Physical Security: Making the Case for Biometrics

Technology is Here, But Institutions Don't Yet Embrace It
Physical Security: Making the Case for Biometrics
The move to biometric authentication for customers and internal users is a tough decision for some institutions to make. But at Purdue Employees Federal Credit Union, based in West Lafayette, IN., the move was made more than 12 years ago, and the credit union continues to employ this method with positive results.

Bill Arnold, Vice President of IT at PEFCU, says the $475 million asset credit union's initial driver was a matter of convenience, not security. Students wanted to have a quick way to get money from their accounts, and PEFCU decided to pilot a fingerprint-authenticating cash kiosk in the student center at one of the University's regional campus centers in Calumette, IN.

"The space given to us was just big enough for a kiosk," Arnold says. "The acceptance rate among students was high, so we began rolling out across the credit union's branches in the Tippecanoe county area."

Today, the credit union records an average of more than 100,000 transactions per year on the 5 kiosks in production.

What surprised Arnold and others at the credit union was that the biggest early adopters of the biometric technology were not the students, but rather the older members, 50 years and over. "It seems the reason was they had more assets to protect," he says.

Of the two disparate communities, the older members wanted to protect their assets, and the students wanted the convenience factor. "Most students want to carry around as little as possible, and the thought of not having to carry an ATM card around was appealing. All the students had to remember was their account number, and then their fingerprint authenticated them."

Arnold notes that since debit cards became popular, the use of biometric kiosks, as well as ATM traffic, has dropped. "Everyone is paying for things with debit cards and not using ATMS or the kiosks," he says. "Debit cards are ubiquitous, and students are saying 'I can go to McDonalds and pay for it with my debit card and not have to carry around spare change,'" he explains.

Still, the credit union plans to continue the biometrics program.

Privacy was never an issue when the credit union began the biometrics program. Arnold notes that during the 12 years of the biometrics kiosks on campus and at branches there has not been a single instance of fraud attempted, i.e. trying to spoof a fingerprint.
Arnold brought in Purdue researchers from the university's nationally recognized biometrics lab to test the kiosks before introducing them to the members and students.

Biometrics' Role in Securing Financial Institutions
PEFCU is just one example of how some financial institutions are now - albeit slowly ---- using biometrics technologies to bolster physical security.

The 2006 FFIEC guidance mandating multifactor authentication was seen as a plus for the multiple biometrics offerings that financial institutions can choose to employ to authenticate both customers and employees.

Yet by early 2006, only about 5 to 7 percent of financial institutions in the United States had implemented biometric technologies, according to an Aite Group study. Despite advancements in biometrics technology and the wider use of biometrics in other consumer applications, the arrival of wide acceptance of biometrics for customer transactions in financial institutions has yet to happen. While some institutions - like PEFCU -- are using biometrics to authenticate customer transactions, Aite analyst Christine Barry says that the use of biometrics as an authenticator for employee access to institution's networks is gaining more ground than the consumer applications of the technology.

"While the use of biometrics in financial services industry is increasing, it has been disappointingly slow," Barry says. "Every year since I've been watching the use of biometrics I think, is this the year for biometrics?"

According to the Federal Reserve Board in Philadelphia, fingerprint readers and scanners are used by some of the largest financial institutions for IT security, including Barclays, UBS, American Express, Bank of Montreal, Bank of Nova Scotia, Bear Stearns, Prudential, Bank of Slovenia, Union Bank of California, and Morgan Stanley. The FFIEC has listed administrative and logistical standards for secure biometric systems in its Information Security booklet.

At the customer level, one of the major challenges is the hardware adoption and the use of a finger scanner. "Even though many new laptops are offering this hardware, it is still something unknown to most users," Barry says.

Large commercial use is underway, Barry points to projects such as Key Bank's announcement last year that the bank would offer finger scanning at the point of log-in for their online commercial banking customers. Key Bank has not acknowledged how many of their commercial customers have actually adopted it, she says.

Future of Biometrics
With the growing acceptance of consumers of the biometric technology, as seen at Disney World Orlando theme parks, which use finger scanners to gain entry into the park, Barry is hopeful that biometrics will continue to gain ground in financial institutions. "It is still more what you have, or what you know that has hold on the authentication mechanisms at institutions, but something you are (fingerprint) or something you do (keystroke) will continue to gain interest among financial institutions that want to protect their customers' transactions," Barry notes.

Acceptance rates for finger scanning is higher than other biometric methods, such as voice recognition and retinal scanning. Some credit unions are using finger scanning at their ATM as an option to offer second factor authentication. Typically credit unions are "faster to adopt new technology, and their members tend to embrace change more quickly," Barry explains.

When Barry speaks with institutions, she's found very few are using biometric technology, opting to use other types of security authentication instead -- such as more challenge questions and token keys.

One bright spot: the internal use of biometrics to authenticate institutions' staff to networks continues to gain ground, Barry notes. "Internally, institutions are using it more, and trading desks are using it. There seems to be better acceptance of biometrics in a controlled environment.

"To date, the adoption of biometrics at financial institutions has been disappointing," she says, "but I still have hope."

Question: What's the future of biometrics at your institution? Share your insights with Editor Tom Field.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.