Biometric Payment Authentication (BPA) – Corporate Banking Transactions: Pakistan Perspective

1. Introduction

The term ‘authentication’ describes the process of verifying the identity of a person or entity. Within the domain of corporate e-banking systems, the authentication process is one method used to control access to corporate customer accounts and transaction processing. Authentication typically depends upon corporate customer users providing valid identification data followed by one or more authentication credentials (factors) to prove their identity.

Customer identifiers may be a user ID / password, or some form of user ID / token device. An authentication factor (e.g. PIN, password or token response algorithm) is secret or unique information linked to a specific customer identifier that is used to verify that identity.

Generally, the way to authenticate customers is to have them present some sort of factor to prove their identity. Authentication factors include one or more of the following:

Something a person knows – commonly a password or PIN. If the user types in the correct password or PIN, access is granted

Something a person has – most commonly a physical device referred to as a token. Tokens include self-contained devices that must be physically connected to a computer, or devices that have a small screen on which a one-time password (OTP) is displayed or can be generated after inputting a PIN, which the user must then enter to be authenticated

Something a person is – most commonly a physical characteristic, such as a fingerprint. This type of authentication is referred to as “biometrics” and often requires the installation of specific hardware on the system to be accessed

Authentication methodologies are numerous and range from simple to complex. The level of security provided varies based upon both the technique used and the manner in which it is deployed. Multifactor authentication utilizes two or more factors to verify customer identity and allows corporate e-banking users to authorize payments. Authentication methodologies based upon multiple factors can be more difficult to compromise and should be considered for high-risk situations. The effectiveness of a particular authentication technique depends upon the integrity of the selected product or process and the manner in which it is implemented and managed.

‘Something a person is’

Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological characteristic (something a person is). Physiological characteristics include fingerprints, iris configuration, and facial structure. The process of introducing people into a biometrics-based system is called ‘enrollment’. In enrollment, samples of data are taken from one or more physiological characteristics; the samples are converted into a mathematical model, or template; and the template is registered into a database on which a software application can perform analysis.

Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer. The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the customer is authenticated and granted access.

A biometric identifier, such as a fingerprint, can be used as part of a multifactor authentication system, combined with a password (something a person knows) or a token (something a person has). Currently, most banks in Pakistan use two-factor authentication, i.e. a PIN and a token in combination with a user ID.

Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along with small unique marks known as minutiae, which are the ridge endings and bifurcations or branches in the fingerprint ridges. The data extracted from fingerprints are extremely dense and the density explains why fingerprints are a very reliable means of identification. Fingerprint recognition systems store only data describing the exact fingerprint minutiae; images of actual fingerprints are not retained.
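The enrollment, template and live-scan flow described above (samples reduced to minutiae, a template stored without the image, a live scan compared against it and accepted on a threshold), as an added example that is not from this paper or from any bank's or vendor's system; the minutia layout, the tolerances and the threshold are assumptions chosen for illustration:

```python
import math

# Each minutia is modelled as (x, y, ridge_angle_deg, kind), where kind is
# "end" (ridge ending) or "bif" (bifurcation). This layout is an assumption
# of the example, not a vendor template format.
Minutia = tuple[int, int, int, str]

POSITION_TOL = 6        # pixels a live minutia may drift from the enrolled one
ANGLE_TOL = 15          # degrees of ridge-direction drift tolerated
MATCH_THRESHOLD = 0.7   # fraction of enrolled minutiae that must be re-found

def _close(a: Minutia, b: Minutia) -> bool:
    """Same kind and within position and angle tolerance (angles wrap at 360)."""
    if a[3] != b[3]:
        return False
    dist = math.hypot(a[0] - b[0], a[1] - b[1])
    dang = abs((a[2] - b[2] + 180) % 360 - 180)
    return dist <= POSITION_TOL and dang <= ANGLE_TOL

def enroll(samples: list[list[Minutia]]) -> frozenset[Minutia]:
    """Template = minutiae present in every enrollment sample; no image is kept."""
    common = set(samples[0])
    for sample in samples[1:]:
        common = {m for m in common if any(_close(m, n) for n in sample)}
    return frozenset(common)

def match_score(template: frozenset[Minutia], live: list[Minutia]) -> float:
    """Fraction of enrolled minutiae re-found in the live scan, each used once."""
    unused = list(live)
    hits = 0
    for m in template:
        for i, n in enumerate(unused):
            if _close(m, n):
                hits += 1
                del unused[i]
                break
    return hits / len(template) if template else 0.0

def verify(template: frozenset[Minutia], live: list[Minutia]) -> bool:
    """Grant the biometric factor only when the score reaches the threshold."""
    return match_score(template, live) >= MATCH_THRESHOLD

# Constructed sample data, not real fingerprint measurements.
ENROLL_SAMPLES = [
    [(40, 52, 90, "end"), (88, 120, 45, "bif"), (130, 70, 180, "end"), (200, 150, 270, "bif")],
    [(42, 50, 95, "end"), (90, 118, 40, "bif"), (133, 72, 175, "end"), (200, 180, 270, "bif")],
]
TEMPLATE = enroll(ENROLL_SAMPLES)   # the unstable fourth minutia is dropped
LIVE_GENUINE = [(38, 54, 88, "end"), (91, 122, 50, "bif"), (129, 68, 183, "end"), (300, 300, 0, "end")]
LIVE_IMPOSTOR = [(40, 52, 90, "bif"), (150, 20, 10, "end"), (88, 200, 45, "bif")]
```

A real deployment would also align the live scan for rotation and translation before comparing; the threshold is what trades false accepts against false rejects, so it is the parameter a bank tunes for high-risk transactions.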

Banks in Pakistan offering Internet-based products and services to their customers should use effective methods for high-risk transactions involving access to customer information or the movement of funds to other parties or any other financial transactions. The authentication techniques employed by the banks should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g. ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, banks should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Although some of the banks, especially the major multinational banks, have started to use two-factor authentication, from an information security point of view additional measures need to be taken to avoid any unforeseen circumstances which may result in financial loss and reputational damage to the bank.

There are a variety of technologies and methodologies banks use to authenticate customers. These methods include the use of customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of tokens.

However, in addition to these technologies, biometric identification can be an added advantage for two-factor authentication:

a) as an additional layer of security

b) as a cost-effective option

Existing authentication methodologies used in Pakistani Banks involve two basic factors:

i. Something the user knows (e.g. password, PIN)

ii. Something the user has (e.g. smart card, token)

This paper proposes the use of another layer, a biometric characteristic such as a fingerprint, in combination with the above.

With this addition, the authentication methodology comprises:

i. Something the user knows (e.g. password, PIN)

ii. Something the user has (e.g. smart card, token)

iii. Something the user is (e.g. biometric characteristic, such as a fingerprint)

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

2. Methodology

The methodologies applied in this paper build on a two-step approach. First, through my past experience working in the Cash Management department of a leading multinational bank, implementing electronic banking solutions for corporate clients throughout Pakistan and across geographies.

Secondly, consulting and interviewing friends working in Cash Management departments of other banks in Pakistan and the Middle East for a better understanding of the technology used in the market, its benefits and consequences for successful implementations.

3. Implementation in Pakistan

This section discusses the implementation in Pakistan of Biometric Payment Authentication (BPA), i.e. the use of a biometric characteristic, such as a fingerprint, for authorizing financial transactions on a corporate e-banking platform: first the descriptive part, then the economic benefit analysis for adopting the presented methodology.

As technology is very much advanced today, fingerprint scanners are now readily available on almost every laptop, or a stand-alone scanning device may be attached to a computer. Also, with the advent of smart phones, fingerprint scanners are now available on phones as well (e.g. Apple iPhone, Samsung mobile sets, etc.).

In Pakistan, end users shouldn’t have trouble using a fingerprint-scanning device on a laptop or on a smart phone, as all the work which needs to be done has to be done by the banks introducing this methodology.

Besides this, Pakistan is a perfect location to implement biometrics-based authentication, mainly because:

a. CNICs are issued after taking the citizen’s biometric information – especially fingerprints

b. Telco companies need to maintain and validate an individual’s fingerprints before issuing a SIM card

These examples show that a large part of Pakistan's population is already familiar and comfortable with the biometric (fingerprint) methodology. However, banks have to develop their e-banking portal or application accordingly, so that it accepts fingerprints for corporate users. The e-banking portal would invoke the fingerprint device of the end user either for login or for authenticating financial transactions. Enrollment can be performed either remotely, through the first login into the e-banking platform after the user has received setup instructions and passwords, or at the bank’s customer service center.

This article suggests that banks in Pakistan move to multifactor authentication through a PIN and fingerprints. Fingerprints are unique and complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are among the most mature and accurate of the various biometric methods of identification.

Now let’s discuss the economic benefits of using a PIN and fingerprints instead of token devices for authentication. Before we deep dive into the statistics, first look at the current process, from token inventory ordering through delivery to the end user, and then the maintenance if any token is lost or faulty.

Most banks in Pakistan order and import tokens from a US-based company called ‘VASCO Data Security International Inc.’. Once an order is placed, VASCO ships the tokens to the ordering bank, and the bank receives them after clearing the customs duties. Banks settle VASCO’s invoices by sending the amount through outward remittance, along with the courier charges. Banks then initialize the tokens and, upon the customer’s written request, issue a token to an end user. The token is couriered to the end user and training is conducted via phone or a physical visit by the bank’s representative to the customer’s office. Any lost or faulty tokens are replaced with new ones and again couriered to end users. Tokens are returned to the bank if an end user resigns from their organization or is moved into another role that doesn’t involve banking-related operations or use of the e-banking platform.

Theoretically it seems pretty simple, but practically these are very time-consuming activities, and a cost is associated with each and every step mentioned above.

Now, let’s do some cost calculations associated with the above activities and build some statistics so that a cost benefit analysis can be done.

Currently, some of the banks in Pakistan have locally introduced fingerprint recognition technologies to authenticate ATM users and are in the phase of eliminating the need for an ATM card, which will eventually help banks save the cost of replacing lost or stolen cards.

Cost calculations are approximations and not to be taken as true cost for any budgeting.

3.1. Descriptive Statistics

The descriptive statistics for the token process, from inventory ordering through delivery to the end user and then maintenance if any token is lost or faulty (built on roughly 1000 tokens consumed per year per bank), are shown below.