Biometric Technology can protect against ATM-related cybercrimes - Dr. M. Mahbub Hasan


ATM frauds were committed on a massive scale in Bangladesh in 2016, since online banking came into operation. In the aftermath, a massive $8 million cyber heist from Bangladesh Bank occurred; it is the biggest cybercrime not only in Bangladesh but also in world history. Thereafter we have frequently found news of ATM frauds. Most of the offenders steal huge amounts of money by cloning cards. After the ATM fraud was committed in 2016, Bangladesh Bank (BB) issued a circular dated 15th February 2016 (The Daily Star, 16th February 2016) making it compulsory for all banks to install anti-skimming and PIN shield devices at all new ATM booths. It also directed that all old ATM booths be equipped with these devices within a month. It further directed that all banks should examine video footage of their booths every day, send reports to it on a monthly basis, and train all security guards working in the booths (The Daily Star, 16th February 2016). If all banks implement BB's directions and install the new devices, this may protect against the present kind of cybercrime, but it will not protect against data theft, hacking and card cloning. This system only gives protection against ATM skimming fraud; it does not protect other online transactions, where the nature and style of the cybercrimes are entirely different from ATM fraud. It is now a burning issue to use a smart solution that prevents all kinds of cybercrime and is also user-friendly for customers and secure. Considering all these elements, ‘biometrics technology’ is the smart solution, and many developed countries use it.
Types of ATM-related crimes:
There are three types of ATM-related cyber offences: (1) Card and currency fraud, which involves both direct attacks to steal cash from the ATM and indirect attacks to steal a consumer’s identity (in the form of consumer card data and PIN theft). The intent of indirect attacks is to fraudulently use the consumer data to create counterfeit cards and obtain money from the consumers’ accounts through fraudulent redemption. It can happen in different ways, such as ATM card skimming, which was committed recently in Bangladesh. Card skimmers are devices used by perpetrators to capture cardholder data from the magnetic stripe on the back of an ATM card. These sophisticated devices, smaller than a deck of cards and resembling a hand-held credit card scanner, are often installed inside or over the top of an ATM’s factory-installed card reader. When a consumer inserts his card into the card reader, the skimmer captures the card information before it passes into the ATM card reader to initiate the transaction. When removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used the ATM. An inexpensive, commercially available skimmer can capture and retain account numbers and PINs for more than 200 ATM cards. Three kinds of card skimming attack can occur: external card skimming, internal card skimming, and vestibule card skimming. A related type of attack is card trapping / fishing, an attempt to steal consumers’ cards as they are inserted into the card reader during a transaction so that they can be used later; (2) logical attacks, which target the ATM’s software, operating system and communication system, such as malware and hacking; and (3) physical attacks, which physically damage the components of the ATM in an attempt to obtain cash (White Paper, DIEBOLD 2011).
How can better protection from cybercrimes be achieved?
For better protection of customers in the modern world, many banks, such as HSBC, have started using the latest technology, named “Biometrics Security”; in Japan, about 15 million customers have been using this technology. This technology is familiar in Bangladesh, where it is used in the National Identity card system and is now used for mobile phone SIM registration. HSBC’s is the largest implementation of biometric security in the UK. It supports the use of fingerprint recognition systems for identity verification. Another British bank, the RBC, has also been using fingerprint authentication for its customers since last year. Another European bank, Tatra Bank in Slovakia, has been using “voice recognition technology” for its online banking customers since 2013. Angela Sasse, Director of the UK Research Institute in Science of Cyber Security, said that biometrics is a secure replacement for passwords. She said that consumers show signs of being ready to switch to biometrics because of the convenience and extra security (SC Magazine
How does it work?
“Biometrics” is defined by Ratha NK as “..a measurable physiological and behavioural characteristic that can be captured and subsequently compared with another instance at the time of verification” (Generating Cancellable Fingerprint Templates, IEEE Transactions on Pattern Analysis and Machine Intelligence 2007). A verification system authenticates a person’s identity by comparing the captured biometric characteristic with that person’s own biometric templates stored in the system. Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or physical characteristic. Physiological characteristics include the rate and flow of movements, such as the pattern of data entry on a computer keyboard. A basic biometric authentication system consists of five main components (Anil et al. 2008). These are a sensor, a feature extractor, a fingerprint/template database, a matcher and a decision module. (Amtul Fatima et JIBC 2011).
The process of introducing people into a biometrics-based system is called enrolment. In enrolment, samples are converted into a mathematical model or template, and the template is registered in a database on which a software application can perform the analysis. Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate customers. The results of the live scans, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the customer is authenticated and granted access. (Authentication in an Internet Banking Environment FFIEC 2010).
There are two factors in measuring the accuracy of a biometric system: (1) False reject rate (FRR): the rate, usually expressed as a percentage, at which a truly authentic person is rejected during authentication as unidentified or unverified by a biometric system. And (2) false accept rate (FAR): FAR is the opposite of FRR and is also measured as a percentage. It is the rate at which an un-enrolled person or an impostor is accepted as truly authentic by a biometric system. (Amtul Fatima et JIBC 2011). Moreover, another type of biometrics technology, “voice recognition technology”, is used by HSBC and Barclays Bank for telephone banking authorisation in the UK. It is almost the same technology, but here a person’s speech is digitised to produce a ‘voice print’, which is stored and used in the verification process. The extra advantage of this process is that customers do not need to memorise passwords, PINs and card verification numbers, since they are identified through their voice. (SC Magazine
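The trade-off between the two accuracy rates defined above, as an added example that is not part of the original article: a decision module accepts a live scan when its similarity score reaches a threshold, and FRR and FAR are computed over genuine and impostor attempts. The score scale, the sample scores and all function names are assumptions made for illustration.

```python
# Added illustration: FRR and FAR as a function of the matcher threshold.
# All scores are constructed sample data (similarity in [0, 1]); they are
# not measurements from any real biometric system.

# Live scans from enrolled customers compared with their own template.
GENUINE_SCORES = [0.91, 0.88, 0.79, 0.95, 0.62, 0.84, 0.73, 0.97, 0.58, 0.86]
# Live scans from other people compared with a customer's template.
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.08, 0.66, 0.27, 0.52, 0.19, 0.71, 0.30]


def decide(score, threshold):
    """Decision module: accept when the similarity reaches the threshold."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) in percent for one threshold."""
    false_rejects = sum(1 for s in genuine if not decide(s, threshold))
    false_accepts = sum(1 for s in impostor if decide(s, threshold))
    frr = 100.0 * false_rejects / len(genuine)
    far = 100.0 * false_accepts / len(impostor)
    return frr, far


def sweep(genuine, impostor, thresholds):
    """Return one (threshold, FRR, FAR) row per candidate threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def closest_to_equal_error(rows):
    """Pick the row where FRR and FAR are closest (the equal error point)."""
    return min(rows, key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    rows = sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.65, 0.7, 0.8])
    for threshold, frr, far in rows:
        print(f"threshold={threshold:.2f}  FRR={frr:5.1f}%  FAR={far:5.1f}%")
    print("equal error point:", closest_to_equal_error(rows))
```

Raising the threshold lowers FAR (fewer impostors accepted) but raises FRR (more genuine customers turned away), so the two rates cannot be minimised independently.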
Disadvantages and advantages of Biometrics Security
The main argument against biometrics security concerns privacy. Davit Mount, a UK-based Director of Security Solution Consulting Firm, EMEA at Macro Focus, opined that “I think as we see biometrics being used more and more, it’s going to open up a raft of privacy concerns such as, what does the biometric data say about me and my physical and emotional state?” It should be noted here that in the biometric process a person’s biological structure and sexual history can possibly be disclosed. He further added that there may be cultural and trust issues around its adoption (SC Magazine This is true from his country’s perspective, because there biometrics are not compulsory for buying a phone or for issuing national identity cards or passports; even banks and other offices are restricted from using a customer’s photograph without the customer’s free will, because their laws do not permit compulsory use on the ground that it breaches privacy. Previously, the UK government took the initiative to make biometrics compulsory for the National Identity Card and for the security of its citizens. But the European Court of Human Rights declared that making it compulsory for citizens to give biometrics without their free consent is a breach of a human right, the “Right to Privacy” (EU Human Rights Policies: A Study in Irony, Oxford University Press 2004), and it is now compulsory only for foreigners who enter the UK and live inside the country. But in our country, biometrics are already used for national identity cards and passports without any challenge to their constitutional and legal validity, and they are even used for simply buying a mobile SIM, against the free will of the customers. So far the laws of Bangladesh support this, but whether our constitutional right, the “right to privacy”, is breached or not has also been a debatable issue.
On 12 April 2016, in the writ petition known as the Biometric SIM re-registration verdict, the High Court Division of the Supreme Court opined that its use is legal. Therefore it may also be used for banking purposes, for the better protection of customers’ finances and security. The free will of customers, whether they agree to give biometrics or not, may also be considered. Another disadvantage compared with the current ATM system is that biometrics technology requires a longer time, because it is a complex process in which too many steps need to be followed, whereas the ATM system needs only seconds (Amtul Fatima et JIBC 2011).
In the interest of better protection of their money, customers would be ready to prefer biometrics technology. The new technology is comparatively more secure and cost-effective; it would reduce cybercrime as well as monitoring and maintenance costs. Our national Election Commission has already stored our national biometrics database, so financial institutions may connect to it at very little cost rather than maintaining an expensive separate database. It is possible to set up biometrics readers on existing ATM booths, and even on smartphones and laptops used as biometrics readers by those who like to use internet banking from anywhere. A great extra advantage is that it can be used beside the ‘password’ security system as double protection. Therefore, this technology can ensure secure digital banking for all.
The writer is a Cyber Law and Justice System expert & Head of the Law Chambers, Mahbub & Mahbub Associates.