Card-based fraud continues to cost South African financial service providers millions of rands, due to card and PIN theft at ATMs, fraudulent online purchasing and basic identity misrepresentation with stolen cards at retailers.
As security becomes an ever-more critical business need, organisations have generally come to accept the necessity of utilising biometric data for this purpose. While far more secure than PIN numbers and passwords, which are all too often forgotten or compromised through sharing or written reminders, biometric data nonetheless has its own potential points of failure. Most notably, the need to send such data to an external server for verification opens the possibility that the data could be corrupted while in transition.
However, Bytes Technology Group (BTG) offers a biometric customer identity verification solution called Match-on-Card, which obviates the need to send the data to an external server. Instead, the Match-on-Card solution involves matching and storing a fingerprint biometric directly on a smart card, making this an even more secure form of fingerprint authentication.
“Obviously, it does mean that the smart card used requires a greater processing power and memory in order to run the algorithm to match the data, and to store the biometric. But this is more than made up for by the fact that the card makes the decision, rather than having to rely on a third party to confirm a match,” says Dave Crawshay-Hall, CTO of Brand New Technologies (BNTech), which was recently acquired by BTG.
“The trouble with standard biometric smart cards is that if a match is done on the PC and then a command is sent to the card to instruct it perform a particular action, there is no way for the card to know that the fingerprint was actually matched. With Match-on-Card, the smart card physically does the match itself, thereby allowing it to decide internally what action to process, such as allowing access to private data.”
The technology allows access to the digital certificates on the card that can then be used for Windows logon, digital signing, file and volume encryption, secure VPN access and other PKI applications, continues Crawshay-Hall.
He adds that the matching of fingerprints involves two stages, namely ‘feature extraction’ and ‘matching’. Feature extraction, he says, requires a lot of computing power, so this is still done on the PC, with only the actual matching taking place on the card. Despite this, he points out, for the card to accurately perform the match in an acceptable time frame, it still has to have a powerful processor with enough RAM.
“A critical element of a Match-on-Card solution is clearly high quality enrolment of the fingerprint itself, which is used to enrol fingerprints and create fingerprint templates which are stored in the smart card, and possibly elsewhere for back up.”
“For this reason, BTG offers a complete end-to-end solution that includes the card, MOC card applet, customised card applet, fingerprint algorithms and fingerprint scanners. While the algorithms, fingerprint scanners and cards are supplied by third party vendors, Bytes provides the consultation, integration, implementation and support,” he says.
Nick Perkins, divisional director, identity management solutions at Bytes Systems Integration points out that by using a Match-on-Card solution, organisations are able to establish the physical presence of the cardholder using two factor authentication, namely fingerprint and smart card. “This can be increased to three factor authentication by adding a PIN.”
Perkins indicates that this technology can be used for a multitude of private sector security issues, from simple customer identity verification before performing a transaction, to internally within an organisation to manage a business solution or ERP login and transaction approval control. It can also be used in retail point of sale terminals, he states, through integration where cashiers can login biometrically to till points and supervisors can approve voids/credits biometrically. This, in turn, eliminates password abuse and provides clear auditability of transactions.
“Moreover, the Match-on-Card solution is the end result of what should become a far more detailed customer take-on process. Organisations can leverage technologies provided by BTG to ensure an accurate and verified documentation and identity collation before issuing the card in the first place. This effectively introduces a two factor verification process for the financial services provider, ensuring that the person sitting in front of them applying for some form of finance is actually the person represented through the documents that they are presenting.”
“Furthermore, re-verification takes place at each transaction point by re-confirming the identity of the card holder before commencing with the transaction, ultimately putting processes in place which we expect will massively reduce card based fraud,” Perkins concludes.