Thursday, May 13, 2010

Polish bank claims Europe's first biometric cash point

From The Independent (UK)

Could it be? Are token-less ATM machines now in use in Europe?

From day one, cash machines have required a token and a PIN. The token, a plastic card, identifies you to the banking network and the PIN confirms that the card is being used by someone who knows the account holder's password.

When the card is introduced into the machine, the banking network already knows the correct PIN that goes with the card. The computer network has only to answer one simple question: Does the PIN that goes with the card match the PIN that was just entered into the machine? If the answer is yes, the transaction is executed and the ATM user gets her cash.

In the case of the token-less ATMs described in the article linked above, it is less clear what is going on. Unlike the magnetized plastic card, fingerprints and PINs don't store any account information so their use can't lead directly to a simple yes/no question for the bank software to sort out. So what is happening?

It's probably not the case that the bank customer puts their finger on a sensor and the bank software identifies the proper account from the finger alone to be confirmed later by the PIN. This would require the bank software to answer a yes/no question as many times as it has finger vein-enabled accounts every time someone uses the machine. Example: Does this finger go with account 1? If no, does this finger go with account 2? If no...

I suspect that, in order to dispense with the plastic card, the machine's software designers ask the user to input their PIN first. That would reduce the number of yes/no questions the software must answer in order to confidently establish a user's identity by a factor of 10,000 by allowing the software to search only from among accounts that use the same PIN. Given that there probably aren't very many consumer checking accounts that are finger-vein accessible, the customers of BPS SA aren't likely to notice any increase in the machine's response time over earlier cash machine models.
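The search-space reduction described above, as an added sketch that is not from the article or the bank's software: it counts the yes/no template comparisons for a finger-only search against a PIN-first search. The toy matcher, the constructed enrollment data and the uniformly random 4-digit PINs are all assumptions.

```python
import random
from collections import defaultdict

DIMS = 16  # length of the toy "vein template" (assumption, not a real format)

def enroll(n_accounts, seed=1):
    """Constructed sample data: uniform random 4-digit PIN and template per account."""
    rng = random.Random(seed)
    return [(acct, f"{rng.randrange(10_000):04d}", [rng.random() for _ in range(DIMS)])
            for acct in range(n_accounts)]

def noisy_sample(template, rng, noise=0.02):
    """A fresh scan of the same finger: the enrolled template plus small sensor noise."""
    return [x + rng.uniform(-noise, noise) for x in template]

def matches(probe, template, threshold=0.05):
    """Toy matcher (hypothetical): mean absolute difference under a threshold."""
    return sum(abs(a - b) for a, b in zip(probe, template)) / DIMS < threshold

def search(candidates, probe):
    """Return (account or None, number of yes/no comparisons performed)."""
    comparisons = 0
    for acct, template in candidates:
        comparisons += 1
        if matches(probe, template):
            return acct, comparisons
    return None, comparisons

def identify_exhaustive(accounts, probe):
    """Finger only: compare against every enrolled account until one matches."""
    return search(((a, t) for a, _, t in accounts), probe)

def build_pin_index(accounts):
    """Group enrolled templates by PIN so a PIN selects a small candidate list."""
    index = defaultdict(list)
    for acct, pin, template in accounts:
        index[pin].append((acct, template))
    return index

def identify_pin_first(index, pin, probe):
    """PIN first: compare only against accounts enrolled with that PIN."""
    return search(index.get(pin, []), probe)

if __name__ == "__main__":
    accounts = enroll(20_000)
    acct, pin, template = accounts[-1]  # worst case for the exhaustive search
    probe = noisy_sample(template, random.Random(2))
    print("finger only:", identify_exhaustive(accounts, probe))
    print("PIN first:  ", identify_pin_first(build_pin_index(accounts), pin, probe))
```

With the right finger but the wrong PIN, the PIN-first search returns no account, because the matching template is never in the candidate list.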

A system such as the one described in the article, however, is likely to experience considerable growing pains. First, in order to serve other banks' customers and to reap the considerable fees to be charged in so doing, the machine must still support the old-fashioned card-and-PIN model, adding to the costs of the machine by adding an input device to the older model (sensor/card reader/key pad vs. card reader/key pad).

Then, as the number of the bank's customers who use the finger-based method to access their accounts increases, the number of yes/no questions the software must sort through increases as well, slowing response time.

When my local bank adopts a finger-based system, I can start using the BPS SA machines while in Poland, correct? Not necessarily. If my bank uses the same Hitachi software that BPS SA uses, then things might work out, but if it has chosen another finger-based biometric vendor then things are unlikely to go well unless the banks involve a middleware vendor such as SecurLinx.

Over time, and with the giant leaps in computing power implied by Moore's Law, applications like the one described in the linked article will be brought to the market, improving the efficiency of the banking industry and improving the lives of people worldwide. Those days, however, are still in the future. The BPS SA case is probably best seen as a proof-of-concept experiment, rather than a full commercial deployment.

The exact same critiques could have been and probably were voiced when John Shepherd-Barron, the inventor of the cash machine, first pitched his idea to Barclays way back in 1967. Kudos to BPS SA for blazing the trail.