Banks are under fire for not taking sufficient steps to ensure security. That's not surprising, given that misuse of banking data is on the rise — in some cases leading to disastrous consequences for banks and their customers. New technologies from Siemens are set to make life a lot tougher for criminals.
Thanks to scanners and optical sensors, verification data for Internet identification doesn't even need to pass through a PC.
Non-contact hand vein scanners will make banking more secure — and life tougher for anyone attempting online fraud.
Online banking conducted from the convenience of the customer's home is becoming increasingly popular. In fact, in Germany alone, there are more than 35 million online accounts that generate nearly 1.7 billion online fund transfers per year. But the other side of the coin is that crime in the online realm is also on the rise — in the form of phishing scams, for example, where hackers try to gain access to bank account data by setting up fake web sites.
According to Germany's Federal Criminal Police Office, Internet scams in 2007 alone resulted in damages totaling approximately €19 million, which was 50 % higher than the figure from 2006. Also not to be underestimated is the damage these scams can cause to a bank's reputation.
In an effort to combat this problem, Siemens is developing several solutions that will make banking more secure — not only online but also over the phone and at bank branches. "Many Internet users prefer to do their banking conveniently online, but they are nevertheless worried about the security of their personal data," says Olaf Badstübner, who is responsible for Worldwide Banking and Insurance Security Services at Siemens IT Solutions and Services in Frankfurt am Main. "Our goal is therefore to offer solutions that combine user-friendliness with the highest security standards. The key question here always boils down to how we can securely identify ourselves via anonymous communication channels such as the Internet and telephone lines."
Mini Scanners. Together with a Swiss biometric solutions company, Siemens now offers an Internet ID product that puts a stop to online scamming. The device, which is the size of a credit card, is equipped with a fingerprint scanner and six optical sensors. It requires no additional hardware or software installation, which means that it can be used with any Internet-enabled computer.
Any user wishing to conduct a bank transfer first identifies himself or herself by means of a fingerprint. This print is compared with a reference print that is already stored on the device. The bank's website then sends a flicker code to the user's computer, and the code is registered and decrypted by the ID card's sensors. During this process, the user's monitor displays six rapidly flickering fields. In addition to the transfer data already entered using the computer keyboard, the flicker code contains the associated transaction authentication number (TAN) generated by the bank.
Using an integrated cryptographic key, the ID card deciphers the code and displays the information on its small screen. The user can check the data to make sure it's correct and then complete the transaction by entering the TAN. "The new ID eliminates the need for separate passwords and TAN lists," explains Badstübner — and that makes the system not only easier to use but also much more secure than conventional setups.
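The binding between transfer data and TAN described above, as an added example that is not Siemens' implementation: the page's encryption of the flicker payload is replaced here by an HMAC tag so the code stays in the Python standard library. The shared key handling, the field names and the sample account strings are assumptions.

```python
import hashlib
import hmac
import json
import secrets

DEVICE_KEY = secrets.token_bytes(32)  # assumed: key shared by bank and ID card


def _digest(transfer):
    """Canonical hash of the transfer fields a TAN is bound to."""
    return hashlib.sha256(json.dumps(transfer, sort_keys=True).encode()).hexdigest()


class Bank:
    def __init__(self, key):
        self.key = key
        self.pending = {}  # TAN -> digest of the transfer it was issued for

    def make_flicker_payload(self, transfer):
        """Build the authenticated message the website would flicker to the card."""
        tan = f"{secrets.randbelow(10**6):06d}"
        self.pending[tan] = _digest(transfer)
        body = json.dumps({"transfer": transfer, "tan": tan}, sort_keys=True).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).digest()

    def confirm(self, transfer, tan):
        """Accept a TAN once, and only for the transfer it was issued for."""
        expected = self.pending.pop(tan, None)
        return expected is not None and hmac.compare_digest(expected, _digest(transfer))


def card_display(key, body, tag):
    """Card side: reject modified payloads, else return what the screen shows."""
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("flicker payload failed authentication")
    return json.loads(body)


def demo():
    bank = Bank(DEVICE_KEY)
    entered = {"to": "DE00 EXAMPLE 0001", "amount_eur": "120.00"}    # constructed
    tampered = {"to": "DE00 EXAMPLE 9999", "amount_eur": "9500.00"}  # constructed
    # The bank received `tampered` although the user typed `entered`.
    body, tag = bank.make_flicker_payload(tampered)
    shown = card_display(DEVICE_KEY, body, tag)
    mismatch_visible = shown["transfer"] != entered  # user sees the wrong payee
    # The issued TAN does not authorize any transfer other than the one shown.
    return mismatch_visible, bank.confirm(entered, shown["tan"])
```

The card's screen shows what the bank actually received, so a transfer altered on the PC is visible to the user before the TAN is typed in.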
At the moment, the Internet ID device is being offered exclusively to banks, but Badstübner believes it could also be used for less security-critical online applications. "Whether you're booking travel arrangements or downloading music from the Internet — the ID has 128 different keys and could theoretically be used for a corresponding number of online shops and services," he says. The system is already being widely utilized within Siemens, especially with applications that involve external partners. In such cases, the device ensures that only authorized persons can gain access to internal Siemens data. "Because users identify themselves with their fingerprint, you always know that the individual in question was physically present when they logged onto the system," Badstübner explains. "That means there's absolutely no possibility that a third party can get in by stealing a password."
Despite the varied range of application possibilities, Badstübner continues to focus on the banking sector. One reason: manipulation of ATMs is increasing dramatically. Approximately 5,000 instances of ATM fraud were recorded in Europe in 2007, but that number had climbed to more than 6,000 in just the first six months of 2008 — a staggering increase of 143 %.
Three out of every four such incidents involve what is called "skimming" — a method by which a thief gains access to bank card data by installing a mock-up card slot, equipped with a scanner and miniature camera, in the cash machine. A new system that uses hand vein scanning could put a stop to that, because each individual's vein structure is unique and can therefore be used as a means of identification.
Read My Hands. The new system works as follows: An infrared scanner installed in the ATM registers the vein structure in the customer's hand. This data is then transferred to a biometric data recognition unit that compares the scan with the user's stored information. "This type of ID provides customers with additional security to supplement their PIN number," Badstübner explains.
Siemens developed the technical equipment for data recognition and comparison, while Fujitsu supplied the infrared scanner and sensor. "Along with enhanced security, this procedure also offers the benefit of touchless operation. Unlike the fingerprint ID, the hand-vein reading unit doesn't require the customer to touch the scanner," says Badstübner. "What's more, the scanner avoids the problem that even just a little dirt or a slight cut can lead to an error in fingerprint identification, which could otherwise impede the authentication process."
Hand-vein scanning can be used to identify customers doing business inside a bank branch as well, eliminating the need for them to present their IDs. Time-consuming signature checks would also become a thing of the past. Several British banks are particularly interested in this technology and are now engaged in talks with Siemens about the possibility of obtaining the system.
Voiceprint by Phone. Badstübner's development laboratory has also come up with a third verification application, one that makes use of speech biometrics technology. Speaker recognition is an ideal solution for telephone banking — and Siemens is now offering a system that registers the individual characteristics of a user's voice and then uses this data as a basis for verifying the customer's identity in all future telephone transactions.
And to prevent fraud attempted by means of replaying recordings of the user's voice, the system also generates a random number sequence that the customer must repeat. Then the customer's voice is compared with the stored data to ensure completely secure identification.
Siemens is currently involved in negotiations with German, Spanish, and Turkish banks that are interested in using its speaker-recognition technology, which could simply be added on to a bank's existing telephone banking system. And Siemens is already successfully using the system internally to prevent the time-consuming documentation process that had been necessary for retrieving or changing passwords.
"Now, when employees forget their passwords, they simply call a number where their identity can be confirmed on the basis of their recorded voiceprint," Badstübner reports. They can then reset their password quickly, easily, and securely.
Secure, fast, and easy — these are exactly the qualities that apply to all three of the security solutions from Badstübner's development department.