Biometrics: The next step forward in ATM security

What if you didn't have to remember a PIN or worry about someone skimming your card every time you went to use an ATM? 

Passwords are easy to forget, and they can be a pain to recover, especially if you are in a hurry. The idea behind biometrics is that they only rely on some measure of your body, which is unique to each person. If implemented correctly, you don't need a password or even a smart card to access cash.

Biometrics promise a smoother customer experience and reductions in fraud. The technology is big business, too. The biometric market is expected to be worth $32.7 billion by 2022. 

What follows are the basic types of biometrics that are being used or piloted on ATMs today and a few of their drawbacks.

Fingerprint scanners 

Most people are already familiar with fingerprint sensors. When Apple first introduced Touch ID on the iPhone 5S in 2013, it paved the way for other businesses to explore biometrics as a solution to widespread security issues. For Apple, the simplicity of Touch ID was critical to Apple Pay's success.

The problem with fingerprints is they can be faked. For years, researchers have shown that fingerprint sensors can be fooled sometimes using a lifted print or a person's digitized fingerprint data. And last year, researchers from New York University used a neural network to create synthetic fingerprints that have the same ridges visible when rolling an ink-covered fingertip on paper.

Another problem is that after years of certain types of manual labor, some fingerprints can be hard to distinguish. The technology also requires you to physically touch the scanner, which brings up hygiene issues. 

Finger, palm vein readers 

Fortunately, there is another way to read fingers that includes reading the veins in the fingers. You can also read palms this way. 

A vein scanner illuminates the finger or palm with near-infrared light, which is absorbed by the hemoglobin in the veins to capture a unique profile of an individual. This method of capturing fingerprints is thought to be more secure, because it uses a "liveness" detector to make sure the finger — or palm — is real. 

Most Japanese ATMs already use some type of fingerprint reader, finger-vein or palm-vein reader, biometric security expert Douglas Russell, director of DFR Risk Management, told Infosecurity Magazine. 

In 2014, Poland became the first country in Europe to introduce a network of "finger vein ID" cash machines, with 2,000 of the new ATMs opening in bank branches and supermarkets across the country, backed by a campaign that promised "cash within your finger." 

Two years later, to combat ATM fraud, Fiserv introduced its Verifast palm authentication reader based on Fujitsu's PalmSecure palm-vein technology. And early this year, Fiserv introduced what it's calling a "super ATM" that integrates with the solution. 

Facial recognition 

By detecting data points on your face and comparing the information with a database of known faces to find a match, facial recognition software can identify who you are.

In February, Spain's CaixaBank claimed that it was the world's first bank to use facial recognition to allow customers to withdraw cash at ATMs. The lender developed the technology in partnership with IT services provider Fujitsu and face recognition developer FacePhi. 

Through a camera, which can identify up to 16,000 points on a user's face, the ATM recognizes the customer and validates the transaction. Six months into the pilot, CaixaBank is reporting success, and says it plans to implement the biometric service at even more of its ATMs. 

Iris scanners

If you are okay with having your eyeball scanned at close range, iris scanners promise another form of biometric security. The technology identifies mathematical patterns on video images of one or both of the irises of an individual's eyes, whose complex patterns are unique and stable over time, unlike fingerprints and facial features.

In 2009, IrisGuard, an electronic payment solutions company, deployed the world's first operational iris-enabled ATM at Cairo Amman Bank, allowing users to withdraw cash without a bank card or PIN but simply by presenting their eye to the iris recognition camera on the ATM. 

In 2015, Diebold (now Diebold Nixdorf) teamed up with Citigroup to test Iris scanning at ATMs at Citibank's innovation lab in New York. The re-design of a traditional ATM machine dubbed "Irving" featured no PIN pad, card reader or screen. Instead, all transactions took place via a mobile app on the user's smartphone.

A few of the shortcomings of iris scanning technology include — many commercial iris scanners can be easily fooled by a high-quality image in place of the real thing. The scanners are often tough to adjust and can become annoying to use if several people of varying heights are all using it in a row.

Obstacles to adoption 

On the surface, biometric security sounds like a brilliant idea. It is being used in Japan, India and countries in Europe. So why don't we see it even more widely deployed? A few reasons. 

Some consumers are uncomfortable with having parts of their bodies scanned, and trusting that information with numerous financial services companies. In the U.K., especially, data privacy is a big issue, so there are legal and ethical ramifications to overcome. 

Second, the technology needs to function smoothly. ATMs are self-service devices. If biometrics are any more complicated than simply tapping in a PIN and using a card, people aren't going to want to use it. 

There is also the question of how secure is the data? 

A few years back, Kaspersky Lab experts warned that despite promises, biometric ATM authentication is not immune to skimming.

"The problem with biometrics is that, unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," said Olga Kochetova, a security expert at Kaspersky Lab, said in a statement. "Thus, if your data is compromised once, it won't be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way.

Despite the obstacles, biometrics still holds promise as a secure and easy way to access cash. And quite possibly, one day soon, we will see passwords go by way of the rotary phone.