Buying online: May we have your fingerprint?
By Anne Chen, PC Week
In any given James Bond movie, 007 will be subject to an iris scan, a hand print scan or voice analysis by technology that secures and verifies his identity. All the cool gadgets, fictional or not, make for great entertainment. For many companies engaging in e-business, however, avant-garde technology that can positively identify individuals would be a lot more than a few laughs. It could be a way to thwart online crime.
Just as shoppers are concerned with the legitimacy of sites, e-businesses are concerned with the legitimacy of their customers. As a result, an increasing number of companies are investing in biometric technology as a way to protect both sides. Companies such as Drug Emporium Inc. (Nasdaq: DEMP); ING Direct Canada, a division of ING Group; and Election.com Inc. have begun testing fingerprint scans, among other things, to verify users' identities when prescribing drugs, accessing bank accounts and voting online.
Biometric technology, which digitally encodes physical attributes of the voice, eye, face or hand and associates the ID with biological attributes stored in a file, is commonly used in organizations such as the FBI to allow clearance into a building, for instance. But today, using the technology to secure online transactions is rare. It can be expensive to outfit every customer with a biometric scanner, and it is difficult to convince consumers to supply something as personal and distinguishing as a fingerprint.
But many companies, especially in the financial and health care industries, will deploy biometrics anyway. That's because user authentication is the weakest link in e-commerce, and biometrics could not only solve that problem, it could eliminate online fraud, say analysts.
"Biometrics is a foolproof, physical way of authenticating who somebody is in a way much better than passwords, which are easily forgotten or stolen," said Bob Geiger, president of info-defense.com Inc., a security consultancy in Ardsley, N.Y.
Technology trend
To meet the expected demand for biometric equipment and applications, Infineon Technologies AG and Veridicom Inc. have announced plans to ramp up production on their finger-scanning chips that can be embedded into a computer keyboard or mouse. And earlier this month, Keyware Technologies Inc. and Proton World International demonstrated at the Smart Card conference in London an e-commerce smart card that can verify its owner through fingerprint verification or iris recognition. The smart card will release credit card and user information to a Web site only after an identification has been made.
With this kind of progress, the corporate biometrics market, now a paltry $67 million a year, is estimated to grow to $670 million by 2004 as the technology becomes cheaper and more reliable, said Samir Nanavati, a partner in the New York consultancy International Biometric Group LLC (see graphic, right). And once companies start deploying the available technology and proving its validity, consumers will likely feel more comfortable using it, experts predict.
One company leading the effort is ING Direct Canada, a division of ING Group in Toronto, which will roll out fingerprint biometric security systems to its customers next month. Jointly developed with SecuGen Corp. and Saflink Corp., the system will identify online banking customers by their fingerprint on a computer mouse. ING Direct Canada will deliver the mice to a select group of its banking customers, giving them the option to secure their transactions over the Internet.
Similarly, Charles Schwab & Co. Inc., in San Francisco, is piloting voice recognition technology that will allow the company to authenticate users of its phone banking option with technology from Nuance Communications Inc. While no plans have been made to add biometric technology to the company's trading Web site, a spokesman for the company said Schwab has not ruled it out as a way to protect its online customers.
Outside the financial industry, biometrics as an e-business authentication tool is being pushed into the limelight by lawmakers. In California and Ohio, state legislators are requiring that physicians who want to prescribe drugs online be authenticated using biometrics.
To meet the demands of new laws, DrugEmporium.com, the e-commerce arm of Drug Emporium, began exploring the use of biometric technologies last February. In November, the company, based in Columbus, Ohio, rolled out various biometric hardware units to 5,000 hospitals and physicians in Ohio. This year, the company will add 5,000 biometric pilot projects in California, said Matthew Erick, director of pharmacy operations at DrugEmporium.com.
"Pharmaceuticals is an extremely private and secure area, and people want to be confident that their information is not going out to never-never land," Erick said. "Biometrics enables us to take security a step further in an efficient and easy-to-use manner."
Using software and services from BioNetrix Systems Corp., in Vienna, Va., the company is testing an application that allows physicians to order prescriptions over the Internet with whatever method of biometric identification the doctor prefers. DrugEmporium.com is footing the bill for all of the doctors' equipment and sending BioNetrix consultants on-site to each physician's location to install the hardware and conduct the initial biometric scan. Then, BioNetrix's Authentication Suite will manage all authentication processes, including passwords, tokens, fingerprints, retinal scans and voice recognition, from one console through its Authentication Management Infrastructure. All data is encrypted with 40-bit and higher Secure Sockets Layer encryption.
"The system allows us to identify that the prescription was received by a licensed pharmacy and that the doctor is who he says he is," Erick said.
Depending on the success of the pilots, Erick said, by June, DrugEmporium.com might enable its Web site to accept biometric authentication from all shoppers, not just physicians and pharmacists. The company will vary the level of authentication required, depending on what types of purchases shoppers are making.
Invasion of privacy
Getting customers involved is a step in the right direction. For organizations to achieve their dual goals of using biometrics to increase security while minimizing user inconvenience, they will have to overcome customers' fear of privacy invasion.
"One factor restraining the growth of biometrics is the public's view of biometrics as intrusive. If you have trust issues with a business, you can change your password or make up a user name. You can't change your fingerprint," said Nanavati of IBG.
To help people become familiar with the technology, Joe Mohen, CEO at Election.com, in Garden City, N.Y., offers hand and fingerprint identification as options for authenticating voters in online elections. Unfortunately, no organization has yet opted to use the technology in its online elections because many think it would make their voters uncomfortable.
"We see opportunity in biometrics but, for now, only in certain situations," Mohen said.
Mohen, whose company will conduct the Arizona state Democratic party primary online, said he sees the usefulness of installing biometric hardware at physical polling places to identify voters. But when it comes to using the technology for at-home online voting, he said a high level of consumer acceptance will need to be achieved first. And more corporations will have to get on board with the technology to pave the way.
However, many companies are not ready to take on the task because it could strain the IT department. At Equifax Secure, a division of Equifax Inc. (NYSE: EFX), General Manager Jeff Johnson physically secures his data centers with biometric palm readers. But when it comes to authenticating e-commerce users, Johnson said Equifax is not interested in building and securing databases full of fingerprints.
"We believe that for certain applications biometrics does make a lot of sense," said Johnson, in Atlanta; for example, "as a way to release a digital certificate that will grant access to private information like credit reports."
Digital certificates are manageable, but having to control the biometric authentication from the corporate side is a huge undertaking. So, for now, Equifax has no plans to begin collecting the fingerprints of the millions of consumers it compiles data on, Johnson said. Still, when it comes to James Bond-type technologies, he admitted, "Never say never."
------------------------------------------------------------------------
Unmasking electronic visitors
Which biometric security technology is right for your application? IT managers evaluating biometric security measures should consider their organization's needs and how users will react to the technology. Analysts recommend testing the systems under realistic conditions before committing to particular hardware. Here are some of the options:
Fingerprint or palm print
How it works: Finger scan technology is based on the fact that fingerprints have unique characteristics. Verification systems capture the flat image of a finger and perform one-to-one verification.
Client hardware needed: Scanner
Hand and finger geometry
How it works: The system takes a picture of the hand and examines 90 characteristics, including the three-dimensional shape of the hand, length and width of fingers, and shape of knuckles.
Client hardware needed: Reader hardware
Voice recognition
How it works: The user states a given pass phrase and the system creates a template based on characteristics including cadence, pitch, tone, and shape of larynx. Background noises and voice changes can affect accuracy.
Client hardware needed: PC microphone or telephone handset
Iris and retina recognition
How it works: A camera captures an image of the eye's iris. Accuracy is high since every individual has unique iris patterns.
Client hardware needed: Camera
Dynamic signature verification
How it works: The user signs his/her signature on a digitized graphics tablet. Signature dynamics, such as speed, relative speed, stroke order, stroke count and pressure, are analyzed. The system compares what the signature looks like with how it is signed.
Client hardware needed: Pad and stylus
Face recognition
How it works: A camera is used to acquire an image of a face from a few feet away. The system then analyzes the geometry of the face, such as the distance between the eyes and the nose.