Sophos Cloud Optix
ATM access has traditionally been about you inserting your bank card and then entering your PIN – but that may be about to change.
Cash machines being rolled out in Poland are using a different form of identity verification developed by Japanese electronics company, Hitachi.
The new cash points, set to appear in 2,000 locations around the country, take a new approach to biometrics.
The infrared scanner on one of these new machines will literally get under your skin as it scans the veins inside your finger. The light from the scanner is partially absorbed by haemoglobin in the veins and returns a unique pattern which can then be matched to an existing profile.
Hitachi spokesman, Pete Jones, talking about the use of veins as a means of identification, said:
They are a physiological feature that is established in the mother's womb. As the person grows, they remain the same. Even if someone becomes very overweight, all that happens is that the pattern scales up. We have been researching this technology for 15 years and found it to be very stable.
Such technology looks to be gaining in popularity, having already been installed in several countries.
Isbank, Turkey’s largest commercial bank, had 3,400 Hitachi units installed by 2012 and Ogaki Kyoritsu Bank Ltd have employed a comparable system since September of the same year.
A similar technology has also been devised for shops in America.
Developed by Fujitsu, Biyo allows customers to pay for goods by placing their hand over a scanner which reads the veins under the skin of their palm.
The accuracy of vein identification appears to be extremely high with Biyo claiming:
The acceptance rate for a scanned palm vein pattern is 99.99992%.
The company also employs two factor authentication, a feature that would appear to be lacking from the use of the technology within the ATM framework:
We use your phone number as a second factor of authentication to make sure that your data is safe. Think of your phone number as your username, and your palm as the password. You won’t have to worry about people creeping over your shoulders to steal your payment information.
Despite the lack of two-factor authentication, cash machine users needn’t worry about the consequences of having their fingers cut off by criminals looking to access their bank accounts – Biyo helpfully points out that one limitation of such scanners is the requirement of blood flow through the particular veins that are being scanned (so it would still be advisable to pay attention to who is behind you at the cash point).
Even so, such technology does not represent a silver bullet in terms of eradicating all types of ATM fraud.
We should not forget that cash dispensing machines are, at their heart, computers, so enterprising individuals and criminal organisations alike will always being looking for new ways to hack them.
Naked Security readers with good memories will remember the late Barnaby Jack and his demonstration of ‘jackpotting‘ at Blackhat Las Vegas in 2010 which highlighted how an ATM could be remotely manipulated into dispensing a given amount of money.
And earlier this month the Daily Mail reported how Maxwell Parsons created a program that allowed him and his gang to circumvent card limits and reverse ATM and Chip-and-PIN payments.
Image of ATM courtesy of Shutterstock.
How long until we hear the story about someone defrauding banks using severed fingers?
As mentioned above, it seems that blood circulation is required to make the technology work.
Unfortunately, the sort of thug that would sever digits for a cash advance is not likely to keep up with Naked Security.
Crooks tend to know what works and what doesn’t, though. Surely a thug who would be willing to cut off your finger in the hope of doing one withdrawal would instead simply compel (impel?) you to withdraw the cash yourself and hand it over…along with your card and PIN, perhaps?
What about if you used your big toe?
What I wonder about is whether a cut or scar could affect the reading, so as not to match the original scan.
Don’t veins rearrange themselves to sort out blood flow problems, especially after injuries? If one gets blocked or damaged, another one takes over the load, or something vaguely like that?