More banks turn to biometrics to keep an eye on security

Fabrizio Bensch/Reuters/File
A person uses a sensor for biometric identification on a smartphone in Berlin, Germany (October 16, 2015).

Are you a technophile who likes signing in to your banking app with a fingerprint? Or does it make you cringe?

Get ready for more, because banks are now capturing not just fingerprints but scans of your voice, eye and face.

Biometrics provide a layer of security beyond passwords, which are looking increasingly feeble against sophisticated hackers. Consumers’ tendency to fall back on lazy ones — like “123456” and “password” — makes them even less effective. The financial industry is rushing to invest in security at a time when cybercrime costs the global economy an estimated $450 billion a year, according to the Center for Strategic and International Studies, a Washington, D.C., think tank.

If it hasn’t already, your bank may soon offer you the chance to use biometrics to protect your accounts. That could mean fingerprint authentication on banking apps, voiceprints for customer calls, facial recognition for verifying online purchases, or ATMs that scan your iris. Here is what’s already available and what’s on the horizon.

Fingerprint identification

Once so futuristic, fingerprint sign-in has been showing up on banking apps in the last couple of years. Institutions like Bank of America, Chase and PNC now offer it.

“Fingerprint ID was the No. 1 requested feature from mobile users before we introduced it,” says Betty Riess, a Bank of America spokeswoman. Since September, its customers have been able to save their fingerprints on iPhones, iPads or Android devices, then use them to access their mobile accounts without pass codes.

Fingerprints are unique identifiers, but don’t be lulled into thinking they’re foolproof. There’s actually plenty of room for security breaches due to human behavior. Many smartphones let you store not just one but several fingerprints, in case you want to sign in with a different finger or let a family member or friend have access to your phone. But once someone else’s fingerprint can unlock your device, that person can also access your banking app.

Voice authentication

Possibly the most annoying part of calling a bank is punching in your long account number or having to answer tedious security questions about your mother’s maiden name or the name of your first pet. While banks need to make sure you are you, verifying your identity is no one’s idea of fun.

What if your bank just recognized your voice? Several large banks are testing voice authentication. Citi said it had registered roughly 250,000 customers’ voiceprints by late last year. The process takes less than a minute to set up, the bank says. As soon as you start talking, your voice is matched against the stored data, comparing 130 characteristics of your vocal pattern within a few seconds. That sounds painless.

At the forefront of biometrics is USAA, which serves members of the military and their families; it was the first large institution to roll out three different biometrics — fingerprint, voice and facial recognition — to all customers. Those who opt in enroll through their phone or tablet. For example, for voice authentication, they train the system to recognize them by reading three sample phrases.

Since late 2014, over 1.4 million USAA customers have signed up for some form of biometric identification. “Single-factor logins (password only) represent about 10% of our logins from mobile devices,” says Wil Bennett, USAA assistant vice president of financial crimes analytics.

Face recognition

For face recognition, USAA customers use their smartphone cameras to record their faces, including a blink. The blink proves that the image is live, and not someone trying to trick the system with a photo.

USAA customers can use whichever biometric is more convenient for them at the moment. If you’re in a noisy restaurant, you might choose facial recognition or fingerprint, for example. If it’s dark, you could use voice.

Meanwhile, MasterCard is piloting “selfie-pay” — using a face scan to approve online purchases — in parts of the U.S. and the Netherlands. It will be rolled out in 14 countries this summer, the company has said. When making an online purchase with the MasterCard phone app, a pop-up asks whether you want to authorize the transaction with fingerprint or face recognition. If you choose to use your face, you look at your camera and blink once to prove you’re not a picture. The company says that it doesn’t store your actual picture, just a coded version of it.

ATMs with iris scanners

If a face scan sounds uncomfortably intimate, what about an eye scan?

When taking out cash, you won’t need a plastic card with a magnetic stripe — that’s a nearly 50-year-old technology, by the way — if you’re at a next-generation ATM with an iris scanner. Diebold and Citibank tested such an ATM in New York last fall. No two humans’ irises are alike, so a scan of the eye is a very accurate way to verify identity.

The prototype doesn’t have a number pad or a screen like a traditional ATM. To make a withdrawal, you first set up the transaction on your mobile app, entering the dollar amount. When you reach the ATM later, you place your eye near the iris scanner, which takes a quick video and matches it to the initial scan you previously registered with the system. If it’s a match, the machine dispenses the cash.

The company says the technology can’t be tricked with a picture or a video — or even a disembodied eyeball. “Iris-scanning technology is the second-most reliable biometric next to a DNA test and validates that the person … is alive with the use of infrared light,” says Dave Kuchenski, a senior business development manager at Diebold. Diebold is currently planning additional pilots with other financial institutions.

Kuchenski says among consumers who tried it, most said they liked it, but “a small segment … were hesitant to register their iris definition due to concerns about ‘big brother’ privacy.”

If biometrics become common at retail banks, it might become the new normal for customers to have to keep tabs on who has their fingerprints and other identifying features, just as they do with their Social Security numbers and PINs now.

Jeanne Lee is a staff writer at NerdWallet, a personal finance website. Twitter: @jlee_jeanne. This article first appeared at NerdWallet.
