By Telis Demos
In 2015, Citigroup Inc. began testing an ATM that would scan a
customer's iris and make four-digit access codes obsolete. Two
years on, Citi has quietly shelved the project.
Among the reasons: the cost and complexity of collecting and
managing millions of customers' biometric data. A large database of
biometric data is also particularly juicy target for hackers.
"If I steal your password, you make a new password," said George
Avetisov, chief executive of HYPR Corp., a banking-technology
startup. "But how do you make a new fingerprint?"
Perhaps as a response to that issue, banks are taking a
different tack on collecting biometric data. They aim to use the
information to replace personal-identification numbers and
passwords, but are relying on customers to store and safeguard it
themselves -- via their own smartphones.
Over the past year, lenders such as Wells Fargo & Co., J.P.
Morgan Chase & Co. and Bank of America Corp. have started to
roll out new ATMs that can link to customers' mobile devices.
Customers will sign in through their phones, potentially using a
fingerprint, and then transmit a code to the ATM.
Though this adds a step to the identification process, customers
are nonetheless eager to ditch the numerous PINs and passwords
needed for transactions. Mobile phones are also one device on which
biometrics has worked, as about two billion units globally can use
fingerprints, pictures of eyes and faces, and voice recognition,
according to HYPR. Those tools are already widely used for signing
in to mobile-banking applications.
Citigroup's apps, for example, use voice, face and fingerprint
recognition, although the bank has yet to roll out cardless ATMs.
As for the iris-reading ATMs, Citigroup has "reasons ranging from
logistical to operational" for not pursuing them at this time, a
spokesman said.
Other banks have shared similar difficulties with how to
approach biometric data. A survey by the U.K.'s University of
Oxford and Mastercard Inc. published in June found that while nine
out of 10 bankers wanted to take advantage of biometrics, only
about a third reported a good experience so far using the
technology.
An added complication is that, unlike some other countries, the
U.S. doesn't have national identification databases. In countries
such as Chile, which does have such a database, banks could tap
into it to enable customers to sign into an ATM with a fingerprint.
So, banks in the U.S. are on their own to figure out how to record
and store customers' biometric markers. That process adds extra
steps, complexity and cost.
Meanwhile, the need for next-generation ATMs is urgent. For one,
card fraud is rising despite new security measures such as
chip-enabled cards. Fair Isaac Corp., a credit-data provider, has
said it detected a 70% uptick in compromised cards being used at
ATMs and merchants in 2016.
Though ATMs -- introduced 50 years ago -- might seem quaint in
the mobile age, their usage remains strong, and banks are still
investing in them. Last year, J.P. Morgan, for example, increased
the number of ATMs it owns by 4%, even as it closed 3% of its
branches. In January, Citigroup nearly doubled the size of its ATM
network with a deal to add 30,000 locations at retailers.
In their quest to use smartphones for biometrics, banks are
relying on processes that are already well established. A customer
using a phone at an ATM would authenticate her identify, using,
say, a fingerprint as is the case with Apple Inc.'s iPhone and
Apple Pay.
The phone would then create an individual digital token and
transmit that to the ATM. That would validate the transaction
without revealing any underlying biometric data to the bank.
That means banks wouldn't have to protect treasure troves of
genetic templates from hackers. This is because the biometric data
would be stored on individual devices, not in a central
location.
"With tokens, there's no use in attacking the bank server," said
HYPR's Mr. Avetisov. Such digital tokens are already widely used in
mobile-payment applications and they are also generated by the
chips now embedded in most credit cards.
That approach does shift more of the security burden to the
user. People must protect their phone from being imitated or
hacked, and will have to be conscious of their phone's security
measures. "Think of your phone as becoming like your house keys,"
Mr. Avetisov said. "But hackers want the biggest payoff and
attacking one person is a more difficult and low-profit
attack."
David Kuchenski, director of business development for design and
new technology at Diebold Nixdorf Inc., which built the eye-reading
ATM that Citigroup tested in 2015, said those units were a few
years ahead of their time.
"People have gotten so used to biometrics on their phones," he
said. "So banks are reutilizing what they learned about biometrics
through mobile."
Last year, Wells Fargo was touting the potential for ATMs with
biometric readers built into them in its annual investor
presentation, among other biometric capabilities. This year, the
same presentation featured biometric authentication on a mobile
device. A spokeswoman said Wells Fargo has "no current plans" to
implement biometrics at its ATMs.
Later this year and in 2018 Wells Fargo will enable customers to
tap their phones at ATMs using apps such as Apple Pay and Android
Pay, from Alphabet Inc.'s Google, which use a fingerprint for
access.
But smartphones may pose a different risk for banks, by
empowering tech companies to compete more directly with them, said
Lex Sokolin, head of fintech strategy at Autonomous Research.
Apple, for example, recently launched a mobile peer-to-peer
money-transfer service that competes with banks' apps.
"If Apple and Google continue to gain share in the physical
world, they will control authentication," Mr. Sokolin said.
--Emily Glazer contributed to this article.
Write to Telis Demos at telis.demos@wsj.com
(END) Dow Jones Newswires
July 09, 2017 07:14 ET (11:14 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.
Wells Fargo (NYSE:WFC)
Historical Stock Chart
From Apr 2024 to May 2024
Wells Fargo (NYSE:WFC)
Historical Stock Chart
From May 2023 to May 2024