The
European ATM Security Team (EAST) is asking this question in its latest on-line research poll. Well would you? Such technology, both palm vein and finger vein is relatively common in Japan and also in use in Brazil. Other countries such as India are
apparently looking to roll it out. Hmm. To date only 24% of the respondents would be happy to use such technology in place of their PIN, and 47% would not use it due to concerns about personal data privacy.
This technology means that after feeding your card into the ATM, you place your hand or finger over a scanner which recognises your unique data to authorise the transaction. From a security point of view I can see that if you do not need to enter a PIN
when making an ATM transaction, then your card is less vulnerable to compromise - the magstripe data can still be skimmed, but trapping your card for fraudulent subsequent cash withdrawal would no longer be viable (unless the fraudsters keep you with it, in
which case it becomes a duress attack). It would be really interesting to know what the fraud stats show for ATM skimming, when comparing ATMs before and after the introduction of such technology.
Poland is the first country in Europe to trial this technology, with BPS Bank running a trial using a system developed by Hitachi and Wincor Nixdorf (see picture).
My concerns lie in the area of personal data privacy and protection. I live in the UK where the relevant government agency three years ago 'lost' the personal data (names, dates of birth, bank and address details) of around 25 million adults receiving financial
benefit for a child under 16 - potentially putting them at risk of identity theft! From time to time financial institutions and other organisations lose laptops containing personal information relating to customers..........and it is possible to buy such
information, fraudulently obtained, on the internet.
The European Union has fairly robust data protection and privacy legislation when compared to other parts of the world, partly due to the fact that many member countries have had fairly recent history of abuse of personal information by fascist or communist
regimes and their acolytes. Yet this legislation is far from perfect. Last year the Information Commissioner's Office in the UK published a
Review of EU Data Protection Directive which highlighted some areas of concern; among them the fact that its international data transfer rules are unrealistic against a backdrop of high-volume globalised data flows, and the fact that the role of Data Protection
Authorities in accountability and enforcement is inconsistent.
From a security perspective, I am an enthusiastic supporter of EMV or Chip and PIN technology, for which the holy grail would be the introduction one day of chip-only cards. Do we really need biometrics for ATM transactions? Something in me is uncomfortable
with the thought of entrusting any form of my biometric data to organisations that may lose, misuse, or otherwise fail to properly secure and control it. Am I being paranoid, or is keeping such biometric data private one of the last frontiers of individual
personal privacy in a world where it is becoming increasingly impossible to remain invisible, and where virtually every phone call, email, website visited, electronic payment transaction and journey made is monitored, recorded, processed and stored by others?