Would you use biometric technology at an ATM?

No way I would use a biometric ATM.

It's said that biometric ATMs are proving popular in Japan and elsewhere but actual performance figures are still hard to come by.  The vendors' marketing claims for false positives (must be low for security) and false negatives (must be low for customer convenience) border on the hyperbolic.

Hitachi claims "there's only a 0.0001% chance of someone passing off their vein patterns as yours".  But that's only half the story.  What is the corresponding false negative rate when the system is tuned to be so ultra discriminating?  Well, the only independent testing I have managed to find for finger vein technology shows that at a False Match Rate of 0.0001%, the False Non Match Rate can deteriorate to 20%.  That is, one in five times the customer will have to try again.  I suspect that to keep the retries down, the systems are de-tuned in practice to be rather less accurate than 0.0001%, but exactly what the accuracy and overall security are in practice, we just don't know.

Meanwhile the FBI urges caution because lab testing doesn't translate to real world experience:

For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment. Therefore, any reference to error rates applies only to the test in question and should not be used to predict performance in a different application.

Yes, there are major privacy concerns. At present, no chip-and-PIN card is going to have the biometric template stored on the card, much less matched on the card, because of the cost of the extra memory and software.  So the templates must be stored centrally, and each time you visit an ATM, your biometric data will be sent out for matching.  I agree with Lachlan Gunn's concerns over the ability to safeguard thiese data stores.  If they can't stop card data today being stolen en masse, then we have to assume that stolen biometric data too will one day be in circulation amongst organised crime gangs.  And then what?  At least when my card is stolen, I can have it revoked and re-issued.  But with biometrics that's impossible.  They leave no room for error.

And when the thieves of tomorrow's brave new world steal my biometric template, lord knows how many other accounts they will also automatically have the keys for!

Stephen Wilson, Lockstep.

I'm not keen.

My own experience of biometric access control at my HQ in New York was that I had to register both thumb prints and yet my aggregate error rate was 20% - being blamed for not putting my thumb in the right position on the reader - which means to me the design of the reader is at fault for allowing me to place my thumb in the wrong position.

If my PIN is stolen (and I'm not a fan of CHIP n PIN either), then I can change it and ask for another one. If someone is able to present my biometrics as their own - then there's nothing I can do about - I can't change my fingerprints, blood, saliva, retina, veins, voice etc.

Like with DNA matching (see my separate blog on that topic in Aug 2009 - https://www.finextra.com/blogs/fullblog.aspx?blogid=3190), if the technology is just sampling my results, and coming up with a hash equivalent, then its not impossible for that to be impersonated / reproduced.

How much of that data is going to be transmitted around the world, via what routes, is it going to be secure in transit, how long is it going to be held in cached memory, and will it be secure at rest? Will it survive / detect a man-in-the-middle attack?

Whereby, falling back on the good old Signature, when I was transferring £125,000 yesterday via CHAPS, RBS called up my Signature on File, checked my Passport & Debit Card, and recorded me on CCTV. I was happy.

Why is biometric data really any different to a photoID, signature, name and address, DOB ?  Its just a nother way of identifying who you are, but its a lot, lot harder to duplicate(forge) your bio credentials in the real world, compared to forging a signature, knowing your address or PIN etc.   You cannot really change your photo/face, and certainly not your DOB.

Apart from insider fraud or core hacking, the other problem with any system is 'man in the middle' where measured identifing information is exchanged for 'stored' correct information.  This applies to any type of ID system.  That's why the measuring terminal has to have a cast-iron transaction wrapping solution to prevent tampering between there and the backend. (It just means that the 'middle' probably has to be between the measuring instrument (thumb reader) and the thumb).

I draw the line at exposing DNA credentials, but knowing your vein pattern, retina details, thumbprint, face geometry etc - so what?

"Knowing your vein pattern, retina details, thumbprint, face geometry etc - so what?"

Because then they get replayed, that's what. It's simply not true that biometrics are "a lot, lot harder to duplicate". See the Gummy Bear attack on fingerprints for starters.

And even if a particular biometric does prove very hard to duplicate, are we willing to bet the house on it being literally impossible?  Because once compromised, no practical biometric can be revoked and reissued. There is no room for error.

Everyone knows there is no such thing as perfect security, but biometrics are actually premised on the supposed impossibility of compromise.  They defy security logic.

I agree.

The concern to me is my personal biometric data falling into the wrong hands or being misused.  There is a big difference between a compromised PIN and compromised biometric data.  My finger vein patterns and palm vein patterns are not going to change and once taken and stored are out of my control for ever (yes, maybe data protection legislation says that they should be destroyed once an account is closed, but if that is the case how do I know that it actually happened and, even if it did, was it compromised beforehand?) 

As has been said, a compromised PIN can be changed, and is for the sole purpose of authorising transactions for a single card - it is unique for that card, which can be re-issued if compromised.  For online transactions we are told to never use the same password for different purposes.  It also can be changed if compromised.

Yet hypothetically, if I have accounts with several different card issuing banks and they all use finger vein technology for ATM transactions, then I am using the same authentication (admittedly unique to me) for multiple cards (and possibly other future legitimate purposes). 

As Stephen states there is a risk, however small, that my data if compromised could be misused for multiple purposes.  In the ‘technology chase’, the good guys are normally well behind the bad guys! 

Even more worryingly, as with the planting of DNA, is there a remote possibility that one day such compromised data could actually be used to evidentially place me where I wasn’t?

OK, so the topic is sensitive,  but not altogether completely rational.  I was making the comparison with other 'biometric' type data like your DOB, photo, signature.  All are unique and do not change (you could change a signature, or have several, but they are still unique subject to forgery).

So how exactly can your 'vein pattern' be used against you any more than a forged dignature or photoID?  All can be stored digitally.  All can be replayed.  If the receiving merchant is prepared to accept photocopies of a passport, driving licence etc and not really care about due KYC identity, then anybody can register as me.  Its a complete pain to me when I have to prove it was not, but the merchant/bank has to prove they checked the identity of the fraudster. 

Knowing your DNA is a different matter. That contains info which can be used to discriminate (in an even deeper way than just viewing your photo!).

Sorry John, I may have missed your point.

My focus was on automated electronic authentication, where revocability I believe is essential.  Yes today we present handwritten signatures to other human beings as a form of authentication, but the manual decision to accept or reject is subject to all sorts of extra cues and layers of verification, and also forensics.  In contrast, decisions made by machines around electronic biometrics are essentially instantaneous.  The potential for fraud is quite different from traditional in-person presentation of photo IDs, signatures etc.

So we're playing an entirely different game here with electronic biometrics. A forged signature or photo ID cannot be replayed (in person) in the same way as stolen electronic biometrics can.  And a compromised photo ID can always be revoked and re-issued.  Nobody has explained how a compromised finger vein pattern will be revoked.  Vendors will instead try to argue they cannot be stolen.  In principle, that's a bad kind of answer.  And in practice, the likes of the FBI will counsel us to watch this space!  All biometric vendor specs are produced under the "Zero Effort Imposter" assumption, and wilfully ignore the possibility that an attacker might actually make a concerted effort to break the system.

Everyone is talking about security issues, and while these are relevant, there are more practical issues. Most biometrics are not suitable for all environments, cold weather for example makes glove removal impractical; voice reciognition in busy streets with vehicles and ambient noise is also difficult.

However the key issue is registration - many people using self service ATMs or POS do not go near a bank branch. I have never visited the branch that holds my account. The risks of impersonation are huge and fraud could well increase.

Excellent point.  The cost to the issuing banks would be high (certainly higher than just sending a CHIP & PIN).  And we already know that Banks are 'happy' to accept a level of impersonation fraud because they can offset those losses against the savings of convenience.  That counts more than your identity I guess (joking).

I just received a call from my Credit issuer inviting me to become a Debit account customer (with loads of supposed benefits).  Within 10 mins on the phone (divulging lots of data that I had to decide on the fly if it was relevant to the application or not) and a couple of days, I received a Card and then the PIN.  Easy.  I wonder if I will actually use this account.

On the downside of PINs - I was with my father at his bank the other day (in his 80's), and they wanted to identify him - they asked him to type his PIN into the bankers keyboard to do this, to which he stated out loud what it was. Doh!  He doesn't do CHIP & PIN very often, and I bet he doesn't really shield it when he does, but surprisingly he was right and the bank trusted that above his signature.

Please click on the link to see Hitachi's response to this blog post: https://www.finextra.com/blogs/fullblog.aspx?blogid=4498