 90 branches and 52 ATMs). To overcome barriers such as illiteracy, they created a solution employing smart cards, fingerprint recognition technology and smart ATMS, as well as stand-alone, voice-driven ATMs in local languages with color-coded touchscreens. In fact, Prodem was a finalist for the 2005 Gateway Development Prize for its innovative approach, which went on to provide the framework for later initiatives in India and elsewhere. South Africa is another place where the use of biometrics is growing, largely for identification purposes (having started in the mining industry years ago). Capitec Bank is using biometrics for providing lowcost banking services to unserved populations, largely via kiosks and smart-cards, while the government is using fingerprint recognition for the delivery of pension benefits to its citizens. As the use of biometrics grows in South Africa, so does the number and size of South African biometric vendors designing solutions specific to African needs. One such vendor, Net 1 Technologies, designs smartcard and banking systems aimed specifically at unbanked populations. Their system uses secure smartcards that operate in real-time but offline, unlike traditional payment systems offered by major banking institutions that require immediate access through a communications network to a centralized computer. This offline capability means that users of Net1’s system can enter into transactions at any time with other card holders in even the most remote areas so long as a portable offline smart card reader is available. Net1 was recently chosen by the Central Bank of Ghana to develop biometric smart-cards for use in that country’s ATMs and POS. Conclusions As biometrics continues to advance scientifically and technologically, its use and acceptability as a means of

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Loretta Michaels

security and authorization across various sectors also grows. In particular, the financial industry is increasingly interested in the use of biometrics to help in the ongoing fight against money laundering and terrorist financing, fraud and consumer protection. At the same time, as the provision of standard infrastructure lags far behind the rollout of cellular services in most developing countries, interest in the use of mobile phones to access rural populations and provide banking and information services is exploding. Biometrics would be a useful solution to the issue of security for mobile banking in developing countries, particularly to address the unique needs of the unbanked in rural areas. Technically, the use of biometrics is entirely feasible in mobile applications. The accuracy of biometric identification systems is as good if not better than most traditional banking security systems, and the software and transmission requirements of several biometrics technologies are certainly within the realm of possibility for most of today’s cellular networks. The main issue to address with any biometric system is that the performance will only be as good as the quality of the data captured, so that environmental controls and user training are of paramount importance. For purposes of mobile phone banking, fingerprint recognition appears to be the best technology to use today. Fingerprints are already being used for several rural banking applications around the world, with acceptable performance and security results. And while there is a requirement for incremental hardware and software to accommodate fingerprint sensors on the handset, the use of fingerprint recognition technology is being used in several mobile phones today by a wide range of handset vendors. As for use in cellular networks, the size of fingerprint templates, which can range from 250 to 500 bytes, can easily be transmitted via today’s GSM and CDMA data networks, allowing for systems that can provide matching both locally and centrally, depending on the application requirements. In terms of how it would work, fingerprint recognition security could either interface directly with a

bank’s online banking system, an approach that will often require costly systems integration (and result in an undesirable one-off solution), or it could interface with a separate mobile banking platform. The mobile banking platform would act as a “black box” intermediary between the cellphone and the bank, receiving the identity and biometric authorization data from the user’s handset and, once verifying the information, sending a pre-authorized signal to the banking system, using standard ISO banking protocols, telling the bank to go ahead with the transaction at hand. In fact this is how many mobile banking systems work today, taking information from the handset and translating it in one form or another for use by banks and payment processors. As is often the case with new technology applications, the biggest issue facing mobile operators and banks when trying to evaluate biometrics for mobile banking will not be the technology, per se, but rather the business case around building the technology into the application13. Questions such as who owns the customer, who builds and operates the mobile banking platform, who pays for the cellphone, and who handles all the implementation, training and customer-service related issues all need to be addressed to understand the overall attractiveness of a biometric mobile banking application.
FOOTNOTES 8)Loretta Michaels is a consultant with extensive experience in telecoms and mobile payments, particularly in the developing world. 9)See Forward. 10)Disney World was, until 2007, the largest user of biometric systems in the US. It used fingerprint scanners from Lumidigm, a company set up with financial backing from the CIA, NSA and DOD. 11)National Institute of Standards and Technology (NIST) 2006 Facial Recognition Vendor Test (FVRT). 12)Appendix A: leading vendors addressing mobile phone biometric technologies. 13)Appendix B: issues for consideration when designing a mobile banking system.

1

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Appendix A: Biometric & Handset Vendors

Appendix A. Biometric & Handset Vendors with Mobile Products in Market
Fingerprint Recognition Vendors AuthenTec, Inc. Melbourne, Florida, www.authentec.com. With over 25 million sensors in use worldwide, including in 7 million cellphones, one of the leading suppliers of fingerprint sensors for PC, wireless device and access control markets; AuthenTec has issued 33 patents on its technology, the largest patent portfolio in its industry, and is listed as one of the fastest growing technology companies in America. Atrua Technologies, Inc. Campbell, California. www.atrua.com Leading provider of fingerprint solutions to the mobile, consumer electronics, computing and mass storage markets, as well as a leading provider of joysticks and touchpads to the computing and gaming markets. Of the 12 new fingerprint mobile phone models announced in the first half of 2007, 10 had Atrua’s fingerprint solution. Currently in a mobile payments trial with Cellular South and Kyocera. Other leading fingerprint recognition vendors (currently without cellular solutions): L-1, CrossMatch, Lumidigm, SagemMorpho, Digital Persona, UPEK Face Recognition Vendors Omron Corporation Kyoto, Japan. www.omron.com A global leader in sensing and control components, Omron operates in a wide variety of fields such as industrial automation, home appliances & office equipment, automobiles, social & financial systems, and healthcare. In February 2005 it introduced the Okao Face Recognition Sensor, for use in PDAs, mobile phones and other mobile devices containing a camera. The Okao Vision line consists of a range of facial-recognition technology, including identification technology, which can recognize individual faces; the ability to estimate gender and age based on facial characteristics; a tracking technology that can detect and track the movements of a human body; and the ability to estimate where a person is looking based on the orientation of their face and gaze. Oki Electric Industry Co., Ltd. Tokyo, Japan. www.oki.com OKI is Japan’s first telecommunications manufacturer, and is now focused on three main businesses, the “infotelecom system” business, semiconductors and printers. It has been providing facial recognition software, the FSE (Face Sensing Engine) middleware for embedded systems, as a security product to various government agencies, financial institutions and other enterprises, along with its iris recognition technology. In late 2006 OKI introduced it’s new Iris Recognition Technology for Mobile Phones, which is able to use a standard camera that is embedded in a mobile terminal. Neven Engineering, Inc. (trade name: Neven Vision) Santa Monica, CA. Neven Vision was founded in 2003 by a group of people who had worked together on a biometrics company

18

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Appendix A: Biometric & Handset Vendors

(Eyematic Interfaces, Inc.), but in the last few years had changed their focus to applying that technology to mobile visual search. Their service offerings include image-driven mobile marketing services, visual mobile search, comparison shopping and m-commerce, enhanced photo messaging, secure data access and field identity verification. Customers include NTT DoCoMo (for authenticating transactions), the U.S. government (including the LAPD for identifying gang members), and Coca-Cola (for mobile marketing campaigns). Neven Vison holds a number of patents on face recognition, image recognition and video recognition, including the “image base enquiry system for search engines for mobile telephones with integrated cameras,” image-based search engine for mobile phones with camera,” and “single image based multi-biometric system and method.” In August 2006, it was purchased by Google, to be incorporated into Google’s Picasa product line to improve organization and search of personal photo albums. Google hasn’t made any specific announcements on how it intends to use the mobile technology it acquired with the purchase, although the fact that Google will be participating in the FCC’s spectrum auction indicates that it does plan some type of mobile offering. Other leading face recognition vendors (currently without cellular solutions): L-1, Bioscrypt, CrossMatch, SagemMorpho, Datastrip, Labcal Iris Recognition Vendors Oki Electric Industry Co., Ltd (see above) Other leading iris recognition vendors (currently without cellular solutions): Irisguard/Iridian (now owned by L-1), LG Iris, Panasonic Mobile Handset Vendors with Biometric Solutions in the Market Fingerprint Samsung, LG Electronics, Fujitsu, Hitachi, Motorola, Pantech, Toshiba, Panasonic, Kyocera, CECT, Yulong Face Sharp Iris Oki (proprietary)

1

Markets + Enterprise White Paper

Biometric Security for Mobile Banking Appendix B: Key Issues to Consider

Appendix B. Key Issues to Consider in Designing a Biometric Security System in Mobile Banking
- Who does customer belong to - mobile operator or bank? - Who builds, operates and owns the mobile banking platform? - Who pays cost of new and/or upgraded cell phone hardware? How are cell phone batteries kept charged (solar?) - How will customers enroll in system? Physical presence required, plus processes for verifying initial identify claims - How will customers be trained in use of system? - Should debit cards be issued in conjunction with service for use in urban ATMs? - Need exception handling for both enrollment and verification; 1-800 # for problems, with secret questions for when customer can’t verify biometrically? - To what degree will biometric match decisions be incorporated into existing interfaces for banking, payment and clearance systems? - How many identifiers - handset ID, bank account #, biometric ID - What are the threshold (accuracy) requirements? - Location of biometric data storage and processing for maximum availability - Administrative and auditing functionality to manage biometric accounts and transactions - How much personal data resides on handset? - Cash handling network and use of field agents, retail agents, mobile ATMs - Software requirements for cell phones not prohibitive; software and backup requirements for mobile banking systems and linkages to bank network to be determined - Processing requirements - need basic data network (shouldn’t need 3G as long as you’ve got a secure tunnel to the bank)

20