
Biometric Payment Authentication (BPA) – Corporate Banking Transactions: Pakistan Perspective

1. Introduction

The term 'authentication' describes the process of verifying the identity of a person or entity. Within the domain of corporate e-banking systems, the authentication process is one method used to control access to corporate customer accounts and transaction processing. Authentication typically depends on corporate customer users providing valid identification data followed by one or more authentication credentials (factors) to prove their identity.

Customer identifiers may be user ID / password, or some form of user ID / token device. An authentication factor (eg PIN, password and token response algorithm) is secret or unique information linked to a specific customer identifier that is used to verify that identity.

Typically, the way to authenticate customers is to have them present some sort of factor to prove their identity. Authentication factors include one or more of the following:

Something a person knows – commonly a password or PIN. If the user types in the correct password or PIN, access is granted

Something a person has – most commonly a physical device referred to as a token. Tokens include self-contained devices that must be physically connected to a computer, and devices with a small screen on which a one-time password (OTP) is displayed or can be generated after inputting a PIN, which the user must enter to be authenticated

Something a person is – most commonly a physical characteristic, such as a fingerprint. This type of authentication is referred to as "biometrics" and often requires the installation of specific hardware on the system to be accessed

Authentication methods are numerous and range from simple to complex. The level of security provided varies based upon both the technique used and the manner in which it is deployed. Multifactor authentication utilizes two or more factors to verify customer identity and allows corporate e-banking users to authorize payments. Authentication methodologies based upon multiple factors can be more difficult to compromise and should be considered for high-risk situations. The effectiveness of a particular authentication technique depends on the integrity of the selected product or process and the manner in which it is implemented and managed.

'Something a person is'

Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological characteristic (something a person is). Physiological characteristics include fingerprints, iris configuration, and facial structure. The process of introducing people into a biometrics-based system is called 'enrollment'. In enrollment, samples of data are taken from one or more physiological characteristics; the samples are converted into a mathematical model, or template; and the template is registered into a database on which a software application can perform analysis.

Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer. The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the customer is authenticated and granted access.

A biometric identifier, such as a fingerprint, can be used as part of a multifactor authentication system, combined with a password (something a person knows) or a token (something a person has). Currently in Pakistan, most banks use two-factor authentication, ie PIN and token in combination with user ID.

Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along with small unique marks known as minutiae, which are the ridge endings and bifurcations or branches in the fingerprint ridges. The data extracted from fingerprints are extremely dense, and this density explains why fingerprints are a very reliable means of identification. Fingerprint recognition systems store only data describing the exact fingerprint minutiae; images of actual fingerprints are not retained.
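The enrollment and live-scan comparison described above can be sketched as follows. This is an added example, not code from the article or from any fingerprint product: the minutiae coordinates are constructed sample data, the tolerances and threshold are assumed values, and the matcher assumes the two scans are already aligned.

```python
import math

# Constructed sample data: each minutia is (x, y, ridge angle in degrees, kind).
ENROLL_SCAN = [(10.2, 9.8, 0, "ending"), (40.1, 25.3, 90, "bifurcation"),
               (69.7, 60.0, 180, "ending"), (30.4, 79.6, 270, "bifurcation"),
               (90.0, 15.1, 45, "ending")]
# Same finger, later scan: small jitter, one minutia missed, one spurious.
SAME_FINGER = [(12, 9, 5, "ending"), (41, 27, 85, "bifurcation"),
               (68, 62, 176, "ending"), (33, 78, 275, "bifurcation"),
               (55, 55, 10, "ending")]
OTHER_FINGER = [(15, 70, 30, "ending"), (60, 20, 200, "bifurcation"),
                (85, 85, 120, "ending"), (12, 14, 90, "ending")]

def enroll(minutiae):
    """Reduce a scan to the stored template: minutiae only, no image data."""
    return [(round(x), round(y), round(a) % 360, kind)
            for x, y, a, kind in minutiae]

def match_score(template, live, dist_tol=10.0, angle_tol=15.0):
    """Fraction of minutiae paired one-to-one within position/angle tolerance.

    Assumes both scans are already aligned; greedy pairing, for illustration.
    """
    used, paired = set(), 0
    for tx, ty, ta, tkind in template:
        for i, (lx, ly, la, lkind) in enumerate(live):
            if i in used or lkind != tkind:
                continue
            d_angle = abs((la - ta + 180) % 360 - 180)  # wrap-around safe
            if math.hypot(lx - tx, ly - ty) <= dist_tol and d_angle <= angle_tol:
                used.add(i)
                paired += 1
                break
    return paired / max(len(template), len(live), 1)

def verify(template, live, threshold=0.6):
    """A live scan matches when its score reaches the configured threshold."""
    return match_score(template, live) >= threshold

TEMPLATE = enroll(ENROLL_SCAN)

if __name__ == "__main__":
    print("same finger :", match_score(TEMPLATE, SAME_FINGER))
    print("other finger:", match_score(TEMPLATE, OTHER_FINGER))
```

A biometric match is a score compared with a threshold, not an equality test: raising the threshold lowers false accepts but starts rejecting genuine scans that are noisy or partial.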

Banks in Pakistan offering Internet-based products and services to their customers should use effective authentication methods for high-risk transactions involving access to customer information, the movement of funds to other parties, or any other financial transactions. The authentication techniques employed by the banks should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (eg ID / password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, banks should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Although some banks, especially the major multinational banks, have started to use two-factor authentication, additional information security measures need to be taken to avoid unforeseen circumstances that may result in financial loss and reputational damage to the bank.

There are a variety of technologies and methodologies banks use to authenticate customers. These methods include the use of customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of tokens.

However, in addition to these technologies, biometric identification can bring added advantages to two-factor authentication:

a) as an additional layer of security

b) cost effective

Existing authentication methodologies used in Pakistani Banks involve two basic factors:

i. Something the user knows (eg password, PIN)

ii. Something the user has (eg smart card, token)

This paper proposes the use of another layer, a biometric characteristic such as a fingerprint, in combination with the above.

Adding this layer gives the following authentication methodologies:

i. Something the user knows (eg password, PIN)

ii. Something the user has (eg smart card, token)

iii. Something the user is (eg biometric characteristic, such as a fingerprint)
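The following added example (not code from the article or from any bank's platform) shows how a payment authorization check can count proved factor categories rather than credentials. The amount limit, the record fields and the sample user are hypothetical, the fingerprint score is assumed to come from a separate matcher, and the token is modelled as an RFC 4226 HOTP device.

```python
import hashlib
import hmac
import struct

LIMIT_PKR = 5_000_000  # hypothetical limit: payments at or above need all three

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password, as shown on an event-based hardware token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pin_hash(pin: str, salt: bytes) -> bytes:
    """Store and compare a slow salted hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def proved_categories(user: dict, presented: dict) -> set:
    """Return the factor categories (knows / has / is) actually proved."""
    proved = set()
    pin = presented.get("pin")
    if pin is not None and hmac.compare_digest(
            pin_hash(pin, user["salt"]), user["pin_hash"]):
        proved.add("knows")
    otp = presented.get("otp")
    expected = hotp(user["token_secret"], user["token_counter"])
    if otp is not None and hmac.compare_digest(otp.encode(), expected.encode()):
        user["token_counter"] += 1  # a used code must never be accepted again
        proved.add("has")
    if presented.get("fingerprint_score", 0.0) >= user["match_threshold"]:
        proved.add("is")
    return proved

def authorize(user: dict, presented: dict, amount_pkr: int) -> bool:
    """Two distinct categories for any access, three for large payments."""
    required = 3 if amount_pkr >= LIMIT_PKR else 2
    return len(proved_categories(user, presented)) >= required

def sample_user() -> dict:
    """Constructed user record for demonstration only."""
    salt = b"constructed-salt"
    return {"salt": salt, "pin_hash": pin_hash("4821", salt),
            "token_secret": b"12345678901234567890", "token_counter": 0,
            "match_threshold": 0.6}

if __name__ == "__main__":
    creds = {"pin": "4821", "fingerprint_score": 0.8}
    print(authorize(sample_user(), creds, 100_000))     # PIN + fingerprint
    print(authorize(sample_user(), creds, 10_000_000))  # large payment
```

Because the result is a set of categories, a second secret of the same kind never raises the count, and advancing the token counter on success blocks replay of a captured OTP.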

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

2. Methodology

The methodology applied in this paper builds on a two-step approach. First, it draws on my past experience working in the Cash Management department of a leading multinational bank, implementing electronic banking solutions for corporate clients throughout Pakistan and across geographies.

Second, it draws on consulting and interviewing friends working in the Cash Management departments of other banks in Pakistan and the Middle East, for a better understanding of the technology used in the market and of its benefits and consequences for successful implementations.

3. Implementation in Pakistan

This section discusses the implementation in Pakistan of Biometric Payment Authentication (BPA), ie the use of a biometric characteristic, such as a fingerprint, for authorizing financial transactions on a corporate e-banking platform. The descriptive part comes first, followed by the economic benefit analysis for adopting the presented methodology.

As technology is very advanced today, fingerprint scanners are readily available on almost every laptop, or a stand-alone scanning device may be attached to a computer. With the advent of smart phones, fingerprint scanners are now available on phones as well (eg Apple iPhone, Samsung mobile sets etc).

In Pakistan, end users should not have trouble using a fingerprint-scanning device on a laptop or a smart phone, as all the work that needs to be done has to be done by the banks introducing this methodology.

Besides this, Pakistan is a perfect location to implement biometrics-based authentication, mainly because:

a. CNICs are issued after taking the citizen's biometric information – especially fingerprints

b. Telco companies need to maintain and validate an individual's fingerprints before issuing a SIM card

These examples show that a large part of Pakistan's population is already familiar and comfortable with the biometrics (fingerprints) methodology. However, banks have to develop their e-banking portal or application so that it accepts fingerprints for corporate users. The e-banking portal would invoke the fingerprint device of the end user for either login or authentication of financial transactions. Enrollment can be performed either remotely, at first login to the e-banking platform after the user has received setup instructions and passwords, or at the bank's customer service center.

This article recommends that banks in Pakistan move to multifactor authentication using PIN and fingerprints. Fingerprints are unique and complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are among the most mature and accurate of the various biometric methods of identification.

Now let's discuss the economic benefits of using PIN and fingerprints instead of token devices for authentication. Before we dive deep into the statistics, first look at the current process, from token inventory ordering to delivery to the end user and then maintenance if a token is lost or faulty.

Most banks in Pakistan order and import tokens from a US-based company called 'VASCO Data Security International Inc.'. Once an order is placed, VASCO ships the tokens to the ordering bank, and the bank receives the tokens after clearing the custom duties. Banks settle VASCO's invoices by sending the amount, along with the courier charges, through outward remittance. Banks then initialize the token and, upon the customer's written request, issue the token to an end user. The token is couriered to the end user, and training is conducted via phone or a physical visit by the bank's representative to the customer's office. Any lost or faulty tokens are replaced with new ones and again couriered to end users. Tokens are returned to banks if an end user resigns from their organization or is moved into some other role that does not involve banking-related operations or use of the e-banking platform.

Theoretically it looks pretty simple, but in practice these are very time-consuming activities, and a cost is associated with each and every step mentioned above.

Now, let's calculate the costs associated with the above activities and build some statistics so that a cost-benefit analysis can be done.

Currently, some banks in Pakistan have locally introduced fingerprint recognition technologies to authenticate ATM users and are in the process of eliminating the need for an ATM card, which will help banks save the cost of replacing lost or stolen cards.

Cost calculations are approximations and not to be taken as true cost for any budgeting.

3.1. Descriptive Statistics

The descriptive statistics for token inventory, from ordering through delivery to the end user and subsequent maintenance if a token is lost or faulty, are shown below (built on a consumption of roughly 1000 tokens per year per bank).

Descriptive Statistics

Tokens Cost (1000 tokens): 15,000 USD (1,569,000 PKR)

Custom Duty: 4,610 USD (482,206 PKR)

Courier to End User: 922 USD (96,441 PKR)

Training Cost: 7,376 USD (771,530 PKR)

Total: 27,908 USD (2,919,177 PKR)

The above statistics show that approximately 28,000 USD (rounded to the nearest thousand) is spent on tokens by a single bank, which can easily be saved if the token is replaced by fingerprints. This not only saves cost for a bank but also eases its administration and maintenance.

Forex interbank rates as of December 23, 2016 http://www.forex.com.pk

4. Change Management Grid

Stage One: "Coming to Grips with the Problem"

Mind-set (Thinking / Understanding)

a. Currently banks incur a lot of cost on purchasing physical tokens, which can easily be eliminated by using a biometric methodology such as fingerprints.

Motivation (Emotional / Intuitive Dynamics)

a. The current methodology of token ordering takes time and incurs cost before the tokens reach the bank. Specific training then needs to be conducted for end users on token device activation and usage. Maintenance is another huge activity for banks. As biometric scanners are easily available on laptops and smart phones, this change is easily achievable without any huge cost. Fingerprint authentication will relieve end users of remembering too many passwords, and they will not have to carry physical devices with them all the time.

Behavior (Capability)

a. Banks in Pakistan need to be visited, and proper presentations given to brief their IT teams on this easy and secure technology, their finance teams on the cost benefits, and their operations teams on the reduction in operational maintenance.

b. Demos will also be arranged to show live how this new technology assists banks.

c. End users will have to use a fingerprint to log in or authenticate transactions instead of using physical tokens.

Stage Two: "Working through the Change"

Mind-set (Thinking / Understanding)

a. Biometric authentication will help banks reduce cost and operational hassle. This technology will also ease end users' day-to-day e-banking activities. Proper training will be conducted for the bank's concerned teams. End users will also be instructed in fingerprint enrollment.

Motivation (Emotional / Intuitive Dynamics)

a. Banks have to invest first to adopt this new technology, but this will eventually help them reduce recurring cost and operational maintenance.

b. End users will no longer have to carry any gadgets and will perform banking activities with the touch of a finger.

Behavior (Capability)

a. Post-implementation reviews will give banks feedback from customers who have started using the new technology, and client experience will help banks strengthen their product.

b. With fingerprint technology, corporate customers will no longer have to pay any additional cost for requesting tokens.

Stage Three: "Attaining and Sustaining Improvement"

Mind-set (Thinking / Understanding)

a. Banks to hold client experience forums, which will provide customer feedback and also give new ideas for future enhancements.

b. Banks to update Departmental Operating Instructions (DOI) for employees, emphasizing their roles and responsibilities with respect to this new technology.

Motivation (Emotional / Intuitive Dynamics)

a. Banks can launch a reward campaign for employees who successfully migrate e-banking users from tokens to fingerprint technology.

b. Likewise, promotional fee waivers can also be offered to customers for adopting this technology.

Behavior (Capability)

a. Training and retraining to be conducted for new and existing bank staff to emphasize the benefits of biometric authentication.

b. Customers can be retrained or refreshed on this technology by sending regular product brochures and short training videos.

c. Quarterly feedback will be collected from all customers to assess their knowledge of biometric authentication and gather new ideas for future enhancements.

5. Monitoring / Evaluating

Banks, being a service-oriented industry, always focus on 'Customer First'. Customer feedback will be gathered through client experience forums; any issues faced will be addressed through follow-ups, and final feedback will be taken from the customer upon resolution.

The post-implementation review will give a clear picture of the new biometric methodology as implemented and will also provide further viewpoints for future enhancements.

6. Conclusion

This study aims to examine the replacement of physical tokens for corporate e-banking platform users with the end users' fingerprints, both for login to the e-banking channel and for authentication of financial transactions. The findings of this study reveal that this new technology will not only benefit banks from a cost and maintenance perspective but will also give corporate end users peace of mind, as they need not remember too many passwords or carry a physical token wherever they roam.


Source by Syed Noor Ullah Jan
