IMPROVING CUSTOMER AUTHENTICATION
David Lott, Payments Risk Expert
Retail Payments Risk Forum Working Paper
Federal Reserve Bank of Atlanta
April 2015

Abstract: Authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of our payment system. As technology has led to new forms of payments and the use of remote payment channels, there has been a growing challenge to modify existing and develop new authentication methods that deliver the necessary levels of efficiency and confidence. This paper examines the evolution of customer authentication methods from the early days of visual identification to the present environment of using physical and behavioral characteristics, known as biometrics. While the authentication of the payment order itself is separate from the authentication of the parties to a payment transaction, the separation of the two can be difficult in various payment instruments. The paper takes a high-level look at the authentication issue from a legal and regulatory viewpoint. Each of the authentication methods is reviewed as to its process, advantages and disadvantages, and applicability to the payments environment. Identification processes have the potential to create conflicts with an individual’s privacy rights, and this conflict is examined. Finally, the paper closes by discussing the key learnings obtained from this research effort.

The paper is intended for informational purposes and the views expressed in this paper are those of the author and do not necessarily reflect those of the Federal Reserve Bank of Atlanta or the Federal Reserve System.

IMPROVING CUSTOMER AUTHENTICATION

TABLE OF CONTENTS
I. Background 3
II. Two Faces of Authentication 5
III. Multi-Layered vs. Multi-Factor Authentication 9
IV. Enrollment Validation 9
V. Authentication vs. Verification 10
VI. Person-to-Person Authentication Methods 10
VII. Electronic Customer Authentication 11
VIII. Biometrics 17
IX. Biometric Authentication Methods 20
   a. Fingerprints 21
   b. Hand/Finger/Palm Geometry 22
   c. Vein Recognition 23
   d. Facial Recognition 23
   e. Facial Thermogram 25
   f. Iris Recognition 25
   g. Retinal Scan 26
   h. Signature Recognition 27
   i. Voice Recognition 27
   j. DNA 28
   k. Soft Biometrics 28
   l. Other Biometrics 29
X. Device Fingerprinting 29
XI. Out-of-Band Authentication 30
XII. Major Issues 31
XIII. Key Learnings 35

Page 2 of 35

Working Paper: Improving Customer Authentication

In early 2013, the Retail Payments Risk Forum (RPRF) team identified authentication as a critical element in the security of payment systems. The team divided the payment authentication issue into three distinct phases: 1) authentication of the customer/device to access an account and the ability to perform transactions, 2) authentication of the transaction during processing, and 3) secure storage of the authentic transaction record after the transaction has been completed. While this paper focuses on the first phase of authentication, reviewing methods used to authenticate the user and the payment form factor, discussion of the authentication of the payment itself will take place from time to time as separating the two stages can be difficult for some payment forms.

The RPRF held a forum at the Federal Reserve Bank of Atlanta in July 2013 on the topic of improving customer authentication. A link to the event can be found here. Keynote speakers and discussion panels provided the audience of regulators, law enforcement, bankers, merchants, and transaction processors with a wide range of information and suggestions as to how to make the payment ecosystem safer. A summary of the forum’s proceedings can also be found on the website noted earlier.
Using the information provided at that forum as a foundation and supplementing with additional research, this paper incorporates the RPRF’s continuing efforts of research and discussions with payment security leaders on the topic of improving customer authentication. Since the payments environment is a dynamic one with new payment form factors (such as mobile phones) being introduced and new criminal attack vectors cropping up, our effort is in the form of a working paper with the expectation of providing updates as the payments ecosystem evolves and new customer authentication technologies and processes emerge and mature.

Background

It is important to define the term authentication and show how it is distinct from the word authorization. The two terms are sometimes interchanged because the two events often occur together, but such usage is incorrect as they are two distinct concepts. Authentication is a process used to verify the identity of the party, basically using different types of credentials to prove the person is who they claim to be. On the other hand, authorization is the association of that identity with certain rights and privileges. For example, a teller can use a driver’s license to verify the identity of the person standing at the teller’s window (authentication). Once the person is verified, the teller then has to ensure that the person is authorized to conduct the desired transaction on the affected account.

In the electronic transaction world, the authentication and authorization processes happen almost simultaneously. Once the teller has successfully entered a user ID and password, the teller is shown an online banking tool that has already been configured to provide a listing of accounts that the customer is authorized to use. This tool also indicates the types of transactions the customer is authorized to perform.

User authentication is a concept that is as old as humankind.
The first methods of authentication were generally based on the unique physical characteristics of the person, such as facial appearance or voice. This method worked well when there were small, isolated communities and everyone knew each other. As commerce expanded outside of these villages where business transactions had been conducted in face-to-face meetings by people who knew each other, the need for other authentication methods grew. Since the vast majority of the population were not literate, wax seals or other types of imprinting devices were often used along with a signature to help support authenticity, but the method wasn’t foolproof. One of the first written records of authentication fraud comes in the Old Testament. Queen Jezebel forged the signature of her husband, King Ahab, on a letter, which led to the king’s confiscating a vineyard.[1] In the days of the ancient Roman Empire, the position of a notary public was developed[2] to serve as a representative appointed by the government to authenticate people and witness the execution of certain legal documents.

In the late 19th century, Alphonse Bertillon, a French police officer, developed the Bertillon System, which used measurements of a number of a prisoner’s physical features (such as middle finger length, foot size, head length and width, eye color) along with a frontal and profile photograph to provide what was thought to be a unique set of identifiers to help police track suspects. While other aspects of Bertillon’s work in establishing principles for documenting crime scenes and victims are still used today, the body measurement system was found to be flawed in the early 1900s. Two inmates at Leavenworth Prison in Kentucky with similar names were found to have the same physical measurements—so they could not be distinguished from one another on the basis of the Bertillon System.
The failure of this system soon led to the development of another physical measurement system, or biometrics—that is, fingerprinting. Sir Francis Galton, a British anthropologist and a cousin of Charles Darwin, is generally credited with developing the scientific method of using fingerprint patterns for identification purposes, although fingerprint pattern recognition actually dates back to the 17th century in Europe.[3] Fingerprinting exists today as a primary means of authenticating an individual’s identity. The term has become generic, used to describe unique characteristics about electronic items such as magnetic-stripe cards, personal computers, tablets, and mobile phones that can be mapped.

[1] 1 Kings, Chapter 28, Verse 1, The Bible
[2] www.notarypublic.ie/history-of-the-office-of-notary-public/
[3] www.onin.com/fp/fphistory.html

For time-sensitive matters, other ways to provide reliable and speedy authentication have been developed, such as verbal passwords. A weakness of the simple mono-password system was that the password provider had no way to authenticate the password receiver. Such authentication was critical in warfare, when a soldier who approached an unknown person could not readily determine if that person were friend or foe. That failure led to the development of the challenge-and-response method, whereby one party would provide a challenge word or phrase and the other party would respond with a word or phrase. If either party used the incorrect phrase, it was assumed that person was hostile.

Authentication methods can be divided into three groups, also known as factors:
- Something you are (signature, voice, other biometrics)
- Something you know (password, challenge question/answer)
- Something you have (payment card, mobile phone)

With the advances in GPS, or global positioning system, technology and its integration into wireless devices, a fourth authentication factor, geolocation—someplace you are—has the potential to be added to the mix.
Two Faces of Authentication in Payments: The Parties and the Payment Transaction[4]

The authentication of the parties is a core element in any transaction from a variety of perspectives. The authentication of a participant in a transaction defines the party’s permission to act as well as the scope of permitted actions. Should a party be admitted who is falsely authenticated, the party who provided that admittance may be liable for the risk to downstream parties. As noted at the beginning of this paper, the authentication of the payment order itself is separate from the authentication of intermediating parties to a payment transaction. Methods such as hashing, seal encoding, or secure electronic signatures can be embedded in a payment order from issuance through every stage of intermediation. These methods can be used to prove that the payment order was properly authorized for a particular amount or date, and that it is payable to a specific beneficiary. This aspect of payment security will be studied in more detail in the next phase of our effort.

Checks

In the United States, payment law originated with bills of exchange, then checks were included under the Negotiable Instruments Law. Next came the Uniform Commercial Code (UCC). While the UCC defined various elements of a check that were necessary for it to be considered negotiable, the core authentication element was the signature on the check.

[4] Disclaimer: The contents of this section are provided for informational purposes only. They are not intended as and do not constitute legal advice and should not be acted on as such. The materials and links are also not the legal opinions of the Federal Reserve Bank of Atlanta or any of its attorneys, nor are the materials represented as being all-inclusive, correct, complete or up-to-date. No one should rely on any information in this section and we suggest that you should seek the advice of an attorney with respect to any legal issues relative to this matter.
As the UCC’s Articles 3 and 4 were developed, they laid the groundwork for a system in which each party to the transaction warranted the transaction from the previous party. This flow is illustrated in figure 1.

[Figure 1: Check Clearing Process Flow. Diagram of the account holder, merchant, merchant’s financial institution, clearing network, and account holder’s financial institution, with numbered flows 1 through 9; the forward flow is described in steps 1 to 5 below, the return flow in steps 6 to 9.]

1. Account holder conveys check to merchant in payment of goods and services. Merchant follows internal procedures to verify identity of presenter.
2. Merchant deposits check into business account at their financial institution (FI).
3. Merchant’s FI presents the check to the intermediate clearing network.
4. Clearing network transmits check to account holder’s FI.
5. Account holder’s FI applies the check against the account holder’s account.

Under this scheme, if something were wrong with the check in regard to its authenticity (if it’s been altered, counterfeited, forged, or improperly endorsed), there was recourse under the UCC within specified timeframes reversing the original flow all the way back through the process to the bank of first deposit (steps 6–8 in figure 1). Generally, under the customer agreement between the bank and the merchant, the bank would have the right to charge the merchant’s account for any items dishonored (step 9). The paying bank, nevertheless, is responsible if it pays a check not properly signed by the account holder and does not execute a timely return or send notice of dishonor (midnight deadline). In the case when a check is presented directly to the account holder’s (drawee) bank by the payee, it is the responsibility of the drawee bank to verify the authentication of the item.

Beginning in the 1970s with the bulk filing of checks—checks were no longer sorted in account order on a daily basis—the signature verification process became the exception.
Today, the maker’s signature on individual checks is rarely authenticated unless the check is for a high-dollar amount or there is some type of security alert on the account. To blunt this exposure on commercial accounts, financial institutions have introduced fee-based services such as “positive pay.” Under this service, account holders provide financial institutions with a list of the checks they have created, and the checks presented for payment are compared against that list. If an unlisted check is presented, it normally is returned after the financial institution has performed some level of due diligence to ensure that it is in fact an unauthorized item and not some type of error in the positive pay process.

The risk to the check’s payee is the inability to authenticate that the check was made by the account holder, as well as to ensure that there are sufficient collected funds in the account to pay the check. The payee can mitigate these risks by requiring additional identification credentials and by engaging with third parties that provide check guarantee programs. In these programs, the third party reimburses the merchant for any dishonored checks, subject to certain conditions, in exchange for a fee paid for each check accepted by the merchant.

ACH and Card-Not-Present Credit/Debit Cards

ACH liability for unauthorized transactions is differently aligned, as the originating depository financial institution (ODFI) is responsible for authenticating that the transaction was authorized by the account holder and, if there is a dispute, is held liable through recourse. Again, through an account holder agreement, the ODFI generally has the right to charge the originating account holder’s account for disputed or unauthorized ACH transactions. This recourse is vital to the financial institution since it is the originator who is required to hold proof of the account holder’s authorization to initiate the transaction.
It is similar for credit/debit card transactions made online, over the telephone, or through mail order—transactions commonly referred to as “card-not-present” (CNP). This type of transaction is generally “authorized” through the card networks as to the validity of the account number and sufficiency of available funds, but the liability for unauthorized transactions generally shifts back to the merchant. The reason for the shift is that there was not a guaranteed authentication directly between the merchant and the cardholder’s bank. While Regulation Z for credit cards and Regulation E for debit cards limit the cardholder’s liability for unauthorized transactions, it is the card brand’s network operating rules that govern the overall chargeback process. There are some exceptions to this scenario—for example, if the merchant uses a secondary authentication method acceptable to the issuer’s network (such as with an online PIN), then the issuer bears the liability for the unauthorized CNP transactions.

Card-Present Credit/Debit Cards and Wire Transfer

Unlike the check, CNP card, and ACH processes, credit/debit card transactions made in person and wire transfer transactions initiated directly by the authorized account holder are nonrevocable once executed from an authentication standpoint. As with CNP credit/debit cards, the customer’s liability is limited by regulation for unauthorized transactions. Generally for card-present transactions, the issuing bank is saddled with the financial loss for the unauthorized transaction. In cases when the cardholder acknowledges that he or she performed the credit card transaction but claims there is an issue with the quality of the goods or services received, the cardholder’s dispute falls under the guidance of the card brand’s network dispute process. For credit cards, this is controlled by Section 75 of the Consumer Credit Act of 1974.
For both credit and debit cards, the cardholder is required to attempt to resolve the dispute with the merchant before filing a dispute with the financial institution.

Wire transfers fall under the scope of Article 4A of the UCC and of the financial institution’s customer account agreement. Article 4A was instituted in 1989 to recognize the difference between paper and electronic transactions, since physical signatures and endorsements don’t exist in the electronic transaction world. Part 2 of the article deals specifically with the customer originating the payment order and the financial institution that receives the order and that will originate the processing of the payment transaction. Section 4A-202 (b) allocates the risk of loss from an unauthorized transfer to the sender and not to the sender’s bank if the following conditions are met:
1) there is a written agreement between the customer and the financial institution stating that the payment request will be verified using a defined security procedure,
2) the defined “security procedure is a commercially reasonable method of providing security against unauthorized payment orders,” and
3) the financial institution accepts the payment request in good faith and follows the defined security procedure.

If the financial institution can prove that it has all these elements in place, the customer must accept the loss of any unauthorized wire transfers. However, if the customer can show that the security procedure was not followed, not commercially reasonable, or breached outside the control of the customer, the financial institution must accept the loss. In many cases, disputes over liability for unauthorized wire transfers end up in litigation due to the large dollar amounts. There have been a wide range of results of such lawsuits since each situation is evaluated individually by the courts.
Multi-Layered versus Multi-Factor Authentication

These two terms are often incorrectly interchanged, but they are two separate security concepts. As its name implies, a multi-layered security application uses two or more elements of the same type of authentication factor layered together. For example, the entry of a password followed by the requirement to correctly answer a knowledge-based question (such as name of first pet, or mother’s maiden name) are two types of “things you know.”

Multi-factor authentication is the use of two or more separate authentication factor types. An example would be an ATM transaction that requires both a card (something you have) and a personal identification number (something you know) to complete a cash withdrawal. While any authentication scheme that uses more than one layer or factor increases the difficulty of compromising that scheme, it is generally thought that a multi-factor authentication scheme provides a more secure system than a multi-layered system because of the multiple but separate authentication categories required for successful authentication.

Enrollment Validation

A critical point in any authentication process is when the individual first enrolls as a user or customer. It is then that the individual is required to provide the necessary documentation to prove his or her identity. The number and types of documents needed to authenticate identity vary to a large degree according to the risk level of the program in which the person is enrolling. If it is some type of couponing or loyalty program, documentation requirements are generally minimal, if any. In the case of more sensitive programs, such as opening a bank account, the standard process would require multiple forms of documentation to comply with antiterrorism and anti-money laundering (AML) regulations.
To enroll in the Transportation Security Administration’s Pre✓™ flyer program, the documentation and overall enrollment process is quite extensive and includes fingerprinting and verification by the FBI that the applicant has not committed a serious crime.

For depository institutions and other covered entities, Section 326 of the U.S. Patriot Act requires the entity opening an account to have in place a customer identification plan (CIP). The purpose of the CIP is to enable the bank to form a reasonable belief that it knows the true identity of each customer within a reasonable period of time after the account is opened. The procedural elements of the CIP are developed individually by each entity based on its own risk model, although the act specifies minimum requirements. As noted above, the most common form of authenticating a person’s identity is through documents, and the most commonly accepted document is a government-issued form of identification that contains a photograph and provides evidence of the customer’s nationality or residence. Examples of such identification include driver’s licenses, state-issued ID cards, or passports. Since skilled criminals can alter or forge documents, banks are encouraged to use more than a single document and to examine documents closely to ensure that they are genuine. In addition to documentary credentials, nondocumentary methods may also be used. A nondocumentary verification can be accomplished by comparing information provided by the customer with information obtained from reliable, third-party sources, such as a consumer reporting agency, another financial institution, or a public database.

Authentication versus Verification Systems

An authentication system is a system that determines if the sample authentication element being presented is a match to the element that was captured when the individual was enrolled. This system is also referred to as 1:1 (one-to-one) matching.
These types of programs are the fastest and lowest-cost authentication systems. They are typically what customer authentication systems in banking and payments use. In contrast, a verification system has a large database of all the individuals who have been enrolled or whose data has been collected from other sources. This system, also known as a 1:many (one-to-many) system, tries to match the element being presented to the identification of an individual already in the system. For example, law enforcement may try to match a fingerprint taken from a crime scene to its database of fingerprints from individuals with a criminal record.

Person-to-Person Customer Authentication

Visual

As noted at the beginning of this paper, the simplest and fastest method of customer authentication is the visual recognition of the customer. Customers who are frequent visitors to the same banking office often enjoy this recognition and ease in transacting their business without having to show any additional identification. While this method of authentication can be compromised through disguises such as life masks or in the case of identical twins, such scenarios are generally better suited for spy movies than real-life payment authentication. Visual identification represents the fastest and lowest cost method of authentication but lacks documentation should there be a question of authentication after the event.

[Image: Wikipedia Commons, public domain]

Paper Documentation

Personnel who don’t have that level of familiarity with customers may resort to asking customers for official documentation, such as a driver’s license. In the banking environment, it might be possible for the bank employee to discreetly access the customer account’s signature image from the online terminal and visually make a comparison. While slower than visual authentication, the process is generally handled in a timely fashion if the customer has the required documentation.
Should documentation be required, the documentation sources, along with key elements of the documentation, are generally noted as evidence that such documentation was produced. Although identification documents can be altered or counterfeited or signatures can be forged, experienced banking personnel can normally spot such attempts, so the risk threat is generally considered to be low. The overall efficiency of this system results in minimal operational costs.

Verbal Challenge–Response–Countersign

Verbal challenges with password responses and acknowledgements, though rarely used today in public settings, are still used in military and closed social organizations as a way to identify other members. The normal sequence in a military setting is that the guard will speak the predetermined word as a “friend or foe” challenge. The other person then responds with the word or phrase. If the individual fails to provide the proper response, the challenger assumes that he or she is hostile and takes the appropriate action. If the individual provides the proper response, the sentry responds with an acknowledgement word as a countersign, indicating his or her own status as authorized. To be most effective and minimize compromise, the challenge-response-countersign responses should be changed frequently. This authentication method has been adopted by the information technology industry in various electronic ways to authenticate a user’s access to a network.

Electronic Customer Authentication

As electronic transactions continue to grow, with the expectation for speedy completion and the customer in a remote location, the process of customer authentication has grown more complex. A number of different customer authentication methods have been developed according to the channel being used and the risk level of the transaction attempted.
As these different authentication methods emerge, there is a need to balance the effort required to authenticate the customer with its impact on the customer’s overall payment experience. This is commonly referred to as the “level of friction” encountered by the customer. An authentication method that has a high level of friction can present negative consequences: alienating the customer and creating a feeling of dissatisfaction, slowing down throughput resulting in lower efficiency and a reduced service level, or causing the customer to abandon the purchase transaction altogether. In a worst-case scenario, the customer goes to another merchant who is viewed as providing a better experience.

Each of these electronic authentication methods is discussed in more detail below.

Passwords

The most common form of customer authentication is the sign-on password (something you know). Password authentication is the least expensive to implement and for the customer to manage, which is primarily why its use has become so common. In its simplest form, the password provides little customer friction, especially when the customer is allowed to select it. The most common exception is when the customer forgets the password and has to contact the financial institution to reset it. This is often done through an automated online or voice response system that uses challenge questions to authenticate the customer before the customer selects a new password. The necessity of supporting password resets can result in costly staffing efforts. Unfortunately, since it is the simplest form of electronic authentication, a password is usually the weakest model because, for many users, passwords can be guessed easily or illicitly obtained.
A 2013 study by UK-based password management application vendor SplashData[5] found that “123456” was the most common password, followed by “password.” A similar study of 1,800 adults found that approximately 25 percent used passwords that were easy to guess, such as birthdays or names. Moreover, more than half (55 percent) admitted that they used the same password for access to multiple websites.[6]

How do you reconcile such behavior with the consistent research findings that consumers view security and privacy as their primary concerns regarding online usage? Unfortunately, the reality is that while people aspire to protect their security and identity, when faced with a choice that requires additional effort or friction, they most often choose the easier, less secure way. This behavior can be seen in many other forms of human behavior—when someone says he or she wants better health but continues to smoke, or when someone wants to lose weight but continues to eat junk food, or when an individual wants to become more financially stable but doesn’t develop a financial plan with a savings component.

Continued education about password security is essential from financial institutions and any other companies that require a password to access their websites or applications. Security experts generally recommend the following password practices to provide more secure password management.
- Select a strong password that incorporates lower- and uppercase letters, numbers, and special characters and that has an absolute minimum of eight characters. Swap characters or numbers for letters, such as $ for the letter S or 1 for the letter L.
- Avoid using the same password for multiple sites by taking a base word and then appending it with some part of the website name. For example, using the base word $anter14, the password would be Tr@il$anter14 for a hiking trails website. Deliberately misspelling a base word also makes it more difficult to crack since password hackers often use a dictionary tool in automated password attacks.
- Change your passwords frequently, preferably quarterly but at least annually, on any website involving sensitive financial or personal information. Change it annually on nonsensitive websites. You can add the first three letters of the current month to the appended password. In the example above, assuming the month of April, the password could be AprTr@il$anter14 or Tr@il$anter14Apr.
- Don’t write your password down or give it to others. If you feel you must make a written note, write only a hint or a description of the password structure, and do it in a shorthand that only you can decipher.

[5] www.telegraph.co.uk/technology/news/10587694/Worst-password-of-2013-was-123456-according-to-newresearch.html
[6] Ofcom, UK Adults Taking Online Password Security Risks, April 23, 2013

While enforcing a requirement for strong passwords or password changes is often used to increase the difficulty of a criminal compromising an individual’s account authentication credentials, such a requirement has the potential negative impact of not allowing a legitimate user to access an application when he or she forgets the password. A recent study by the Ponemon Institute[7] revealed that 46 percent of U.S. respondents couldn’t complete a purchase or account transaction because of authentication problems, which caused them to view the company negatively.

Unless strong password practices are mandated—as is often the case in corporate environments, where such policies can easily be enforced—most industry observers believe that passwords represent a minimal level of security and can easily be compromised. Although they are easy to implement in applications, as noted earlier, there can be substantial support costs related to their management and reissuance to customers. More and more companies are looking to implement additional authentication methods for moderate- to high-value transactions to minimize risk.
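The password practices listed above can be enforced on the server side at enrollment or reset. The following is an added example (not code from the working paper or the Federal Reserve) that checks a candidate password against exactly the rules the paper states: eight-character minimum, all four character classes, rejection of the two most common passwords the paper cites, rejection of personal data such as a name or birth year, and the quarterly/annual rotation interval; the sample passwords and personal hints are the paper's own or are constructed for the test.

```python
"""Server-side check for the password practices described in the paper.

Added example, not part of the working paper. The composition rules and the
rotation intervals (quarterly for sensitive sites, annually otherwise) are
the paper's; the personal-data check covers the "birthdays or names" the
cited Ofcom study found people using.
"""
import datetime
import string

# The two most common passwords in the SplashData study cited in the paper.
COMMON_PASSWORDS = {"123456", "password"}
MIN_LENGTH = 8
ROTATION_MONTHS_SENSITIVE = 3   # "preferably quarterly" for financial/personal sites
ROTATION_MONTHS_OTHER = 12      # "annually on nonsensitive websites"


def violations(password, personal_hints=()):
    """Return the list of rules the password breaks; an empty list means accepted.

    personal_hints are strings the service already holds about the account
    holder (name, birth year, etc.) that the paper says are easy to guess.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    lowered = password.lower()
    for hint in personal_hints:
        # Ignore very short hints (initials) that would match almost anything.
        if len(hint) >= 3 and hint.lower() in lowered:
            problems.append("contains personal data (%s)" % hint)
    return problems


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later` (both datetime.date)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def rotation_due(last_changed, today, sensitive):
    """True when the paper's rotation interval for this kind of site has elapsed."""
    limit = ROTATION_MONTHS_SENSITIVE if sensitive else ROTATION_MONTHS_OTHER
    return months_between(last_changed, today) >= limit


if __name__ == "__main__":
    # The paper's own sample passwords and the two it cites as most common.
    for pw in ("Tr@il$anter14", "AprTr@il$anter14", "123456", "password"):
        print("%-20s %s" % (pw, violations(pw) or "accepted"))
    # Constructed account holder: name and birth year known to the service.
    print(violations("Alice1984!x", personal_hints=("Alice", "1984")))
    print(rotation_due(datetime.date(2015, 1, 15), datetime.date(2015, 4, 20), sensitive=True))
```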
[7] Moving Beyond Passwords: Consumer Attitudes on Online Authentication, Ponemon Institute, LLC, April 2013

Knowledge-Based Authentication (KBA)

Sometimes referred to as “challenge questions,” KBA is generally used as an additional authentication layer (something you know) when an ID or password is not sufficient or when a user has forgotten the password and has to have it retrieved or reset. There are two classifications of KBA: static and dynamic. A static KBA process requires the user, during the account setup sequence, to select from a predefined list of questions and to provide the answers (table 1). Some programs allow customers to select their own questions.

Table 1: Sample Static Knowledge-Based Authentication Questions
1. What is the name of the street on which you grew up?
2. What is the name of your favorite book?
3. What is the last name of the best man at your wedding?
4. What airline do you prefer to fly?
5. What was your first pet’s name?
6. What is the name of your favorite sports team?
7. What is your favorite color?

The program stores the selected questions and answers and uses them when necessary. The difficulty a fraudster faces in compromising a static KBA process depends on the difficulty of the questions. Given the high amount of personal data that is available through government records and social media, questions such as mother’s maiden name, pet’s name, city of birth, and so on provide minimal protection. Any criminal seeking to compromise the account credentials can often find such information easily and can then reset the account password and gain access to the account. For this reason, more static KBA processes are using questions whose answers are not so readily available through other data sources—for example, favorite childhood cartoon character or favorite high school subject.
Similar to the implementation of strong password practices, there is always the challenge of balancing the uniqueness of the question with the legitimate user’s ability to remember the answer initially provided. To address these weaknesses, some companies use a dynamic KBA, or “out-of-wallet” question-and-answer process. In this case, users must answer questions not known beforehand but ones to which the genuine user should be able to correctly respond. This information is generally obtained from the individual’s credit report or transaction history file with the company. Sample questions might include choosing from a list an address where you never resided, the approximate range of your current monthly car or house payment amount, or the date of your last bank account deposit. While a dynamic KBA is not foolproof, as the criminal might have obtained the victim’s credit report or account records to provide the answers, the method is considered to provide a higher level of security than a static KBA process. Static KBAs are fairly easy to implement and operate but, again, they require support in the event the user cannot get through this authentication filter. Dynamic KBAs provide a higher level of security, but they are more expensive because generating them requires live feeds to account or third-party databases. They also require a support system in case a customer fails the authentication.

Site Keys

A number of websites, especially those supporting financial services and transactions, have recently adopted site keys. The purpose of the site key is to provide an electronic variation of the challenge-response-countersign authentication method discussed earlier. In this case, the user enters his or her user ID and, before the user enters the password, the website returns a page that displays a graphic image that the user has preselected.
Identifying this image demonstrates to the customer that he or she is interacting with the legitimate website, not a counterfeit. Once the user has seen the site key, the user is prompted to enter the password to complete the authentication sequence. The use of site keys has gained more popularity in recent years due to the increased number of spoofed websites where the victim is tricked into making an inappropriate yet security-relevant decision, such as revealing online banking sign-on credentials or payment card numbers. Site keys can enhance existing logon systems and create little user friction other than asking users to verify the image as correct before continuing to log on.

Security Tokens

These tokens are referred to by a variety of names: hardware tokens, authentication tokens, USB tokens, cryptographic tokens, one-time-password (OTP) tokens, and more. Security tokens are used as part of a multi-factor authentication environment. The physical token provides the something-you-have security factor, combined with something you know in the form of a password or ID. The use of a security token that incorporates one-time passwords prevents replay attacks if an intruder has monitored previous sessions and obtained the log-in credentials, since the password changes for each subsequent log-in and the previous data will not work.

[Image: security token. Source: Cryptocard – Used with permission]

The tokens can generally be classified as either disconnected or connected tokens. With a connected token, the user inserts the token into some port on the device and attempts to log in to the network. The user must then enter the token’s password. The token checks the entered password against the password that was encrypted and stored in the token at enrollment. If there is a match, the token passes the appropriate credentials to the network and gives the user access. A disconnected token can be in many different form factors, including key fobs and cards.
In general, the token device has been time synchronized with the host computer to generate a distinct code at a specified interval (usually every minute or less). The user must enter that code, along with regular sign-on credentials, to get access to the network. If a token is lost or stolen, the multi-factor aspect of its operation prevents any major risk issue since it is presumed the thief does not have the token’s password. Most token management systems disable a token after a small number of incorrect attempts to prevent a brute-force password attack or to keep the thief from guessing the password by trying frequently used password structures. The tokens are durable and cannot be reverse engineered, so they are physically secure. USB security tokens have the advantage of not requiring a battery since they are powered by the device they are plugged into, while a disconnected token does require a battery that generally has a life of approximately 10 years. While security tokens are relatively inexpensive, they do require a token management system with the appropriate level of controls and administration. Some banks outside the United States are piloting disconnected tokens to handle online banking validation or to combat mobile commerce fraud when there is no merchant terminal or card interaction to validate the presence or authenticity of a payment card. As with other authentication methods that this paper discusses, the “password” tokens require additional steps for the customer before access is granted and require the customer to maintain possession of this separate device. Although they provide a high level of security in a two-factor configuration, the cost and management of the tokens have discouraged many banks and businesses from pursuing this method.
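The time-synchronized code generation, replay resistance, and attempt lockout described above, as an added example that is not from the paper or from any token vendor: a server-side verifier for a disconnected token, assuming the token implements the RFC 6238 TOTP algorithm (the paper names no algorithm), a one-step window for clock drift, and a lockout after five wrong codes (the attempt limit is an assumed policy value).

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 reference test key (ASCII "12345678901234567890").
# A real token's seed is provisioned at enrollment and never embedded in code.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30      # the token shows a new code every 30 seconds
DIGITS = 6             # length of the displayed code
MAX_FAILURES = 5       # disable the token after this many wrong codes (assumed policy value)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit moving counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Server-side check of a time-synchronized, disconnected token.

    Accepts codes within +/- `window` steps to tolerate clock drift between token
    and host, rejects any code for a time step already redeemed (a replay of a
    monitored session), and locks the token after `max_failures` consecutive
    wrong codes, matching the lockout behaviour the paper describes.
    """

    def __init__(self, secret: bytes, window: int = 1, max_failures: int = MAX_FAILURES):
        self.secret = secret
        self.window = window
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.last_counter = -1   # highest time step already redeemed

    def verify(self, code: str, unix_time: int) -> bool:
        if self.locked:
            return False
        if not (len(code) == DIGITS and code.isdigit()):
            return self._fail()
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                           # already used: treat as replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                self.failures = 0
                return True
        return self._fail()

    def _fail(self) -> bool:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True                     # an administrator must re-enable the token
        return False


if __name__ == "__main__":
    verifier = TokenVerifier(SECRET)
    code = totp(SECRET, 59)                        # what the fob would display at t=59
    print(code, verifier.verify(code, 59))          # 287082 True
    print(verifier.verify(code, 59))                # False: the same code replayed
```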
Online PIN/3-D Secure

Payment studies have consistently shown that the use of a PIN with a debit card transaction results in a substantially lower rate of fraudulent transactions than do signature debit card transactions. The 2013 triennial payments study conducted by the Federal Reserve found that signature debit transaction fraud was almost four times higher than PIN debit fraud.[8] With electronic commerce and its environment of CNP, the payments industry has been searching for ways to improve authentication and reduce fraud. As the United States migrates to EMV chip cards, there is the expectation, based on the results of other countries that have migrated to EMV, that counterfeit card fraud will largely shift to CNP transactions. Primary solutions are generically referred to as online PIN and 3-D Secure.

Randomized online PIN: A solution developed by one vendor, Acculynk, has the customer enter the debit card PIN on the merchant’s shopping checkout screen, which randomizes the placement of the numeric keys to defeat keylogging and other malware programs. The merchant controls whether the PIN entry is required based on its risk management program.

3-D Secure: The name comes from the goal of securing electronic commerce transactions among the three stakeholder domains: cardholder, merchant, and the cardholder’s financial institution. MasterCard operates the product under the name SecureCode; Visa, under Verified by Visa; and American Express, under SafeKey. When first introduced in 2010, the product met with poor acceptance by merchants and consumers for a variety of reasons outside of pricing. The method directed the customer to another website for all transactions, which ran counter to general internet security warnings that consumers should be leery of pop-up windows or web page redirects.

[8] https://www.frbservices.org/files/communications/pdf/research/2013_payments_study_summary.pdf, page 35
Additionally, all online transactions for that merchant had to be handled through the service. Since the service was restructured in 2014, there has been an expectation of greater merchant acceptance. The feature is more seamlessly integrated into the merchant’s checkout process. The merchant decides whether or not to require the feature’s use on a particular transaction based on the merchant’s own risk management program, considering the customer and purchase transaction parameters.

Biometrics

Biometric authentication uses one or more of a person’s physical attributes to validate the person’s identity. The controlled and validated enrollment of the individual and that individual’s biometrics is absolutely essential. This enrollment is normally conducted in a secure, controlled manner to guard against introducing an imposter into the program.

Positive versus Negative Identification

Biometric identification systems can be divided into two types: positive identification and negative identification. The positive identification system verifies that the biometrics are from an individual known to the system, preventing multiple users of a single identity. An example of this positive identification system would be a biometric fingerprint system used to control access to a laboratory—an individual requesting access swipes or inserts a card with a fingerprint template, and then places his or her finger on the reader. The system then retrieves the fingerprint template created at enrollment and compares it to the fingerprint template generated from the “live” fingerprint reader. If they match within specified tolerances, the door unlocks, granting the individual access. Such a design uses multi-factor authentication by combining what you have (card) with what you are (fingerprint).
To further increase the security level, such a system could add a step—for example, after swiping his or her card, the individual could be required to enter a personal identification number (something you know). The fingerprint template captured at enrollment may be stored in a central database or may reside as a mathematical value on the card. In the central database configuration, the reader must have a connection to the database to match the “live” fingerprint template with the one in the database. But if the enrolled fingerprint template value is stored on the card, there is no need for online access. In this case, there would have to be data storage capability within the reader device to record the entry attempts. Financial institutions use positive identification systems for authenticating users conducting banking transactions. A negative identification system is intended to prevent an individual from creating multiple identities by ensuring that the person’s biometrics don’t match an identity already enrolled in the system. A voter registration program using biometrics is an example of a negative identification system. In such a program, the individual provides the biometrics, like a fingerprint. The system reads the fingerprint and generates a template whose value is matched against all other identities already registered in the system. If no match is found, the enrollment proceeds. If a match is found, the individual is already registered and so the enrollment is canceled. A positive identification system does not require the use of biometrics since other forms of identification can be used to establish the person’s identity, while a negative identification system does require submittal of the biometrics because no alternative methods exist for verifying a claim of no known identity.

Biometric System Elements

In addition to the classification discussed above, there are other elements that can be used to classify and distinguish biometric systems.
These elements include:

Overt versus covert: With an overt system, users are fully aware that their biometric data are being collected and used. Conversely, with a covert system, the user is unaware that their biometric data are being collected.

Public versus private: Private systems include only a limited group of affiliated individuals (that is, employees), while public systems incorporate customers or other members of the general public.

Template versus image: A biometric system providing greater user privacy is one that collects the biometric data and then processes it through a mathematical algorithm to produce a template or mathematical value. If the image of the human sample—such as a fingerprint—is retained, it would be possible to reproduce that image and subsequently associate it with a specific individual.

Open versus closed: A closed system is one in which the biometric data will not be shared with any other party. A facial recognition system used only in the employee’s building to control physical access is an example of a closed system. On the other hand, if the data are shared with other parties, it is considered an open system. An example would be a fingerprint captured as part of an application for a governmental background check that might be shared with other governmental or law enforcement agencies.

Optional versus mandatory: If the user is required to participate in a biometric authentication program and refusal to do so results in some sort of punitive action, it is considered mandatory. Employees of a company with restricted-access facilities will be required to provide some biometric sample to be able to work in that facility. Optional programs allow individuals to decline participation, although normally some other form of identification will be required.
Standard versus noncontrolled environment: A standard environment is generally one that is indoors, where such environmental factors as temperature, humidity, and lighting can be controlled to optimize the performance of the biometric data capture device. An exterior or variable public environment is subjected to a much wider range of those environmental elements, which may affect accuracy and device hardening costs.

Fixed versus indefinite duration: This element refers to whether the biometric data captured at enrollment will be deleted or destroyed after a certain amount of time or in response to an event—for example, at termination of employment—or whether it will be retained for an indefinite period.

Frequent versus infrequent usage: This characteristic is based on the frequency with which the user will be interacting with the system. Biometric systems that have infrequent usage may require a simpler user interface since learning how to use the system will not be reinforced with repetitive usage in a short period of time.

Supervised versus nonsupervised: While the enrollment process is almost always supervised with some level of human involvement and oversight, the actual use of the system may not require such involvement (nonsupervised).

User versus institutional data ownership: A system may be operated whereby the user maintains control and ownership of the biometric data used in the system—for example, the user has ownership of the access card containing his or her biometric template, with no central site storage—or the institution retains ownership. Very few systems are under user ownership, although legal rights governing how the data can be used can be provided through a separate agreement.

Biometric System Accuracy

It is important to note a key difference between biometrics and other electronic authentication methods such as passwords and KBA.
With the last two, if there is not a 100 percent match between the authentication data on file and the data entered by the user attempting to gain access, the request is automatically rejected. While it may be the legitimate user trying to gain access—say the user forgot the password—the system rules prevent access until the user’s identity can be authenticated through some other means. On the other hand, the nature of biometrics is such that there is rarely a 100 percent match between the stored template value and the live template value because of differences in lighting conditions, for example, or the angle at which the biometric measurement is made, or differences between readers. The manager of each application has to determine the “score” or accuracy level that is acceptable for both false positives (whereby a party who is incorrectly matched is authorized) and false negatives (whereby the authentic party is denied access). Naturally, the false-positive response poses the greater threat; false negatives generally just involve some level of inconvenience until the individual can be authenticated and provided access.

Biometric System Characteristics

So how do you measure which biometric system is the best one for your application? The ideal biometric system can be determined by measuring more than six key characteristics, listed in table 2.
Table 2: Biometric Method Characteristics

Characteristic | Description | Quantitative Measurement
Robustness | Lack of change over time | Submitted sample does not match the enrolled template (false non-match)
Distinctiveness | Large variation over the population | Submitted sample matches the enrolled template of another individual (false match)
Accessibility | Ease in taking measurements | Number of individuals who can be enrolled in a given time period (throughput)
Availability | Entire population should be measurable | Number of individuals who cannot be enrolled due to an inability to supply a readable measurement (failure to capture/enroll)
Acceptability | Population does not object to having the measurements taken | Attitudinal research
Financial | Cost of implementing and operating | Acquisition, implementation, and operating costs

One other distinction among types of biometric measurements is whether they are physical or behavioral. Keystroke dynamics, gait analysis, gesture dynamics, and handwriting are all classified as behavioral biometrics. With the exception of handwriting, the others are relatively new measurement systems and have not been proven to be as accurate as physical biometric systems.

Biometric Methods

The primary biometric methods covered in this working paper are fingerprint, hand/finger/palm geometry, facial recognition, iris recognition, retina scan, voice, and signature recognition. We also discuss DNA and other behavioral biometric methods. These technologies are discussed in more detail below.

Fingerprints – Fingerprints are truly unique among individuals, including identical twins, and remain constant throughout life. For this reason they serve as a nonrepudiated form of identification and represent the most widespread use of biometrics, especially in criminal justice applications.
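The score threshold an application manager must set (Biometric System Accuracy, above) and the false match and false non-match measurements of table 2 can be worked through on a matcher's genuine and impostor comparison scores. The following is an added example, not from the paper, using constructed scores on an assumed 0 to 100 similarity scale; it also shows how a per-attempt false match rate compounds over the number of tries a lockout allows.

```python
# Constructed matcher similarity scores on an assumed 0-100 scale (not real data).
# genuine  = live sample compared with the same person's enrolled template
# impostor = live sample compared with another person's enrolled template
GENUINE_SCORES = [92, 88, 85, 79, 76, 74, 71, 68, 63, 58]
IMPOSTOR_SCORES = [55, 49, 47, 44, 41, 38, 35, 31, 27, 22]


def false_match_rate(impostor_scores, threshold):
    """Table 2 'false match': share of impostor comparisons accepted at this threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def false_non_match_rate(genuine_scores, threshold):
    """Table 2 'false non-match': share of genuine comparisons rejected at this threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """(threshold, FMR, FNMR) for each candidate: the trade-off the manager chooses from.
    Raising the threshold lowers the FMR (the greater threat) at the cost of a higher FNMR."""
    return [(t, false_match_rate(impostor_scores, t), false_non_match_rate(genuine_scores, t))
            for t in thresholds]


def choose_threshold(genuine_scores, impostor_scores, max_fmr):
    """Lowest threshold (0-100) that keeps the FMR at or below max_fmr.
    Any lower threshold admits more impostors; any higher one only adds false non-matches."""
    for t in range(0, 101):
        if false_match_rate(impostor_scores, t) <= max_fmr:
            return t
    return 100


def false_match_within(fmr, attempts):
    """Probability an impostor is accepted at least once in `attempts` tries at a given
    per-attempt FMR, which is why systems cap attempts before locking out."""
    return 1.0 - (1.0 - fmr) ** attempts


def verify(live_score, threshold):
    """1:1 positive-identification decision: accept only at or above the tolerance."""
    return live_score >= threshold


if __name__ == "__main__":
    for t, fmr, fnmr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [40, 50, 56, 60, 70]):
        print(f"threshold={t:3d}  FMR={fmr:.2f}  FNMR={fnmr:.2f}")
    t = choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, max_fmr=0.0)
    print("lowest threshold with zero observed false matches:", t)   # 56
    print("impostor accepted within 5 tries at FMR 0.1:", false_match_within(0.1, 5))  # 0.40951
```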
The FBI claims to have the world’s largest database of fingerprints in its Next Generation Identification (NGI) system, launched in September 2014,[9] with more than one hundred million records of finger and palm prints. NGI replaced the FBI’s Integrated Automated Fingerprint ID System (IAFIS), which was fully deployed in 1999. The system has also begun adding iris recognition and mug shots to its database.

[Image: fingerprint. Source: FBI – Public Domain]

As with other biometric methods, the enrollment process is critical for fingerprint readers encased in devices such as laptops and mobile phones. The process is more of a challenge for these devices as the application provider must often deal with a customer who is remote, so the provider has to employ other authentication methods to first validate the identity of the person and then verify authority to access the designated account. The mildly invasive process involves the optical or electrical capacitance capture of the pattern of ridges and valleys (furrows) on the fingertips, as well as points where a ridge divides or ends (minutiae points), by placing fingers on the reader. After capture, a template of the fingerprint is created using mathematical formulas. While an optical image of the fingerprint may be captured, most systems discard the original image for security and privacy reasons and maintain only the digitized fingerprint template, which is further secured through cryptography. It is critical to initially achieve a high-quality capture of the fingerprints to provide more accurate comparisons on subsequent authentication efforts. Studies have shown that obtaining high-quality fingerprints from certain sections of the population, such as the elderly and manual laborers, can be difficult due to poor fingerprint characteristics. To address that problem, several vendors[10] have recently introduced or announced plans to introduce an ultrasound fingerprint reader that creates a 3-D image and then generates a template of that image.
One vendor claims a false-positive rate of 1:10 million. Currently available only on external readers, the technology is planned by the vendors for integration into various mobile phone models in 2015. The 3-D image is reputed to produce a more detailed template as it penetrates the outer layer of the skin, which is what is captured by a two-dimensional capacitive reader on some current mobile phones. While technology advancements continue to provide higher-resolution and higher-quality readers at lower costs, a high-performance commercial system is moderately expensive to acquire and maintain. While rugged, portable readers have been produced, the ideal setup is in a clean, climate-controlled environment.

[9] http://www.fbi.gov/news/pressrel/press-releases/fbi-announces-full-operational-capability-of-the-nextgeneration-identification-system
[10] http://www.cnet.com/news/qualcomm-snapdragon-sense-id-3d-fingerprint-scanner-hands-on/

It should be noted that while the Apple iPhone 5s and Samsung Galaxy S5 smartphones introduced fingerprint readers to their users in 2013–14 as an alternative to a password to unlock the handset, the resolution of the reader is not comparable to a commercial system’s in terms of reliability or accuracy. Apple has stated that the odds of someone else’s fingerprint receiving a “match” (false positive) are 1:50,000.[11] Since the phone allows only five unsuccessful attempts before requiring entry of a four-digit passcode (which has a 1:10,000 probability of being guessed), this level of resolution is probably sufficient for simply unlocking the phone. However, with the introduction of the iPhone 6 and its Apple Pay mobile payment capability, whereby the phone uses the fingerprint reader to verify that the phone owner is performing the transaction (with the passcode as a backup), care must be taken to understand the risk level of granting the wrong person access to the application on the phone.
This will become more critical as third-party developers are allowed to create applications that use the fingerprint reader as the sole authentication method. Fingerprint readers on ATMs have failed to gain any traction in the United States but have been successfully implemented in Brazil, where approximately one-third of the ATMs in the country have been retrofitted with fingerprint or palm print readers. Depending on the bank, a customer may not even have to insert a card; the fingerprint is used to access the customer’s authorized accounts. Other banks use the fingerprint template verification in place of the PIN, but the customer still inserts the payment card.

Hand/Finger/Palm Geometry – After fingerprinting and handwriting, hand geometry represents the longest-operating biometric system; the first commercial application was introduced in 1981. The 1996 Olympic Games held in Atlanta, Georgia, used a hand geometry application to provide access control to the Olympic Village for the athletes and other authorized personnel. Hand/palm geometry applications use features such as finger length, finger width, finger thickness, finger area, and palm width to identify a person. The system is considered only mildly invasive. Since the palm represents a larger area than a finger, it offers the ability to capture more distinctive features than fingerprints. Since finger geometry is not unique, this biometric must be used with another form of authentication in large user populations to properly authenticate an individual. For this reason, developers began to incorporate palm prints into the overall hand geometry system since palms have many of the same pattern determination elements that fingerprints provide.

[Image: hand geometry. Source: FBI – Public Domain]
While procedures may vary depending on the specific application, in the enrollment process individuals are instructed to place their hands on the reader several times so multiple images can be captured and then averaged to form the enrollment template. Usually the enrollment process can be completed in less than 10 seconds. To authenticate users, the users place their hand on the reader. The image is captured and converted to a template, which is compared against the template developed during the enrollment process. The authentication decision can be made within a couple of seconds. Some major advantages of hand geometry systems are that they work well in harsh or dirty environments such as industrial sites, they can capture both finger and palm prints in one scan, and the hand template generates a modest-sized digital data set. Since the process does require more expensive, larger reader devices, the system is generally best suited for access control. However, costs have been coming down, and a number of banks in India and Brazil have incorporated the readers into their ATMs. Some banking institutions in the United States are piloting hand/palm geometry readers in their safe deposit box access applications. Like other biometric systems, the enrollment process is critical to ensure the individual being enrolled is authenticated and authorized.

[11] www.support.apple.com/kb/ht5949

Vein Recognition – An emerging biometric, first developed in 2005, obtains an image of the vein patterns in the finger or back of the hand, which are unique to every individual. The image is captured when the individual places the finger(s) or back of the hand above a device containing a near infrared light and a monochrome charge-coupled device (CCD) camera. The hemoglobin in the veins absorbs the near infrared light and creates a pattern of lines that does not change as the individual ages.
The camera captures this image, which is then mathematically converted into a template. These patterns are almost impossible to counterfeit since they are located below the skin’s surface and are present only in people who are living. As with fingerprint and hand/palm geometry systems, this system is considered to be minimally invasive, and it doesn’t require the placement of the hand on the device itself. While this type of biometric system represents only about 5 percent of the overall biometric solution market, it is one of the fastest growing. More than 85 percent of the ATMs in Japan use vein recognition as the primary means for authenticating the cardholder.

Facial Recognition – Facial recognition is one of the most flexible and discreet authentication methods in operation, as it is often used when the person is unaware of being scanned. It represents a technology solution to humanity’s first authentication system. Facial recognition systems work by systematically analyzing some of the 80 specific features that are common to the face, known as nodal points—for example, the distance between the eyes, width of the nose, position of cheekbones, depth of the eye sockets, jaw line, and chin. These numerical quantities are then converted into a binary code template, known as a faceprint, which uniquely identifies each person. Facial recognition applications can be divided into two categories: random scene and controlled scene. In a controlled-scene environment, the individual’s facial image is captured in an environment where there is controlled lighting and minimal visual complexity in the background, and the individual may have a marked location on which to stand and face the camera for the image to be captured. These applications are clearly overt and generally located in company or government facilities for access control purposes.
Random scene applications are used in public locations such as airports, mass transportation centers, and other gathering locations to aid in the spotting of criminals or other individuals of interest. As expected, a random scene application faces a number of challenges due to varied lighting, viewing angles, background complexity, and distance of the subject from the camera. The technology was first used in the 1960s in a highly manual process whereby the operator had to locate and designate key facial features such as the eyes and nose before the system began to take automated measurements. Beginning in 2000–01, facial recognition systems received a lot of attention, with the hope that they would provide a means of identifying terrorists or criminals in public gathering locations. The city of Virginia Beach, Virginia, placed cameras along its beach boardwalk hoping to identify criminals and runaway children. For the 2001 Super Bowl, Tampa, Florida, used the system to try to identify known criminals around the Super Bowl venue. After the Super Bowl, the cameras were redeployed in the Ybor City entertainment district. Following the 9/11 terrorist attacks, the technology gained even greater attention. Boston’s Logan Airport, the airport used by a number of the 9/11 terrorists to board their airplanes, also tested the system. During this period, facial recognition technology used systems that attempted to match a two-dimensional (2-D) face with a 2-D image in the database. The systems had poor overall performance as the facial image capture was performed in a random scene environment, so the facial image had different lighting, distances, and angles to the camera. In the case of Boston’s three-month pilot program, the system recognized the volunteer targets listed in the database as terrorists only 61 percent of the time,[12] so it was scrubbed.
The Tampa police department discontinued the Ybor City system in August 2003, citing the ineffectiveness of the system. The Virginia Beach facial recognition system was discontinued in 2005. Police Chief Jake Jacocks Jr. said, "Technologically, it is not advanced enough to be effectively used as we had attempted. It is very effective in casinos, airports, correctional institutions, and other controlled environments."[13] The introduction of 3-D camera technology and other technological advancements since 2006 has improved the performance of the system, although it does not function at the speed or accuracy often depicted on criminal shows on television. As with all biometric systems, the speed of validating a user in a 1:1 setting is much faster than in a one-to-many setting, where a large database population has to be checked to determine if there is a match. The authentication of an individual using facial recognition is a six-step process.

1. Detection—the subject’s live image is captured and separated from the crowd.
2. Alignment—the position, size, and camera angle of the face are determined.
3. Measurement—the various facial nodal points are measured.
4. Representation—a template is created through a mathematical algorithm.
5. Matching—the template is checked against other templates in the database.
6. Verification/Identification—a decision is made as to whether there is a match to another template already in the database.

The newer facial recognition systems have been deployed at casinos, border crossings, and mass transportation locations to help spot known criminals or terrorists. Accuracy results can be impacted by people attempting to disguise their faces with hats, glasses, different hairstyles, and facial hair, all of which make the measurement process more difficult and can lead to a lower confidence level of the resulting facial templates. The unique advantage of a facial recognition system is its ability to be used in a large group setting.
Another potential advantage, although it may lead to lower authentication matches, is the ability to create the template database from existing 2-D photographs rather than through a 3-D camera system. Since most mobile phones are equipped with cameras, there have been some initial efforts to use facial recognition as an additional authentication factor for banking application sign-on, and this biometric method is expected to grow. In January 2015, the financial services company USAA[14] announced that it was supporting facial recognition (along with voice recognition) as an optional online banking sign-on method for its members.

Facial Thermogram – A thermogram is a display that shows the amount of infrared energy that is emitted, transmitted, and reflected from an object. The varying levels are converted into a temperature and displayed as an image. Thermograms have been used in the construction industry for some time to locate areas in a structure where there are dramatic temperature variations, indicating improper insulation or poor quality construction leaving gaps in heated spaces. Fire departments use thermographic cameras to help detect abnormal temperatures inside closed walls that would indicate flames or embers from a fire that is not directly visible. Due to its noninvasive nature, the technology is also being tested in medical research to determine if it could provide an early indication of certain diseases. In the mid-1990s, scientist Francine Prokoski proved that facial thermograms are unique to individuals. The different heat patterns in the human face are created by the blood vessels branching throughout the facial skin. The technology uses a high-resolution infrared camera to capture the thermograph.

[12] 'Face testing' at Logan is found lacking. Boston Globe, July 17, 2002.
[13] http://hamptonroads.com/node/317161
While significantly more expensive than a digital camera used in facial recognition systems, the results can be more accurate in places where there are varying lighting and other environmental factors. Like regular facial recognition, people can disguise or alter some of the reading with glasses and facial hair, but these efforts can often be mitigated by “removing” the obstructions with mathematical formulas. Due to the type of camera required and its related expense, facial thermograms are not suitable for consumer authentication applications at this time.

Iris Recognition – An image of the iris (the visible ring around the eye’s pupil) also provides unique biometric data elements that are very difficult to duplicate and that do not change after the age of 10 months. A number of advances have been made in iris recognition systems over the last decade, and it is becoming a widely deployed system, especially by the military and prison systems. While the initial iris capture can be difficult to make for children or the infirm, devices have been improved to lessen the capture time as well as measure both eyes at the same time, and they require the subject to blink to prove they are alive. While the term iris “scan” is sometimes used, this is a misnomer since there is no scanning of the eye. The system is considered noninvasive since it does not involve any contact with the measurement device that is taking a video of the iris. From the video, captured under an integrated light source in the near infrared wavelength band, a series of frames are obtained to define the up-to-240 measurement points from which the calculations will be made to create the template. The matching process is considered one of the fastest of any of the biometric systems because of the small size (512 bytes) of the template.

[14] https://communities.usaa.com/t5/Press-Releases/USAA-Rolling-Out-Biometric-Logon-to-Accounts-in-Q1/bap/55785
Furthermore, it can provide a decision in less than two seconds. The subject is generally required to be within 10 inches of the video camera. Eyeglasses do not affect the quality of the read. Studies have shown the system has a false acceptance rate of 1:1.2 million.[15] While used today primarily in military and private companies for access control, the technology is expanding into health care and national identification programs in other parts of the world. The challenge in using mobile phones to perform the iris recognition capture is that none of the phones on the market today have the required near infrared light source, although vendors indicated they expect mobile manufacturers to start incorporating them in the near future.

Retinal Scan – Like fingerprints, there is no known way to replicate a retina, as the pattern of the blood vessels at the back of the eye is unique and constant for a lifetime. The concept of using the retina as a means of identification was first described in a Time Magazine article in 1935,[16] but the first commercial scanner was not developed until 1975 and systems did not begin operating until the 1980s. Despite being frequently shown in high-tech movies and TV shows, retinal scan systems have not achieved widespread use because of system costs, high false-reject rates, and user vision health concerns. The method has found usage as an access-control application for highly secure military and government facilities, where enrollment is mandated. The system is considered moderately invasive since the enrollment and access read require an individual to place the eye on an eyepiece that projects a low-power infrared beam of light to the retina located at the back of the eyeball. The light beam does a complete 360-degree scan of the retina and captures up to 400 measurements. It requires about 10–15 seconds of careful concentration to achieve the necessary high-quality scan.
It is not uncommon for the person enrolling or seeking verification to have to undergo multiple efforts to capture an acceptable image. After a successful capture, the image is reduced to about 200 reference points and the resulting template is 96 bytes—one of the smallest template memory footprints among all the biometric systems. Successful retinal scans are regarded as highly accurate, although the quality of a read can be affected by someone having cataracts, glaucoma, or severe astigmatism. While delivering highly accurate authentication rates, the technology is not suitable at this time for payment applications because of its cost and consumer health concerns about its high level of invasiveness.

Signature Recognition – A person’s signature is another example of biometric data that is easy to gather and not physically intrusive. Signature recognition is essentially a subset of handwriting analysis and considered a behavioral biometric in that signatures can be modified by the user over time. To enroll a signature, after a person’s identity has been verified through the use of other authentication methods, the person is asked to execute the signature on a special signature pad or tablet a number (5–6) of times. The electronics in the device measure the amounts of pressure, acceleration, speed, rhythm, and movements of the device used to create a signature template. These measurements are converted into a template and stored to verify future signatures. Some signature biometric systems can continually update the template since it is normal for a person’s signature to have slight variations each time it is executed.

[15] http://irisid.com/howitcompares
[16] http://content.time.com/time/magazine/article/0,9171,755453,00.html
Signature recognition systems have not been widely deployed due to a number of disadvantages, the most significant being the variation that occurs in a person’s signature—especially when compared to the physical biometrics that are unique and fixed. Signature recognition systems require specialized, moderately expensive devices to capture the signature, create the template, and transmit it to the database. These devices are generally not integrated into the devices used by the consumer, although there have been some signature recognition applications developed for use on touchscreen laptops, tablets, and smartphones.

Voice Recognition: Like facial recognition, a voice recognition system provides a way to overtly or covertly authenticate the identity of an individual. While sometimes the terms are incorrectly used interchangeably, a speech recognition system is one that recognizes spoken words and converts them into digital data for executing programmed instructions. Voice response units (VRUs) were the most common form of speech recognition hardware for consumers; the customer speaks a number or a keyword instead of pressing the number on the phone’s keypad. Apple’s Siri application is another form of speech recognition software, and voice-to-text applications are now common on laptops and smartphones. The technology for speech recognition systems has improved greatly over the last several years and reached acceptable levels for information applications. Voice recognition systems operate like other biometric systems. The individual’s identity is enrolled and authenticated when the person speaks scripted phrases, numbers, or free text. The resulting audio file is used to create a voice template, or “voiceprint.” The template is then digitized and stored in a database. When the individual tries to access the system the next time, the voiceprint of the current connection is compared to the template on file.
There remain concerns about the accuracy rate of this biometric outside of controlled audio environments since there are a number of ways to disguise or alter one’s real voice with software or hardware technology. The accuracy can also be affected by the quality of the connection—background noise, a poor telephone carrier connection, or a low-quality microphone can alter the voice. The threat of a criminal using a recorded voice of the actual individual can easily be thwarted by requiring the individual to speak a random phrase. Due to the accuracy limitations, voice recognition systems are often coupled with other authentication methods. In the case of mobile phones, this could be the phone’s device information as well as geolocation data. In the case of land lines, subscriber information can be used to determine if the number being used could reasonably be tied to the legitimate account holder. As mentioned earlier, USAA announced in January 2015 that it was supporting voice recognition as a way for members to access their mobile banking application. Call centers at banks and other financial services companies have used voice recognition systems, usually covertly, to help authenticate customers.

DNA – DNA, or deoxyribonucleic acid, is the hereditary material of life. Nearly every cell in a person's body has the same DNA. Every human’s DNA is unique, except for identical twins. Advances in DNA research have made it the definitive element for authenticating an individual’s identity and heritage. Since DNA is present in all cells of the human body, the ability to match a sample to a verified enrollment is intrinsically digital and foolproof. Obtaining a sample can be as minimally invasive as a mouth swab. One of the primary drawbacks to DNA matching for online authentication is the normal timeframe of 60–72 hours to obtain high-confidence matching.
Primarily driven by the FBI’s efforts, a rapid-DNA initiative has been under way to develop equipment to produce DNA results with high levels of confidence and provide initial results within 90–120 minutes. While this timeframe is still not sufficient for real-time payment environments, it works well for law enforcement purposes.

Soft Biometrics: Physical feature elements that by themselves are neither distinctive enough nor permanent enough to distinguish an individual are known as soft biometrics. Examples include gender, age, eye and hair color, tattoos, and other distinguishing features such as scars, birthmarks, and moles. These elements can be used as supplemental data to increase the confidence level of the accuracy of the overall authentication decision. Another benefit for the use of soft biometrics has been in a one-to-many comparison effort of a large database, where the additional elements can be used to reduce the scope of the overall database.

Other Behavioral Biometrics: In addition to handwriting and signature recognition, a new field of biometrics deals with the consistent behavior of certain muscular and skill-based functions performed by an individual, such as typing (keystroke), walking, and gesture patterns. The underlying theory is that a person’s repetitive actions are predictable. Most security experts agree that behavioral biometrics, with the exception of handwriting, are not as reliable as physical biometrics. The walking or gait biometric method is not suitable for banking or payment applications by its very nature of requiring time and space to acquire a sufficient amount of data to form a template. However, typing and gesture biometric authentication applications have been piloted in the banking environment. In the typing biometric, the individual’s pattern of keystrokes is measured in two ways: interkey (flight) and hold (dwell) times. The interkey time refers to the latency period between keystrokes.
The hold time represents the amount of time the key is depressed. The biometric calculations can be done so that the overall typing speed of the individual is not relevant. Not sufficiently unique to stand on its own, a typing biometric can be used as an additional authentication factor for a person using an access device with a keyboard. One of the advantages of this biometric is the ability to constantly analyze the patterns created by the user and update the template value. One of the disadvantages is the difficulty of distinguishing between the multiple devices that an individual can use to log in to an account. For example, in this day and age, it is entirely feasible that a user could access a bank account with a desktop computer, laptop, tablet, or mobile phone—which, because of different keyboard ergonomics, would likely result in very different templates for each of those devices.

Gesture biometrics applications can be used by an individual with a smartphone that has an embedded accelerometer or a computer with a mouse. In the latter case, the individual is instructed to perform a series of repetitive motions with the mouse. The application measures the angle, speed, direction, and length of the mouse movements. In a test program at the multiple campus locations in the University of Texas system, 99 percent of the participants were able to enroll successfully and be validated; they felt it was an overall positive experience.[17] With the smartphone, the user performs one or more specific gestures while holding the phone. Like the computer mouse application, a number of measurements are taken to create a user template. Once enrolled, the user must repeat those gestures as a secondary authentication to gain access to an application or perform certain transactions.
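To make the interkey (flight) and hold (dwell) measurements described above concrete, the following Python is an added illustration, not code from the paper or from any vendor it mentions. It builds a typing template from a few constructed key-event samples, divides every time by the total phrase duration so that overall typing speed drops out, compares a probe against the template, and nudges the template toward each accepted sample so it tracks the user's drifting habits. The phrase "pay", the constructed timings, the 0.05 distance threshold and the 0.1 update weight are all assumptions chosen for the demonstration.

```python
"""Keystroke (typing) biometric: flight and dwell times turned into a template.

Added illustration, not code from the paper. Key events are constructed sample
data in milliseconds; the phrase "pay", the distance measure, the 0.05
threshold and the update weight are assumptions chosen for the demonstration.
"""
from statistics import mean

# Constructed events: (key, press_ms, release_ms) for typing the phrase "pay".
SAMPLES = [
    # three enrollment samples from the same (legitimate) user
    [("p", 0, 80), ("a", 130, 210), ("y", 260, 340)],
    [("p", 0, 120), ("a", 195, 315), ("y", 390, 510)],  # same rhythm, 1.5x slower
    [("p", 0, 90), ("a", 140, 220), ("y", 265, 345)],
]
GENUINE_PROBE = [("p", 0, 85), ("a", 135, 215), ("y", 262, 342)]
IMPOSTOR_PROBE = [("p", 0, 150), ("a", 160, 300), ("y", 310, 450)]  # long holds, fast flights


def features(events):
    """Dwell (hold) and flight (inter-key) times, each divided by the total
    phrase duration so that overall typing speed drops out and only the
    rhythm remains."""
    total = events[-1][2] - events[0][1]
    dwell = [(release - press) / total for _, press, release in events]
    flight = [
        (events[i + 1][1] - events[i][2]) / total for i in range(len(events) - 1)
    ]
    return dwell + flight


def enroll(samples):
    """Template = per-feature mean over several enrollment samples."""
    vectors = [features(s) for s in samples]
    return [mean(column) for column in zip(*vectors)]


def distance(template, vector):
    """Mean absolute deviation of a probe from the template (0 = identical)."""
    return sum(abs(t - v) for t, v in zip(template, vector)) / len(template)


def verify(template, events, threshold=0.05):
    """Accept when the probe's rhythm is within `threshold` of the template."""
    return distance(template, features(events)) <= threshold


def update(template, events, weight=0.1):
    """Exponential moving average: after a successful verification the
    template drifts slowly toward the latest sample, tracking the user's
    changing habits without letting one odd sample dominate."""
    vector = features(events)
    return [(1 - weight) * t + weight * v for t, v in zip(template, vector)]


TEMPLATE = enroll(SAMPLES)

if __name__ == "__main__":
    print("genuine accepted:", verify(TEMPLATE, GENUINE_PROBE))    # True
    print("impostor accepted:", verify(TEMPLATE, IMPOSTOR_PROBE))  # False
```

The second enrollment sample is the first one typed 1.5 times slower; after normalisation its feature vector is identical, which is the sense in which "overall typing speed is not relevant". The device problem the paragraph raises is visible in the same numbers: a keyboard with a different feel would shift the dwell and flight ratios the way the impostor sample does, so in practice a template is kept per enrolled device.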
Biometric Solutions for Financial Services and Payments

Clearly, some of the biometric solutions reviewed above are not suitable for authenticating customers wanting to access financial applications or conduct payments. The suitability of those solutions that are in some level of usage today, in terms of the factors detailed in table 2, has been evaluated by the author and is summarized in table 3 below.

Table 3: Biometric Solution Suitability for Payments

Biometric Method   | Availability | Distinctiveness | Accessibility | Robustness | Acceptability | Financial
Fingerprint        | High         | High            | High          | High       | Moderate      | Moderate
Facial Recognition | High         | Moderate        | Moderate      | Moderate   | Low           | Low
Iris Recognition   | High         | High            | Moderate      | High       | Moderate–Low  | Moderate
Hand Geometry      | High         | High            | Moderate      | High       | Moderate      | Moderate
Voice Recognition  | High         | Moderate        | High          | Moderate   | Moderate      | Moderate–High
Signature Scan     | High         | Moderate        | High          | Low        | Moderate–High | Moderate

As the table illustrates, none of the biometric methods evaluated scored perfectly across all the elements, with fingerprinting having the greatest number of “high” scores. Iris recognition and hand geometry followed closely.

Device Fingerprinting

This technology combines the physical and biometric worlds for electronic devices such as mobile phones, desktops, laptops, and tablets, which generate specific data and electronic identifiers that allow for the creation of a profile or “fingerprint” of the device. While some of these identifiers, such as caller ID number or IP address, can be altered or spoofed, others are unique to the device. If the application has enrolled the device under a controlled environment, the device print can be used as an additional authentication factor (something you have) in a multifactor authentication program.

[17] http://findbiometrics.com/biometric-signature-id-8212-ceo-jeff-maynard-announces-results-of-trial-usinggesture-biometrics-to-authenticate-student-id-with-the-university-of-texas-system-telecampus/
For example, when a customer communicates with a bank over a mobile phone, programs such as Pindrop Security can measure more than 150 factors[18] that are a combination of voice (something you are), device (something you have), and locational (where you are) identifiers to authenticate a caller. Combined with a user ID and password (something you know), such a system should provide an extremely high level of confidence in the authenticity of the user. Since it may take up to 30 seconds to obtain the complete set of identifiers, especially if a voice pattern has to be established, the application of this technology has to be carefully considered so as not to delay the customer’s transactions. While somewhat similar in concept, this method of authentication should not be confused with browser fingerprinting, which companies use to track a person’s web browsing and access device characteristics (for example, screen resolution or fonts used). The subject of some controversy, this covert process is used to avoid the legal requirements related to “Do Not Track” opt-out options. While such tracking could be used as part of an authentication program, it is more commonly used for marketing purposes.

The growing inclusion of GPS functionality in electronic devices for mapping, navigation, and marketing applications is also being used for security applications. While not able to operate as a standalone authentication solution since it has information only about the device, which can be stolen, it can be combined with other authentication methods to help validate a user’s location. This is particularly helpful in cardholder-not-present transactions.

Out-of-Band Authentication

A recent development tied to the widespread deployment of mobile phones in increasing the confidence level that a company is dealing with the authentic customer is the use of out-of-band authentication (OOBA).

[18] www.pindropsecurity.com/phone-fraud-solutions/
In such a scheme, the customer is required to have enrolled an e-mail address or a telephone number with the company, information that the company has verified in advance of the transaction. Before a transaction is finalized, the company receiving the transaction request will send a message to the customer through a communications channel different from the one used to initiate the transaction. For example, if the customer is conducting business through an online banking site and wishes to initiate a wire transfer, the bank sends a code through a text message or e-mail that the customer must enter before the transaction is finalized. As expected, the key to the success of this scheme is to have and maintain the correct phone number or e-mail address for the customer. For this reason, extreme care must be taken when enrolling the customer or when accepting any change to this information. Criminals have attempted to defeat OOBA systems in a couple of ways. One is to change the phone number or e-mail address on the account so the OOBA code is sent to the criminal instead of the legitimate customer. This can be done by social engineering techniques to gain initial access to the account to request the change. The most sophisticated efforts come from “man-in-the-browser” (MITB) malware. With MITB malware on the customer’s device, the customer sees what appear to be authentic screens from the mobile banking application, but the Trojan installed on the device is intercepting the communication messages and allowing the criminal to execute an illicit transaction.

Major Issues

Card-Present (CP) versus Card-Not-Present (CNP): In the payment card environment, the current network rules regarding whether the cardholder presents a physical card to an attendant is important in setting the merchant’s interchange rate as well as liability responsibility. CNP transactions are riskier.
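The OOBA exchange described above, as an added example that is not part of the paper (Python; the message gateway, the six-digit code, the five-minute lifetime and the three-attempt limit are assumptions). Two design points follow from the two attacks the paper names: the server stores only a keyed hash of the code together with the transaction details, so a code issued for one transfer cannot confirm a transfer whose details were altered in the browser, and the message itself restates those details so the customer can compare them with the screen; and a change to the enrolled phone number or e-mail address is confirmed through the existing contact before it takes effect.

```python
"""Out-of-band confirmation codes bound to the transaction they approve.

Added example, not from the paper. The SMS / e-mail gateway is replaced by a
constructed list; code length, lifetime and the attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
LIFETIME_SECONDS = 300
MAX_ATTEMPTS = 3

SENT_MESSAGES = []  # constructed stand-in for the out-of-band gateway: (contact, text)


@dataclass
class Challenge:
    tx_id: str
    salt: bytes
    digest: bytes        # keyed hash of the transaction details and the code
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(salt, tx_id, tx_summary, code):
    """Bind the code to what it approves: a code issued for one transfer
    cannot confirm a transfer whose details were altered afterwards."""
    message = b"\x00".join(s.encode() for s in (tx_id, tx_summary, code))
    return hmac.new(salt, message, hashlib.sha256).digest()


def issue_challenge(tx_id, tx_summary, verified_contact, now=None):
    """Generate a code, store only its keyed hash, send the code out of band.

    The message restates the transaction details so the customer can spot a
    mismatch between what the screen shows and what is really being approved."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    salt = secrets.token_bytes(16)
    challenge = Challenge(tx_id, salt, _digest(salt, tx_id, tx_summary, code),
                          now + LIFETIME_SECONDS)
    SENT_MESSAGES.append(
        (verified_contact, f"Code {code} to approve: {tx_summary}. Not you? Call us.")
    )
    return challenge


def confirm(challenge, tx_id, tx_summary, submitted_code, now=None):
    """Single-use, time-limited, attempt-limited check in constant time.
    tx_id / tx_summary are the details the server is about to execute."""
    now = time.time() if now is None else now
    if challenge.used or now > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    expected = _digest(challenge.salt, tx_id, tx_summary, submitted_code)
    if hmac.compare_digest(challenge.digest, expected):
        challenge.used = True
        return True
    return False


def issue_contact_change_challenge(account_id, current_contact, new_contact):
    """A change to the enrolled phone/e-mail is itself confirmed through the
    existing contact, so a login obtained by social engineering is not enough
    to redirect future codes elsewhere."""
    return issue_challenge(f"contact-change:{account_id}",
                           f"change contact to {new_contact}", current_contact)
```

In use, the web tier calls issue_challenge when the transfer is submitted and confirm when the customer types the code back, passing the details of the transfer it is about to execute rather than anything re-sent by the browser; if the two differ, the hash does not match and the transfer is refused.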
Because the thief does not have to be physically present to execute a transaction, he or she often uses counterfeit or stolen cards through these merchant channels. The 2013 Federal Reserve payments study[19] showed that the number of fraudulent CNP transactions was more than three times higher than fraudulent CP transactions. For this reason, CNP transactions carry a higher interchange rate and the merchant is generally liable for fraudulent transactions. This contrasts with the card-present environment, in which the financial institution issuing the payment card typically bears the liability for fraudulent transactions. The evolving technology of payment form factors will create the need for the networks to examine their definitions of the CP and CNP environment. Electronic wallets have the cardholder load payment card information into an application resident on the mobile phone or tablet. The customer is physically present at the point of sale but uses the application to pay for the transaction. Is this a CP or CNP transaction? Under some of the card network rules, since the physical card was not processed, it is a CNP transaction. Under other rules, it is considered a CP transaction. As discussed above, the mobile application may actually provide more authentication capabilities than the standard card-processing environment, so shouldn’t this additional risk-mitigation capability be taken into consideration?

Privacy: While the use of biometrics has a number of clear benefits in authenticating the legitimate user, their use and that of geolocation capabilities create consumer concerns about how the information will be used. Individuals have different privacy needs depending on the circumstances of their activity. In some cases, they essentially throw off any privacy needs when they engage in social media and other activities when their identity is clearly shown.
However, even in such environments, there is some level of privacy desired, which became clear with Facebook’s release of its 2013 annual report.[20] This report revealed that between 0.5 percent and 1.5 percent of its 1.2 billion active monthly accounts are false accounts established in violation of its service terms. On the other end of the privacy spectrum, there are others who want to remain “off the grid” and disclose their personally identifiable information (PII) to others at an absolute minimum. Their primary concern is that their biometric data may be compromised in some way by criminals, or that their habits and movements will be captured and tracked by government entities, including law enforcement. Since biometric data is unique to the individual, it cannot be changed, so if it is compromised, the individual’s ability to use that authentication method is stopped. In table 4, below, the International Biometric Group (now Novetta Solutions) scored the various biometric authentication methods on their privacy risk level across four key attributes:

Behavioral versus physiological: Industry risk experts believe that a physiological biometric such as a fingerprint or iris recognition is more likely to be used in an invasive manner.

Overt versus covert: A covert system is akin to being under surveillance without the subject’s knowledge and is deemed to be more invasive.

Verification versus identification: An identification system searches a large database of biometric templates (1:many), resulting in a greater potential for misuse, whereas a verification system is a 1:1 match decision.

Existing database compatibility: If there are existing databases against which the template can be searched, the risk to the user’s privacy is higher.

[19] http://fedpaymentsimprovement.org/wp-content/uploads/2013_payments_study_summary.pdf
[20] http://investor.fb.com/secfiling.cfm?filingid=1326801-14-7&CIK=1326801
Table 4: Privacy Risk Scoring

Biometric Method   | Behavioral vs. Physiological | Overt vs. Covert | Verification vs. Identification | Existing Database Compatibility | Overall Risk
Fingerprint        | High     | Low      | High | High | High
Facial Recognition | Moderate | High     | High | High | High
Iris Recognition   | High     | Low      | High | Low  | Moderate
Retinal Scan       | High     | Low      | High | Low  | Moderate
Hand Geometry      | Moderate | Low      | Low  | Low  | Low
Voice Recognition  | Low      | Moderate | Low  | Low  | Low
Keystroke Scan     | Low      | Moderate | Low  | Low  | Low
Signature Scan     | Low      | Low      | Low  | Low  | Low

Source: Novetta Solutions (formerly International Biometric Group)

A biometric authentication program should include the following factors to help ease users’ concerns about the use of their biometric data and their privacy.

Transparency: The enrollment process as well as the ongoing operation of the program should be clearly explained to the user and, when appropriate, the user should be able to control the use of the data captured.

Appropriateness: The data collected should be appropriate for the purpose intended.

Purpose: The biometrics are used only for the purpose given and no other application.

Security: The entity operating the program should ensure that careful enrollment and data protection safeguards are in place to prevent unauthorized access or unintentional disclosure.

Other Risks and Controls: In addition to the privacy issues discussed above, there are a number of other risk and control issues associated with biometrics.

Enrollment: The enrollment stage represents a major point of risk, when the raw measurement data can be compromised or a false identity inserted. For this reason, there should be highly detailed procedures in place to ensure sufficient controls related to personnel and processes.

Spoofing Attacks: If a biometric system is too simple, it is vulnerable to criminals who can spoof or fool the system by using artificial methods such as constructed finger or palm prints, photographs, or recorded voices.
This risk is minimized by using techniques that verify that the subject biometric is alive—temperature, heartbeat, eye blinks, and more.

False Templates: If the biometric templates are stored in a central database, controls must be in place to prevent the insertion of a template under another identity. The templates should be encrypted and there must be strong network and application security controls to restrict and track all changes to the application to ensure they are legitimate.

Data Interception: Just as in the point-of-sale world, the system must be designed so that the biometric authentication data cannot be intercepted between the reading device and the final creation of the template. End-to-end encryption is a best-practice solution.

Component Alteration: Similarly, controls must be in place that will detect any hardware or software effort to modify the system outside the carefully controlled change process. Such alterations could involve the terminal capturing the biometric or an effort to manipulate the data on a template.

Similar Template: The value of a biometric authentication system is that it helps prevent fraudulent users from accessing the system if they have templates similar to authorized users. For this reason, the biometric system must be tested to ensure that its measurement and template algorithms are sufficiently complex to deliver unique outputs. The false acceptance rate of any biometric system should be less than or equal to 1 percent.[21]

[21] NIST Patriot Act Biometric Standard (http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/200303/March2003-Biometric-Accuracy-Standards.pdf)

Key Learnings

The research conducted for this working paper shows that there are a wide range of payment authentication methods in the marketplace today. As the number of remotely accessed financial applications increases, the need for additional authentication also increases to ensure the legitimacy of the person accessing the application.
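The "Similar Template" control above comes down to where the operator sets the match threshold, and the 1 percent false acceptance ceiling is only half of that decision; the other half is how many legitimate users the same threshold turns away. The following Python is an added illustration, not from the paper: it computes the false acceptance rate (FAR) and false rejection rate (FRR) over constructed genuine and impostor similarity scores and picks the loosest threshold that meets a FAR ceiling, first at the 1 percent the paper cites and then at an assumed stricter 0.5 percent, to show the friction that tightening costs.

```python
"""False acceptance / false rejection trade-off of a biometric match threshold.

Added illustration, not from the paper. The similarity scores are constructed
(0 = no resemblance, 1 = identical); a real evaluation uses many thousands of
genuine and impostor comparisons. The 1 percent FAR ceiling is the figure the
paper cites; the stricter 0.5 percent run is an assumption for comparison.
"""

# Constructed scores: comparisons of two captures of the same person ...
GENUINE_SCORES = [0.60, 0.65, 0.70, 0.72, 0.75, 0.78, 0.80, 0.80, 0.82, 0.85,
                  0.85, 0.88, 0.90, 0.90, 0.92, 0.93, 0.95, 0.95, 0.97, 0.99]
# ... and of captures from different people; the single 0.62 is a pair of
# strangers whose templates happen to be similar (the "similar template" case).
IMPOSTOR_SCORES = ([0.10] * 20 + [0.20] * 20 + [0.30] * 20 + [0.40] * 20
                   + [0.50] * 15 + [0.55] * 4 + [0.62])


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor comparisons that would pass."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine comparisons that would fail."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def threshold_for_far(genuine_scores, impostor_scores, max_far=0.01):
    """Lowest threshold (hence least friction for genuine users) whose FAR
    does not exceed max_far. Returns (threshold, far, frr).

    FAR only falls as the threshold rises, so scanning the observed score
    values in ascending order finds the answer without a fixed grid."""
    for t in sorted(set(genuine_scores + impostor_scores)):
        rate = far(impostor_scores, t)
        if rate <= max_far:
            return t, rate, frr(genuine_scores, t)
    return 1.0, far(impostor_scores, 1.0), frr(genuine_scores, 1.0)


def decide(score, threshold):
    """The match decision a deployed system makes for one comparison."""
    return score >= threshold


if __name__ == "__main__":
    for ceiling in (0.01, 0.005):
        t, a, r = threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, ceiling)
        print(f"FAR <= {ceiling:.3f}: threshold {t:.2f}, FAR {a:.3f}, FRR {r:.3f}")
```

With these constructed scores a threshold of 0.60 holds FAR at exactly 1 percent (the one similar-template pair still passes) while rejecting no genuine user; pushing FAR to 0.5 percent requires 0.65, which shuts out that pair but also turns away one genuine comparison in twenty. That FRR figure is the friction the Key Learnings section warns about, and it is why a FAR requirement is stated together with the FRR it implies rather than alone.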
Although many say the password is no longer viable, it is still the most used authentication method for access control and appears to be adequate by itself for routine, nonfinancial applications. What many people overlook with a password scheme is the long-term cost of password management in supporting the help desk function for users who forget their passwords. Passwords with additional authentication factors should suffice for the vast majority of financial service applications. There is no single biometric method that is the “silver bullet” for providing a complete authentication solution for all applications. It is clear that multi-factor authentication schemes exponentially increase the confidence level of validating the proper user of an application. However, adding other authentication requirements potentially increases the amount of friction between the user and the service provider, with the possibility of causing the user to be dissatisfied to the point of abandoning the transaction and perhaps future transactions with that service provider. The enrollment stage of the process is the most critical for making sure that the authorized individual is initially added to the application. Additionally, the application must have careful controls to guard against intruders gaining unauthorized access to steal or modify the stored authentication templates. Due to the high penetration of smartphones in the United States, biometric efforts appear to be focused on fingerprint, facial, and voice recognition methods. Although embedded fingerprint sensors have only been introduced in the last few years, virtually all mobile phones contain cameras, and all contain a microphone. While there may be some exceptions in the area of commercial banking, financial institutions will continue to carry the vast majority of the risk related to fraud losses with regards to consumer accounts.