Fujitsu: The future of biometrics – Dr Joseph Reger
The future of biometric card security could already be in the palm of your hand - literally. Dr Joseph Reger, chief technology officer at Fujitsu, talks about the applications of the firm's palm-vein scanner and how it could help banks to reduce card-skimming losses.
Future Banking: Fujitsu is addressing the financial market with PalmSecure, a palm-vein scanner for biometric authentication. What are the major benefits of this technology in comparison with other biometric concepts?
Dr Joseph Reger: PalmSecure is a traceless biometric sensor technology. Instead of relying on images of attributes such as fingerprints, iris scans and facial recognition, it uses the palm-vein pattern hidden within the body. This natural protection provides higher security against fraud - it is an important privacy feature for many institutions worldwide.
The detailed biometric information in palm-vein patterns delivers high levels of operational accuracy. The number of false positives is one of the best compared with other biometric technologies.
Which applications is Fujitsu targeting within the financial market?
Banks have started to adopt PalmSecure applications as an additional authentication mechanism for customers withdrawing money at ATMs. ATM skimming and card fraud is a huge problem around the world, generating significant additional costs for banks and their insurance companies. Combining credit and debit card pin numbers with the security of a biometric feature can drastically reduce these costs.
Using PalmSecure technology in ATMs means that banks must make a significant financial outlay. Where do you see the return on investment?
The cost of integrating a PalmSecure solution into an ATM device is at most a twentieth of the unit cost. In many countries, banks take out insurance for debit cards to protect themselves and their customers from losses due to skimming. In a simplified model where the bank has issued five million debit cards and the insurance fee for each is €1, it will spend €5 million annually just to protect against losses due to skimming.
Were the same bank to equip a 1,000-strong network of ATMs with PalmSecure technology, the cost could be approximately €1 million. However, this investment could quickly be recovered through lower insurance fees - thanks to the lower risks that stem from using biometrics - and can rapidly deliver a return on investment.
How can registered bank customers administrate biometric templates?
There are three ways to manage biometric user templates: banks can store them centrally in a database; they can store them inside individual credit and debit cards via an onboard chip; or they can store them together with a matching algorithm on debit and credit card chips.
At present, the database method is not accepted in many countries due to privacy issues. The second method allows banks to authenticate against actual debit and credit cards in many cases, which requires between 1KB and 2KB of space on a card's chip. However, matching is still done inside the ATM itself.
It is likely that most banks will prefer the third method, as once the template is stored inside the debit and credit card chip, matching can also be done within. However, this method requires 10KB to 12KB of space on the card's chip, which means that new cards would need to be issued in many cases. Fujitsu is committed to working on ways to reduce the amount of space required for on-card matching.
How does Fujitsu ensure the security of its PalmSecure technology?
Fujitsu is dedicated to enhancing the security, accuracy and usability of its technology through continuing development. This is carried out in the company's own laboratories, as well as in cooperation with international standardisation committees and international R&D companies.
Fujitsu adheres to legislative requirements and takes into account the views of privacy bodies striving to make biometric technology applicable to all users. This includes the BSI, the German Federal Authority for IT Security, which has the authority to perform security certifications based on international standards such as those of the ISO. PalmSecure technology has been
BSI-certified to ensure that liveness detection works properly and that it prohibits intrusion into the sensor's interfaces.
How many people are already using Fujitsu's PalmSecure technology?
Approximately 11 million people use PalmSecure every day. Six million use it at ATMs to withdraw money, while four million use it to identify themselves in the medical healthcare sector. We estimate that the remaining one million people are using PalmSecure to gain access to restricted buildings and rooms, and to log into enterprise networks instead of using passwords.
What near-future applications do you see for PalmSecure in the financial market?
Fujitsu anticipates growing demand for log-in and single sign-on applications in combination with thin clients, providing bank employees with secure remote access to company servers. In addition, Fujitsu is working on solutions that will allow PalmSecure to be used in secure online banking, instead of chip and pin or a mobile transaction authorisation number.