Saturday, March 20, 2010

Biometrics becoming the norm for Aussie banking (SC Magazine Australia/NZ)

Log into online banking at the blink of an eye.
Australian banks are taking a closer look at biometric authentication as a means of reducing fraud, thanks to an improved business case, increased consumer concerns about personal data and some impressive breakthroughs in technology.
In June, National Australia Bank became the first Australian bank to roll out a biometric-based solution for customer authentication, implementing a voice-based system for telephone banking customers.
Tim Cullen, head of direct channels with NAB, said the voice authentication has "far exceeded expectations."
"Nine out of ten customers when offered it are taking up the service," he said.
Cullen said the bank initially experienced some technical problems with the biometric-based technology when attempting to enrol users, but eventually managed to iron these issues out. The bank is now hoping to expand the option to mobile phone banking users, he said.
"Expanding voice biometrics into mobile Internet banking just seemed a logical extension from a usability perspective," he said.
Cullen said he would also consider deploying the solution to an online payments environment in a bid to help reduce card-not-present fraud.
As banks around the world gradually deploy chip-based cards with PIN authentication, Cullen points out fraud is simply shifting to card-not-present environments.
"For us it's about real-time monitoring of card-not-present transactions...but we certainly could move to voice and outbound (calls) for certain transaction types."
Beyond voice
Voice is just one of many biometric identifiers that can be used for the purposes of identification and authentication. In the US, biometric security specialist Global Rainmakers has been targeting banks with its HBOX iris scanning system.
Iris scanning is different to retina scanning, which requires the emission of light and close contact between the scanner and user.
Former Bank of America executive Jeff Carter now sits on the board of Global Rainmakers and says by the first quarter of 2010 the company will have the technology deployed in a mobile phone to allow remote authentication.
"It will go into a phone that has a high enough resolution to complete the registration," he said.
Fraud remains a major driver for banks considering the use of biometric-based authentication.
Customers have high expectations of the way banks manage their data, said Cullen. "I think while banks are very protective over data, some other organisations aren't. So having a biometric protecting your identity provides added peace of mind."
"One of the questions we ask is what inconvenience are customers willing to accept for peace of mind, and I think tolerance in today's world is reasonably high, especially in terms of online banking," said Cullen.
In this case, however, Cullen said the successful acceptance of voice biometrics has largely been a result of its ease of use.
"There's probably not a lot of new technologies out there that create a safer experience that are easier to use or create a better customer experience."

Thursday, March 11, 2010

A National ID card in 2010?



A new attempt at immigration reform may require a biometric ID card for all working Americans. Privacy advocates aren't pleased.



National identification cards, long feared by privacy advocates, may soon become mandatory for American workers. In a bipartisan effort to curb the hiring of illegal immigrants, Sens. Charles Schumer (D-NY) and Lindsey Graham (R-SC) have proposed legislation that, if passed, will require all working Americans to carry biometric ID cards containing fingerprint records and other personal information. Sen. Schumer calls the measure "the nub of solving the immigration dilemma." But Chris Calabrese, an American Civil Liberties Union lawyer, warns the cards would be a "massive invasion" of privacy. Are national ID cards the solution to our immigration woes — or an unacceptable intrusion into our lives?

This is an affront to our freedom as Americans: Not only would this "ghastly" plan be a frightening invasion of privacy, says Alex Nowrasteh in Fox News, it "would treat every American like a criminal by requiring them to enter their most intimate and personal data into a government database." This is a "naked government power grab," and it must be stopped.
"5 reasons why America should steer clear of a national ID card"

The privacy concerns make no sense: If we're ever going to improve our national security, the "infuriatingly nonsensical" hand-wringing over privacy needs to end, says Don Tennant in IT Business Edge. Many non-criminals, including members of the armed forces and "most public servants," are already fingerprinted, and their liberty remains intact. And having to show "a national ID with your biometric information" at the airport is no more "loathsome" than showing a driver's license.
"National ID cards: Pointless privacy argument is getting old"

Issuing every American an ID card would be wasteful: Instituting the national ID cards now, says Megan Carpentier in Washington Examiner, would add "hundreds of millions of dollars" to the federal debt, and impose painful costs on employers. All that just to keep "less than 4 percent of the total population of the United States from accessing the job market. Apparently, cost-benefit analyses aren’t the rage on Capitol Hill these days."
"The government would like to see your papers, please"

It won't pass, anyway: Privacy advocates aren't the only ones who don't want this bill to pass, says Jack Cafferty in CNN. The aim of worker ID cards is to make it harder for employers to hire illegal immigrants. "If you think the corporations that make huge profits on the backs of an illegal alien workforce are going to let something like that get through, think again."
"Are worker ID cards a good idea?"

Saturday, March 6, 2010

Howard Schmidt Dismisses Cyberwar Fears


White House Cybersecurity Coordinator Howard Schmidt isn't buying into the grim forecasts that the United States is ill prepared to defend the government's and nation's critical information assets from an immense virtual attack by political adversaries or cyber criminals. 

Schmidt, in a face-to-face interview with GovInfoSecurity.com, said the federal government and the private businesses that control 85 percent of the nation's critical IT infrastructure are better positioned than ever to fend off massive digital assaults.

The Obama administration's top cybersecurity official was responding to questions about two things: recent comments by former National Intelligence Director Michael McConnell that the United States would lose a cyberwar, and Cyber ShockWave, a simulated cyber attack aired last month on CNN that disrupts smart phone service to 20 million customers, shutters an electronic energy trading platform and cripples the power grid along the Eastern seaboard.

"How would we fare in some sort of a massive cyber intrusion and attack like that? I think we're much better prepared now than we were in the past," Schmidt said in the interview held during the RSA 2010 IT security conference in San Francisco.

IT security professionals protecting key systems know of the existence of the vulnerabilities and are taking steps to mitigate them to lessen their impact, he said.

BioVault: biometrically based encryption


Article Abstract

Title: BioVault: biometrically based encryption

Author: B.L. Tait, S.H. Von Solms

Address: University of Johannesburg, Kingsway Avenue, Auckland Park 2006, Gauteng, South Africa

Journal: International Journal of Electronic Security and Digital Forensics, 2009, Vol. 2, No. 3, pp. 269-279

Abstract: Biometric-based token authentication is an asymmetric (von Solms and Tait, 2005) authentication technology. This means that the reference token generated during the enrolment process and stored in the biometric database, will never match any freshly offered biometric token exactly (100%). This is commonly accepted due to the nature of the biometric algorithm (Wayman et al., 2004) central to the biometric environment. A password or pin on the other hand, is a symmetric authentication mechanism. This means that an exact match is expected, and if the offered password deviates ever so slightly from the password stored in the password database file, authenticity is rejected. Encryption technologies rely on symmetric authentication to function, as the password or pin is often used as the seed for a random number that will assist in the generation of the cipher. If the password used to encrypt the cipher is not 100% the same as the password supplied to decrypt, the cipher will not unlock. The asymmetric nature of biometrics traditionally renders biometric tokens unfit to be used as the secret key for an encryption algorithm. This article introduces a system that allows biometric tokens to be used as the secret key in an encryption algorithm. This method relies on the BioVault infrastructure. For this reason, BioVault will briefly be discussed, followed by a discussion of biometrically based encryption.
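
The mismatch the abstract describes, as an added example that is not from the paper and does not show BioVault's own method: a threshold matcher accepts a fresh sample that differs by one bit, while a key derived from that same sample fails to unlock data sealed under the reference. The template bytes, salt, threshold and the toy encrypt-then-MAC construction are all assumptions made for illustration.

```python
import hashlib
import hmac


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def biometric_match(reference: bytes, fresh: bytes, max_bits: int = 8) -> bool:
    """Threshold ("asymmetric") matching: close enough counts as the same person."""
    return len(reference) == len(fresh) and hamming_bits(reference, fresh) <= max_bits


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """Exact-match ("symmetric") use: the secret seeds the key, as a password would."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher for the demonstration only, not for production use."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(key: bytes, plaintext: bytes):
    """Encrypt, then attach an HMAC tag so a wrong key is detected on unseal."""
    ciphertext = xor_stream(key, plaintext)
    return ciphertext, hmac.new(key, ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, ciphertext: bytes, tag: bytes):
    """Return the plaintext, or None when the key does not match exactly."""
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_stream(key, ciphertext)


# Constructed sample values: a 32-byte "template" and a fresh reading with one bit flipped.
SALT = b"constructed-salt"
REFERENCE = bytes(range(32))
FRESH = bytes([REFERENCE[0] ^ 0x01]) + REFERENCE[1:]


def demo():
    sealed = seal(derive_key(REFERENCE, SALT), b"account data")
    return {
        "matcher_accepts": biometric_match(REFERENCE, FRESH),
        "fresh_unlocks": unseal(derive_key(FRESH, SALT), *sealed) is not None,
        "reference_unlocks": unseal(derive_key(REFERENCE, SALT), *sealed),
    }


if __name__ == "__main__":
    print(demo())
```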






Saturday, February 13, 2010

New Javelin Study: ID Fraud Hits Record Highs


The number of identity fraud victims increased 12 percent to 11.1 million people in 2009 -- the second consecutive annual increase. At the same time, the total amount of fraud also increased by 12.5 percent to $54 billion. These are the headlines of the newly-released 2010 Identity Fraud Study by Javelin Strategy & Research. 

"As the economy gets more challenging and more and more people are out of work, there is more identity fraud," says James Van Dyke, president and founder of Javelin. "[Fraud] is at the highest rate since Javelin began this report in 2003." The good news, Van Dyke says, is "Consumers are getting more aggressive in monitoring, detecting and preventing fraud with the help of technology and partnerships with financial institutions, government agencies and resolution services."

Fighting Back

Van Dyke says other findings in the report reinforce the trend that fraudsters are becoming increasingly technology-savvy and are using personal information stolen in data breaches to open new accounts or to make changes to existing non-card accounts. 

Organizations are fighting back by eliminating the use of Social Security numbers in account information, as well as more proactively monitoring and notifying customers of possible fraudulent activity. Consumers also are monitoring their accounts more frequently, using technologies such as the internet and mobile alerts. 

Despite the number of victims going up, the average amount taken in each fraud incident has gone down, as has the average amount of time it takes for the fraud to be resolved.

Saturday, January 30, 2010

Identifying ID Theft and Fraud



ScienceDaily (Oct. 19, 2009) — If the wife of FBI boss Robert Mueller has warned him not to use internet banking because of the threat of online fraud, then what hope is there for the average Joe?

The results of research published in a forthcoming issue of the International Journal of Business Governance and Ethics suggest that more of us are no longer entrusting our finances to virtual accounts.

According to Susan Sproule and Norm Archer of McMaster University, Ontario, Canada, identity theft and fraud are an increasing concern to consumers who interact with online businesses routinely.

Phishing for logins is not the only problem. Credit card skimming, insider theft, counterfeiting of digital information, and ID "trafficking" are also on the increase. All of these types of fraud are costly for the individuals involved both financially and often in terms of the time needed to clear their name when illegal use has been made of their personal details.

The Canadian team has now created a model of how consumer identity theft and fraud occur and in parallel report on a recent survey of Canadian consumers. In assessing fraud concerning credit cards, existing bank accounts, new accounts, and other frauds, they find that one in five people have stopped or reduced the amount of shopping that they do online while almost one in ten are no longer carrying out banking online, or have reduced the amount of online banking that they do because of fraud worries.

"These findings are of concern to business and government," Sproule says, "since, if consumers stop doing business online, the productivity benefits of e-business will not be realized." Until recently there was little information on the problem of identity theft in Canada, in particular, and there were no coordinated efforts within the academic community to examine the problem. She adds, "It was believed that, if unchecked, the problems around identity theft and fraud could have a significant effect on e-commerce."

Fortunately, since 2005, Sproule and her colleagues have been involved in a multidisciplinary program that has brought together researchers from four universities and subject matter experts from the financial and telecommunications sector. Their research is allowing them to define the processes involved in identity theft and to measure its reach.

The team's model of cyber crimes has now defined ID theft and fraud as two distinct but related problems, which could not only help legislators to develop new laws and law enforcers in the pursuit of criminals, but also help educate an unwary public as to how their personal data might be misappropriated and used fraudulently.

Online Auction Fraud: Data Mining Software Fingers Both Perpetrators And Accomplices



ScienceDaily (Dec. 5, 2006) — Computer scientists at Carnegie Mellon University are using data mining techniques to identify perpetrators of fraud among online auction users as well as their otherwise unknown accomplices.

The new method analyzes publicly available histories of transactions posted by online auction sites such as eBay and identifies suspicious online behaviors and dubious associations among users. 

Online auction sites are immensely popular. The largest, eBay, reported third quarter revenues of $1.449 billion, up 31 percent from the previous year, and registered 212 million users, up 26 percent. But the popularity of online auction sites also makes them a target for crooks. Internet auction fraud, such as failure to deliver goods after a sale, accounted for almost two-thirds of the 97,000 complaints referred to law enforcement agencies last year by the federal Internet Crime Complaint Center.

Perpetrators of these frauds have distinctive online behaviors that cause them to be readily purged from an online auction site, said Computer Science Professor Christos Faloutsos. The software developed by his research team -- Network Detection via Propagation of Beliefs, or NetProbe -- could prevent future frauds by identifying their accomplices, who can lurk on a site indefinitely and enable new generations of fraudsters.

In a test analysis of about one million transactions between almost 66,000 eBay users, NetProbe correctly detected 10 previously identified perpetrators, as well as more than a dozen probable fraudsters and several dozen apparent accomplices.

"To the best of our knowledge, this is the first work that uses a systematic approach to analyze and detect electronic auction frauds," said Faloutsos, who noted that NetProbe could eventually be useful for both law enforcement and security personnel of online sites.

The researchers have already adapted the software to provide a trustworthiness score for individual user IDs. Though not yet available to the public, the NetProbe score would complement user reputation scores that many auction sites already provide to help prevent fraud.

"We want to help people detect potential fraud before the fraud occurs," said research associate Duen Horng "Polo" Chau, who developed NetProbe with Faloutsos, undergraduate student Samuel Wang and graduate student Shashank Pandit.

Many auction sites try to avert fraud with so-called reputation systems. In eBay's case, buyers can report whether they had a positive, neutral or negative experience in a transaction, and that report is then translated into a feedback score for that seller.

Unfortunately, a crook can manipulate these feedback scores, obtaining a favorable score by engaging in a number of legitimate sales. But that is costly and time-consuming and, once the fraudster starts cheating buyers, that user identification is quickly red-flagged and shut down.

Perpetrating frauds may be sustainable, however, if a fraudster has accomplices or sets up separate user IDs to serve as accomplices. These accomplice accounts conduct legitimate transactions and maintain good reputations. They also have many transactions with the user IDs of fraudsters, using their good reputations to boost the fraudsters' feedback scores. Because accomplices don't perpetrate frauds, they usually escape notice and can keep working to establish new fraudster accounts, Faloutsos said.

But an unnatural pattern becomes evident when the transactions are plotted as a graph, with each user represented as a node, or dot, and transactions between individual users represented by lines connecting the nodes.
In the resulting graph, transactions between accomplices and fraudsters create a pattern that sticks out like "a guiding light," Chau said. Graph theorists call this pattern a "bipartite core" -- members of one group have lots of transactions with members of a second group, but don't have transactions with members of their own group. One group, the accomplices, also deals with honest eBay users, but most of the transactions are with fraudster groups.
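
The bipartite-core pattern described above can be checked on a small transaction graph. This is an added example, not NetProbe's code: NetProbe propagates beliefs across the graph, whereas this sketch uses a simpler neighbour-ratio heuristic, and the account names, transactions and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real auction records): each pair is one transaction.
TRANSACTIONS = [
    ("acc1", "fraud1"), ("acc1", "fraud2"), ("acc1", "fraud3"),
    ("acc2", "fraud1"), ("acc2", "fraud2"), ("acc2", "fraud3"),
    ("acc1", "new1"), ("acc2", "new1"),      # account whose reputation is being built
    ("acc1", "h1"), ("acc2", "h2"),          # accomplices also trade honestly
    ("h1", "h2"), ("h2", "h3"), ("h1", "h3"), ("h3", "h4"),
    ("h4", "fraud1"),                        # a one-off victim, not an accomplice
]
KNOWN_FRAUDSTERS = {"fraud1", "fraud2", "fraud3"}  # IDs the site has already red-flagged


def build_graph(transactions):
    """Undirected graph: user ID -> set of trading partners."""
    graph = defaultdict(set)
    for a, b in transactions:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def heavy_partners(graph, group, exclude, min_links=2, min_ratio=0.5):
    """Users outside `exclude` whose trades are mostly with members of `group`."""
    found = set()
    for user, partners in graph.items():
        links = partners & group
        if user not in exclude and len(links) >= min_links \
                and len(links) / len(partners) >= min_ratio:
            found.add(user)
    return found


def no_internal_trades(graph, group):
    """Bipartite-core condition: nobody in the group trades with another member."""
    return all(not (graph[u] & group) for u in group)


def analyse(transactions, known_fraudsters):
    """Return (apparent accomplices, probable fraudsters, bipartite core holds?)."""
    graph = build_graph(transactions)
    accomplices = heavy_partners(graph, known_fraudsters, exclude=known_fraudsters)
    # Accounts fed mainly by accomplices but not yet reported: probable fraudsters.
    probable = heavy_partners(graph, accomplices, exclude=known_fraudsters | accomplices)
    fraud_side = known_fraudsters | probable
    is_core = no_internal_trades(graph, accomplices) and no_internal_trades(graph, fraud_side)
    return accomplices, probable, is_core


if __name__ == "__main__":
    print(analyse(TRANSACTIONS, KNOWN_FRAUDSTERS))
```

The one-off victim `h4` stays unflagged because a single purchase from a fraudster does not meet either threshold.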

The researchers tested their method, in part, by accumulating transaction histories from eBay and demonstrating that they could detect the distinctive fraud patterns within these massive data sets. Chau reported on an analysis involving about 100 eBay users at a September data mining conference in Berlin. The team has since analyzed about a million transactions between almost 66,000 eBay users, and those as-yet unpublished findings have been submitted for presentation at an upcoming scientific conference. 

"Crooks are extremely ingenious," Faloutsos warned, so identifying accomplices would not eliminate all online auction fraud. But eliminating accomplices would force crooks to resort to more sophisticated, complex schemes. "These schemes will require more effort and cost, so fraud would be increasingly unprofitable," he added.