That was the question asked by the European ATM Security Team (EAST) in its website research poll conducted from July to September 2010. 73% of the respondents would not use the technology, or were cautious about it.
The participants were asked if they felt comfortable with the notion of having their finger scanned. The results below follow the statement:
If ‘finger vein’ biometric technology was on an ATM:
- I would be happy to use such technology in place of my PIN (27%)
- I would only use such technology after full explanation as to how my personal data will be held and controlled (23%)
- I would not use such technology due to concerns about personal data privacy (50%)
So the majority would not use the technology, or are cautious about it. Biometric ATMs are, however, well established in Japan, where tens of thousands are now in operation, and in Brazil. A common system is ‘finger vein’ identification technology. The transaction is authorised by a finger scan, rather than by entering a PIN.
This technology has been launched in Europe by BPS Bank in Poland, which is running a trial using a system developed by Hitachi and Wincor Nixdorf. The technology combines ease of use for customers with enhanced card protection.
My concern is the possibility of my biometric data template falling into the wrong hands or being misused. There is a big difference between a compromised PIN and compromised biometric data. My finger vein pattern is not going to change and, once taken and stored, the data is out of my control for ever (yes, maybe data protection legislation says it should be destroyed once an account is closed, but if that is the case how do I know that it actually happened and, even if it did, was it compromised beforehand?).
A compromised PIN can be changed, and is for the sole purpose of authorising transactions for a single card - it is unique for that card, which can be re-issued if compromised. For online transactions we are told to never use the same password for different purposes. It also can be changed if compromised. Yet hypothetically, if I have accounts with several different card issuing banks and they all use finger vein technology for ATM transactions, then I am using the same authentication (admittedly unique to me) for multiple cards (and possibly other future legitimate purposes).
The industry view is that compromise of stored biometric data is impossible - but is anything impossible relating to data that is held on computers? The cynic in me says that insider and external vulnerabilities will always exist for stored data and that those with the necessary technical know-how will find them. I agree with the 50% - what's your view?