In 2015, Citigroup Inc. began testing an ATM that would scan a customer’s iris and make four-digit access codes obsolete. Two years on, Citi has quietly shelved the project.
Among the reasons: the cost and complexity of collecting and managing millions of customers’ biometric data. A large database of biometric data is also a particularly juicy target for hackers.
“If I steal your password, you make a new password,” said George Avetisov, chief executive of HYPR Corp., a banking-technology startup. “But how do you make a new fingerprint?”
Perhaps as a response to that issue, banks are taking a different tack on collecting biometric data. They aim to use the information to replace personal-identification numbers and passwords, but are relying on customers to store and safeguard it themselves—via their own smartphones.
Over the past year, lenders such as Wells Fargo & Co., J.P. Morgan Chase & Co. and Bank of America Corp. have started to roll out new ATMs that can link to customers’ mobile devices. Customers will sign in through their phones, potentially using a fingerprint, and then transmit a code to the ATM.
Though this adds a step to the identification process, customers are nonetheless eager to ditch the numerous PINs and passwords needed for transactions. Mobile phones are also one device on which biometrics has worked, as about two billion units globally can use fingerprints, pictures of eyes and faces, and voice recognition, according to HYPR. Those tools are already widely used for signing in to mobile-banking applications.
Citigroup’s apps, for example, use voice, face and fingerprint recognition, although the bank has yet to roll out cardless ATMs. As for the iris-reading ATMs, Citigroup has “reasons ranging from logistical to operational” for not pursuing them at this time, a spokesman said.
Other banks have shared similar difficulties with how to approach biometric data. A survey by the U.K.’s University of Oxford and Mastercard Inc. published in June found that while nine out of 10 bankers wanted to take advantage of biometrics, only about a third reported a good experience so far using the technology.
An added complication is that, unlike some other countries, the U.S. doesn’t have national identification databases. In countries such as Chile, which does have such a database, banks could tap into it to enable customers to sign into an ATM with a fingerprint. So, banks in the U.S. are on their own to figure out how to record and store customers’ biometric markers. That process adds extra steps, complexity and cost.
Meanwhile, the need for next-generation ATMs is urgent. For one, card fraud is rising despite new security measures such as chip-enabled cards. Fair Isaac Corp., a credit-data provider, has said it detected a 70% uptick in compromised cards being used at ATMs and merchants in 2016.
Though ATMs—introduced 50 years ago—might seem quaint in the mobile age, their usage remains strong, and banks are still investing in them. Last year, J.P. Morgan, for example, increased the number of ATMs it owns by 4%, even as it closed 3% of its branches. In January, Citigroup nearly doubled the size of its ATM network with a deal to add 30,000 locations at retailers.
In their quest to use smartphones for biometrics, banks are relying on processes that are already well established. A customer using a phone at an ATM would authenticate her identity using, say, a fingerprint, as is the case with Apple Inc.’s iPhone and Apple Pay.
The phone would then create an individual digital token and transmit that to the ATM. That would validate the transaction without revealing any underlying biometric data to the bank.
‘Banks are reutilizing what they learned about biometrics through mobile.’
(Source: The Wall Street Journal)