Monday, 29 July 2013

Bankers still worried with Aadhaar authentication

According to a report in the Economic Times on Monday, the Unique Identification Authority of India is pushing for biometric authentication for credit card and ATM transactions, but bankers are reluctant to make changes since technology costs are high.  Bankers argue that upgrading every ATM and point of sale terminal at thousands of merchant outlets will not come cheap, besides travails and risks of a new technology, says the report. But aren’t we forgetting something here? ATM with biometrics is not a new idea. It has been tried and discarded as a failure when the ATMs did not authenticate the biometrics of many underprivileged persons and left them without access to their own funds, especially when banks were closed.

While use of biometric ATMs looks good on paper, its implementation so far has proved costly for the banks as well as for the end-users. On 1 December 2006, Citibank had issued a global release about the launch of its biometric ATM with multi-language voice instruction capability. It had tied up with an NGO called Swadhar FinAccess and a microfinance firm for Citibank Pragati accounts. The experiment ended in a whimper. In fact, the drumbeat for biometric ATMs began in 2005 as suggested by this report in The Financial Express. In 2007, Andhra Bank had launched biometric ATMs and wanted to make them mobile, to cater to the burgeoning microfinance business.

Canara Bank set up its first biometric-based ATM at Dharavi, in Mumbai in 2008 with much fanfare. It was a dual purpose ATM, which accepted cards as well as thumbprints for banking transaction (mostly cash withdrawals). The biometric-based ATM was expected to cater to the needs of working class, especially housemaids and other people in Dharavi. In fact, even after the global financial crisis, the biometric ATMs and tie-ups continued because micro-finance firms were still seen as saviours and had not revealed their exploitative and rapacious side.

The ground reality turned out to be completely different. According to information provided by several non-government organisations (NGOs) spreading financial literacy in that area, the biometric ATMs in Dharavi failed from day one. The reason? The working class there, especially housemaids and other labourers, do not have fingerprints, without which they could not operate the ATM!

Not having fingerprints is just one of the issues with the biometric-based ATMs. The more serious issue is the danger it may pose to the user as thieves may stalk and assault the person to gain access. If the item is secured with a biometric device, the damage to the owner could be irreversible, and potentially cost more than the high risk merchant account. For example, in 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal his car.

In addition, biometric-based passwords are irreversible. That means they cannot be re-issued in case of loss or theft. If a token or a password is lost or stolen, it can be cancelled and replaced by a newer version. This is not naturally available in biometrics. If someone's face or fingerprint is compromised from a database, it cannot be cancelled or reissued.

Another problem associated with the biometric-based ATM is its cost, both installation and operations. The biometric-based ATMs, as proposed by the Reserve Bank of India (RBI) to facilitate use of Aadhaar data, are more costly than the regular card-based ATMs. While consumers are increasingly complaining about reasonableness of bank charges, the banks themselves are lobbying hard with the RBI, claiming that high cost of technology is making each transaction very expensive. For instance, having encouraged and pushed to obtain corporate accounts of companies, banks are now cribbing about high transaction costs on small withdrawals from ATMs.

For instance, a senior central banker says that each balance inquiry at an ATM costs the bank Rs11 while each transaction costs around Rs18. However, this calls for a serious discussion on the cost-benefit of technology to consumers, since the solution cannot be to load higher costs on to consumers.

And while the UIDAI and RBI are still thinking about using the Aadhaar number or fingerprints collected under the UID scheme for authentication of transactions, the world has moved ahead. The world over, fingerprint-based ATMs are being replaced by biometric ATMs, which use ‘finger vein scanning’ technology to authenticate the customer's ID. Unlike current fingerprint scanners, the finger vein scanner, developed by Japanese company Hitachi, uses infrared light to analyse the micro veins beneath the surface of the finger. According to Hitachi, it is impossible to fool its machine, as it is not possible to replicate an individual's finger veins. In addition, it does not work with fingers that have been chopped off, the company had said.

In addition, several experts have pointed out that using Aadhaar for identification is completely different from using it for authentication. Especially when it comes to using biometric data of Aadhaar for payment transactions, the facts are not too encouraging. Several poor people like housemaids and construction labourers are finding it difficult to even enrol for Aadhaar due to lack of a clean fingerprint sample. Some could not even submit a sample of their iris due to cataract. In such cases, how will Aadhaar help in authenticating the card-present transaction? Also, why burden the entire banking system with high costs, which will have to be paid by hundreds of millions of account holders who have no need for biometric identification and have no reason to support biometric authentication systems?

Coming back to the issue of using Aadhaar or UID for authenticating card-present transactions, it looks good only on paper. As per the latest census, 58.7% households were availing banking services in 2011 as compared with 35.5% in 2001. Notwithstanding these efforts by the RBI and the offshore merchant account, the challenges are enormous. Providing banking coverage to a population of 120 crore and ensuring transactions in these accounts is a daunting task.

While the government and the RBI have asked banks to accept the Aadhaar number as one of the identification proofs for opening an account, the lenders are not sure about the authentication and verification of these numbers for payment systems. The RBI itself was not confident about Aadhaar as it felt that the UID project is not ready for handling secure payment transactions.

According to the Economic Times report, there was a distinct possibility that RBI would ask banks to gradually roll out Aadhaar-based biometric authentication as an additional authentication for card transactions. RBI may not mandate banks immediately, but may nonetheless ask them to upgrade the technology. This is happening at such a time when banks are issuing credit and debit cards based on Europay, MasterCard and Visa (EMV) chip technology, the report said quoting a banker.

According to a report by a "Working Group on Securing Card Present Transactions" of the Reserve Bank of India (RBI), there is a need to put in place a series of measures to strengthen the payments’ infrastructure and ecosystem in the country. Inferences drawn from case studies clearly indicate the need to have a much stronger authentication mechanism and reiterate the need for a second factor (2FA) for card present transactions.

The report discusses new systems like EMV chip cards with PIN, which have been adopted by many countries, and enhancing the current MSD card system with help from biometric identification.

"Aadhaar (issued by UIDAI) authentication using biometrics, provides a strong 'Who you are' factor of authentication. This can be combined with a second 'What you have' or 'What you know' factor to achieve strong customer identification at the point of sale," the report said.

While the option to use biometrics from the UIDAI database looks good, it may not, in practice, be a viable option due to insufficient feasibility tests. "The working committee considered biometric, or UID, as the second factor in one of the solution sets; however, the decision to adopt this would depend on various factors like the number of UIDs issued to the population which transacts through cards, the error rates, authentication network capability to handle transaction volumes, network capability to handle enhanced transaction size and acquiring infrastructure," the report said.

According to the Economic Times report, another working group set up to study the recommendation of the previous group has recently submitted its report to the RBI. “(the) panel has pegged the cost of banks' readiness for Aadhaar at Rs4,259 crore compared with Rs3,556 crore the banking industry has to spend to upgrade machines to match a different technology they think lowers the risk of card frauds,” the report says.

Unfortunately, instead of addressing all the problems related to Aadhaar, the UPA government is forcing its usage and acceptance, that too without any Parliamentary approval for the UIDAI scheme. The hard push for biometric ATMs is just one of the examples of how technology is being used to exclude the needy, without even thinking about the cost.
