How biometric ATMs are entering mainstream use
Until recently, biometric ATMs were very hard to find in developed markets other than Brazil, India and Japan.
But this is changing with the advent of biometric authentication within mobile banking apps, the use of the blockchain, and software enabling ATM security cameras to be used for authentication.
“Latin America, particularly Brazil; and Asia, especially Japan, are the most mature markets for biometric ATMs,” said Douglas Russell, director of U.K.-based DFR Risk Management. “But other countries and regions are witnessing an increase in trials and rollouts. Fingerprint and finger vein authentication are the most popular authentication techniques, followed by palm vein, but an increasing number of deployments are using facial recognition at ATMs."
Facial recognition is used in Taiwan, Spain, Japan, Australia, India and Macau, Russell said. The technology received a boost in 2018 with Apple’s adoption of Face ID as the biometric authentication method for iPhones, replacing Touch ID on newer handsets.
Last month, Spain’s CaixaBank installed facial recognition technology at 20 ATMs across four of its Barcelona branches enabling customers to authenticate themselves by looking at the ATM’s security camera. These ATMs can validate up to 16,000 points on the image of a user's face, and accept PIN authentication as fallback.
Separately, Cupertino, Calif.-based digital ID platform developer ShoCard has created a prototype of blockchain-based ATM authentication with Alhamrani Universal, a Middle East ATM provider. The prototype addresses a barrier to the widespread deployment of biometric ATMs — the lack of a global, interoperable standard for biometric authentication, which means that generally people can use biometric authentication only at their own bank’s ATMs.
According to RBR’s report “Global ATM Market and Forecasts to 2023,” around 8 percent of ATMs worldwide — 270,000 out of 3.3 million — featured biometric identification in 2017. The biggest market is Brazil, with 126,000 biometric ATMs, 80 percent of the country’s installed base, in 2017. Most other markets with significant numbers of biometric ATMs are in Asia: Japan with 87,000, India with 20,000, and South Korea with 13,000.
RBR associate Rowan Berridge notes that in Brazil and Japan both palm vein and finger vein authentication are used at ATMs. “In Japan, virtually all bank ATMs use biometric identification,” he said.
“Diebold Nixdorf has over 80,000 biometric identification devices installed in countries such as Brazil, India, Mexico, South Africa, India, Nigeria, Poland and Germany,” Marcelo Castro, Diebold Nixdorf’s principal product manager for ATM Security, said. “Biometrics can help improve financial inclusion in developing economies. Fingerprint authentication allows consumers to be linked directly to their card by their fingerprint alone. This helps remove the barriers of literacy or memory challenges, since users don’t need to remember PINs.”
Russell identifies banks’ need to increase security and comply with KYC rules as drivers for biometric ATM rollout.
“There is progress in developing a truly global biometric ID standard, which should reduce barriers to further deployments,” he said. “But currently deployments tend to be bank- or country-specific.”
“There’s a strong movement towards standardization, and I think the FIDO Alliance is one of the strongest players in this arena,” said Castro.
“The other main challenge is maintaining confidence in the security of biometric systems,” Russell said. “Sophisticated criminal gangs are exploring ways to compromise biometric systems. Recently, a sample of ATM-specific malware was discovered with functionality tailored to attack biometric ATMs.”
Following its initial rollout of biometric authentication in Barcelona, CaixaBank plans to deploy the technology at all of its 9,000 Spanish ATMs from the second half of 2019.
Customers enroll at a branch using a CaixaBank employee’s tablet. During the registration process, 16,000 points on the image of the customer’s face are mapped and stored on CaixaBank’s servers.
When the biometric system verifies a customer’s identity, it checks that the 16,000 points of their biometric pattern detected at the ATM coincide to a very high degree with their biometric pattern stored in CaixaBank’s servers. Also, the ATM requests a “life test” from the user, which involves performing a random movement to the right, left, up, or down to prove that the client's reaction is correct and human. If the biometric pattern detected by the ATM is different from the user’s, or the “life test” fails, the system requests a PIN.
If, when the ATM captures their biometric pattern, a significant part of the client’s face is covered by their hair or large dark glasses, the ATM can’t capture enough points to make an accurate comparison with the stored biometric pattern. So the ATM requests a PIN.
CaixaBank developed its facial recognition system, which uses an ATM’s existing security camera, with FacePhi, a Spanish biometrics software company, and Fujitsu.
“Our software doesn’t need any additional hardware at CaixaBank ATMs, as it upgrades the ATM’s existing security camera to give a better image when reading the customer’s biometric pattern,” said Javier Mira, FacePhi’s CEO.
ShoCard and Alhamrani Universal’s biometric ATM prototype is designed to enable Middle East consumers to use a blockchain-based app and a photo of their face instead of PINs to withdraw cash. The solution uses the ATM’s existing security camera, and relies on users storing their ID on a mobile device, with proof of that ID on a distributed blockchain to identify customers from different banks.
Alhamrani Universal resells ATMs across the Middle East, and has over 50 percent of Saudi Arabia’s ATM market.
To enroll with ShoCard, users download the ShoCard ID app and take a photo of their government-issued ID. ShoCard extracts the personal information from this ID, encrypts it and creates a hashed copy that it writes it to the blockchain. Users decide which third parties to share their personal information with such as banks or retailers. However, the user’s data is never stored centrally on their bank’s database, according to Ali Nazem, ShoCard’s VP of business.
In ShoCard’s implementation, users communicate with an ATM by scanning a QR code or via Bluetooth.
“The user digitally signs and encrypts all communications with the ATM, and a unique code is created for each transaction,” Nazem said. “The ATM’s camera takes a photo of the user which is compared to the original image that was signed by the user's private key and certified by the bank during registration with ShoCard.”
ShoCard uses multiple authentication factors including geolocation, QR codes, timestamps, session IDs, and biometrics for ATM withdrawals. Nazem said this makes ShoCard’s solution more secure than existing mobile cardless ATM withdrawal services, which may just require the use of Touch ID for authentication and can be vulnerable to fraud.