Despite the wealth of physical resources and electronic access points that modern credit unions must monitor, it’s important to remember that all security-related issues — both positive and negative — start with people. Perhaps that’s why some credit unions are harnessing biometrics — a merger of both biological and electronic information — as a way to help lock down potential vulnerabilities.
No Time For Downtime
With 38 branches — including 17 in Germany — Service Credit Union ($2.3B, Portsmouth, NH) is essentially a 24-hour operation. Despite its size, the credit union relies on one-on-one interactions to identify choke points in process and security. When chief information officer Bill Arnold joined the credit union in 2009, he asked IT staffers to use their on-site visits with the front line to proactively identify minor, yet recurring, pains that could — in aggregation — negatively impact service and security across the institution.
“As technologists, we sometimes make the mistake that our people are plug and play just like our solutions,” Arnold says. “We need to take the time to really identify and understand any needs our fellow employees might have.”
One issue that immediately sprang to the forefront during these visits was the number of credentials employees needed just to do their jobs.
“We had employees with 30 different username and password combinations,” Arnold says. “They would have them all written down on a pad that they kept in their desks or in their cash drawer.”
In addition to posing a security risk, this environment was also generating a steady stream of account lockouts, password resets, and other account access issues that were consuming a disproportionate amount of the IT help desk’s time.
Use What You’ve Got, Literally
Prior to joining Service, Arnold served as vice president of IT at Purdue Federal Credit Union ($786M, West Lafayette, IN), which was the nation’s first financial institution to incorporate biometric access for member accounts.
Given his background, Arnold quickly identified how a similar solution might remedy the employee-facing issues at his new institution. After surveying available options, Service moved forward with a system from California-based Digital Persona in 2010. By first quarter 2011, it had deployed fingerprint readers for every PC and laptop at the institution at a cost of roughly one-eighth of a new help desk hire.
Each time an employee scans their fingerprint, a client on each PC connects to the Digital Persona server, which then searches for a match and bridges back into the credit union’s active directory of authorized user accounts.
“Today, almost every internal and web-based system used by our staff is enabled for biometric authentication,” Arnold says. “You can forget passwords or lose access cards, but it’s really hard to forget to bring your finger to work.”
The number of client support requests has dropped significantly since implementing this system, which allowed Service to eliminate the department altogether.
“We still do some of our user access management activities manually, but we’ve been able to move the three people who were in client services to new areas and have them focus more on other critical issues,” Arnold says.
Biometrics has also helped Service control and limit the spread of sensitive information that could be exploited to hurt the credit union.
“Employees don’t actually know or have access to their passwords anymore, so we don’t have to worry about where that information ends up,” Arnold says.
And although the education and training required to onboard employees on the use of this authentication technology is fairly streamlined compared to offering the same service to members, Service is open to that option in the future.
“Even if you have thousands of members, you can still use a one-to-one authentication formula, which means the system looks for and compares information only on the specific profile for the name given,” Arnold says. “A one-to-many system, like those used by law enforcement, searches through the full database and feeds back several likely matches, but there’s a real cost and extra time associated with that.”
Best Practices For Implementation
Despite its many advantages, biometrics is still a hard sell for some, admits Arnold. Here, he highlights three common concerns a credit union might encounter with biometrics and the education and approaches that are helpful in addressing them.
Ouch, That’s Gonna Leave A Mark
Injuries or alterations can temporarily or permanently alter the physical traits used for biometric authentication. And in colder climates, an issue as simple as dry skin may also cause problems.
To address these variations, credit unions need to find an acceptable balance in selecting their confidence threshold, Arnold says.
“You can set a system to look for a 100% match, but a 95% match is sophisticated enough for one-to-one authentication and it still provides enough wiggle room to limit unnecessary user headaches.”
The Man With The Golden Thumb
“Due to extreme wear on the ridges of the finger, an injury, or some other factor, a very small section of the population has prints that will never be scannable,” Arnold says.
For this reason, he recommends member-facing biometrics only as secondary form of authentication and advises institutions to keep ready alternatives in place when such cases do come up.
Conspiracy Theorists And Hollywood Heists
Given rapid-fire revelations about the extent of the government’s reach into supposedly secure networks, consumers might harbor concerns that their biometric profiles could somehow be accessed without their permission or even used against them.
“The good thing is that these readers just establish a string or a number of points that describes your fingerprint,” Arnold explains. “It’s a one-way system that can’t be reversed engineered to recreate a fingerprint.”
And don’t let members or employees believe what they see in the movies. Most modern readers scan under the first layer of skin to the capillaries beneath to check for liveness — body heat, pulse, etc. — so a severed finger or an artificially produced decoy would not fool the system.