Criminals have always had their eyes on ATMs. In the past, their exploits included cutting, torches, or explosives. With the dawn of the digital age, exploits have become more sophisticated. For example, losses from card skimming attacks were up 70 percent in 2016 compared to 2015; these losses were on top of a whopping 546 percent year-over-year increase from 2014 to 2015, according to FICO data. In a card skimming attack, criminals attach an external skimmer to the machine that reads data from the magnetic stripe on the customer’s ATM card, along with a PIN recording device. The rising tide of skimming attacks has caused banks to rethink the way they provide security. For example, Wells Fargo and Bank of America have both recently introduced cardless ATMs that eliminate the risk of skimmed cards. But these solutions still require PINs, and PINs remain inconvenient and difficult for users to remember.
Secure Transactions Without Cards or PINs
FIDO-based biometric authentication technology allows users to securely perform transactions on any ATM without swiping a card or entering a PIN. Samsung and Diebold recently demonstrated a solution where users stage their cash withdrawal transactions inside their mobile bank app, and when they are at the ATM, they initiate the cash withdrawal via a Near Field Communication (NFC) tap on the ATM. The ATM then sends a notification to the users’ registered device and challenges users to authenticate via their registered modality. Once authenticated, the ATM dispenses cash and the transaction is completed. This solution eliminates the need for a physical bank card and a PIN.
A More Convenient Solution
As banks increasingly look for a competitive edge, biometric authentication delivers greater convenience for users. Whether they’re withdrawing money from an ATM or shopping at the grocery store, the phone becomes their ID provider for all their daily actions. Simplified biometric authentication can also make it easier for banks to offer additional services through their ATMs. As customers perform fewer standard ATM transactions, banks can use their existing ATM machines for other types of transactions—and then take a cut. For example, a bank in Puerto Rico allows customers to use its ATMs to pay their utility or credit card bills. As more transactions are supported, biometrics simplifies the authentication process.
Greater Security and Risk Management
FIDO-based biometric authentication also allows banks to set policies that enable them to better manage risk. For example, security administrators can set policies that assign different risk levels to different types of transactions along with correspondingly rigorous levels of biometric authentication. Logging in to see balances might be a low risk while transferring funds is a higher risk. You can devise policies based on risk levels so that viewing account balances requires only a fingerprint while transferring funds also requires a voice print.
Enterprise-grade FIDO-based biometric solutions also offer a higher level of security by taking advantage of a PKI-based infrastructure, which uses public and private key cryptography. The biometric template and the private key are encrypted and stored in the OS of the customer device, where hackers can’t intercept them. The encrypted public key is sent to the FIDO server located behind the corporate firewall. Even if the device is lost, the biometric template stored on it can’t be used because the public key on the server can be deprovisioned. Previous approaches used server-side authentication that stored credentials on servers behind the financial institution firewalls, creating an attractive repository for hackers.
With ATM card skimming schemes becoming increasingly common, banks are looking for less vulnerable ways to authenticate users and mitigate security risks. Banks are also constantly looking for ways to add new services and gain a competitive advantage. FIDO-based enterprise-level biometric authentication differentiates the banks that employ it by making the user login process easier, more convenient, and more secure.
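The risk-tiered policy and server-side key deprovisioning described under Greater Security and Risk Management can be modelled in a few functions. This is an added example, not code from Samsung SDS or the FIDO specifications: it is a simplified model rather than the FIDO wire protocol, and the Ed25519 keys, transaction names, device ID and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed policy mirroring the article: the riskier transaction needs more modalities.
var policy = map[string][]string{"view_balance": {"fingerprint"}, "transfer_funds": {"fingerprint", "voice"}}

// Server holds public keys and pending one-time challenges only; no biometrics, no private keys.
type Server struct {
	keys map[string]ed25519.PublicKey // device ID -> registered public key
	open map[string]string            // device ID -> pending challenge "tx|nonce"
}
func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}, open: map[string]string{}} }
func (s *Server) Register(dev string, pub ed25519.PublicKey) { s.keys[dev] = pub }
func (s *Server) Deprovision(dev string) { delete(s.keys, dev) } // lost phone: drop its public key

// Challenge binds a fresh random nonce to the staged transaction type.
func (s *Server) Challenge(dev, tx string) string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.open[dev] = fmt.Sprintf("%s|%x", tx, nonce)
	return s.open[dev]
}
// Sign runs on the device after a local biometric match: it signs the challenge plus modalities used.
func Sign(k ed25519.PrivateKey, c string, used []string) []byte { return ed25519.Sign(k, []byte(c+"|"+strings.Join(used, ","))) }
// Verify fails closed on a spent challenge, an unknown device, an unmet policy or a bad signature.
func (s *Server) Verify(dev string, used []string, sig []byte) bool {
	c, pending := s.open[dev]
	delete(s.open, dev) // each challenge is single-use, so a captured response cannot be replayed
	pub, registered := s.keys[dev]
	required, ok := policy[strings.SplitN(c, "|", 2)[0]]
	for _, m := range required {
		ok = ok && strings.Contains(","+strings.Join(used, ",")+",", ","+m+",")
	}
	return pending && registered && ok && ed25519.Verify(pub, []byte(c+"|"+strings.Join(used, ",")), sig)
}

func main() { // constructed run: a transfer attempted with a fingerprint only is refused
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s, used := NewServer(), []string{"fingerprint"}
	s.Register("phone-1", pub)
	fmt.Println(s.Verify("phone-1", used, Sign(priv, s.Challenge("phone-1", "transfer_funds"), used)))
}
```

Because the server stores only public keys, a breach of its key store yields nothing that can sign a challenge, and removing one entry is enough to retire a lost device.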
Shankar Saibabu is the lead Solutions Architect and FIDO Standard Specialist for the Financial Services Team at Samsung SDS America. Shankar has experience with software solutions and services in regulated industries, including the healthcare industry.