IT-Security

Siemens IT Solutions and Services: biometrics for safe banking over the internet

15.08.2012

The popularity of online banking is on the rise. Initiating transactions from the comfort of your PC offers considerable advantages in terms of time, flexibility and convenience. The downside, however, is that the combination of PINs and TANs no longer provides sufficient protection against hackers and phishing attacks. In response, a biometric internet ID card now allows banking customers to identify themselves unambiguously on the web using their fingerprint.

39% of all Germans already conduct their banking on the internet. According to a recent study by Forrester Research, this share is expected to climb to 47% by 2012. There are good reasons for the growing acceptance of online banking: the internet is open around the clock, there is no waiting in line, and doing your banking online is cheaper than at a branch office. But as the volume of online banking increases, so does the threat of hacker attacks.

According to Germany’s Federal Office of Criminal Investigations, German bank customers suffered losses totalling more than € 14 million as a result of phishing and man-in-the-middle attacks in 2007 alone. To keep existing online customers and win new ones, financial institutions must strengthen customers’ trust in the internet channel over the long term.

Olaf Badstübner, in charge of banking security and biometrics at Siemens IT Solutions and Services, knows how important this channel is for the banks: “When a customer goes to a branch office to initiate a transfer, this costs the bank on average six to eight times as much as the same transaction made via online banking.”

At present, customer accounts are protected against hackers and phishing attacks by the PIN/TAN procedure. For particularly sensitive transactions, customers can additionally use the HBCI (Home Banking Computer Interface) system. While this procedure is secure, it requires the installation of additional hardware. This is not the case with the three-factor authentication procedure. Here, the customer identifies himself in three ways: by something he knows (his online banking ID), something he has (the internet ID card), and proof of his personal presence (his fingerprint).

AXSionics, a spin-off of the University of Applied Sciences in Bern, has developed such an authentication system. To further advance its development, roll it out in large volumes and operate the IT for its biometrics solution, the Swiss company entered into a preferred partnership with Siemens IT Solutions and Services in August 2007.

Transfers at Your Fingertips

The solution consists of a software component installed on the bank’s server and a so-called internet ID card in credit card format, which is handed out to the account holder. The mini-device features a strip sensor for reading the fingerprint and optical sensors for reading the code on the PC monitor. An integrated cryptography chip decrypts this data, which is then shown on the display.

To make a transfer, the user logs in at the bank’s online portal with the usual name and account number information and enters the transfer order. The bank’s server instantly encrypts the order data and sends it back in the form of a flicker code, which displays the data as six flickering black-and-white blocks on the customer’s computer screen, similar to a visual Morse code. In addition to the transfer order, the customer receives an associated transaction authentication number (TAN) in encrypted form.

The user activates the ID card and identifies himself by drawing his previously registered finger across the ID card’s sensor. If the fingerprint is recognised, the internet ID card is enabled to read and decrypt the flicker code on the monitor. The associated information and the TAN can be read on the ID card’s screen within seconds. The customer confirms the data, and the transaction is executed. “The entire process takes four to five seconds and is therefore much faster than using traditional TAN lists,” says Badstübner.

Data Protection and Protection against Hackers

The biometrics procedure is virtually forgery-proof on several levels. Since the ID card is a device that only reads information and never transmits any, there is no channel through which an attacker could reach it. The secure back-channel between the bank and the customer provides an additional way of confirming incoming orders: the transaction is not executed until the user has been identified and has repeated his or her confirmation of the data shown on the card. In addition, the financial institution can reliably identify the initiator of a transaction at any time, as the fingerprint provides a clear link between the physical person and his or her digital identity.
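The flow from the two passages above (order and TAN sealed by the bank, sent as six-block flicker frames, decrypted and shown on the card after the fingerprint match, and the tamper-evident back-channel), as an added simulation; this is not AXSionics or Siemens code. The frame layout, the 16-bit length prefix, the HMAC-SHA256-based encrypt-then-MAC and the demo per-card key are assumptions standing in for the unpublished real format.

```python
import hashlib, hmac, json, os

# Constructed per-card key; the page says the keys are stored on the bank's authentication platform.
CARD_KEY = hashlib.sha256(b"demo-internet-id-card-0001").digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in for the card's cryptography chip.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || 128-bit tag.
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("flicker code altered in transit or issued for another card")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def to_frames(data):
    # One frame = one screen image of six blocks, '#' black and '.' white, i.e. 6 bits.
    # Assumed framing: 16-bit length prefix, then the bytes, zero-padded to a multiple of 6 bits.
    bits = "".join(f"{b:08b}" for b in len(data).to_bytes(2, "big") + data)
    bits += "0" * (-len(bits) % 6)
    return ["".join("#" if c == "1" else "." for c in bits[i:i + 6])
            for i in range(0, len(bits), 6)]

def from_frames(frames):
    bits = "".join("1" if c == "#" else "0" for f in frames for c in f)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))
    return raw[2:2 + int.from_bytes(raw[:2], "big")]

def bank_issue_flicker_code(order, tan):
    # Server side: the TAN is bound to exactly this order and sealed for this card only.
    return to_frames(seal(CARD_KEY, json.dumps({"order": order, "tan": tan}).encode()))

def card_display(frames):
    # Card side (after the fingerprint match): decrypt, verify, and show order plus TAN.
    msg = json.loads(unseal(CARD_KEY, from_frames(frames)))
    return msg["order"], msg["tan"]

def flip_block(frames, idx=5):
    # Simulates a manipulated code on the screen: one block in frame idx changes colour.
    f = list(frames)
    f[idx] = ("#" if f[idx][0] == "." else ".") + f[idx][1:]
    return f
```

Because the order the card shows comes from the sealed bank message and not from the browser, a manipulated screen either fails the tag check or shows the customer an order that differs from the one they intended.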

This not only improves the level of security, but also helps the bank meet various compliance guidelines. Olaf Badstübner points out another benefit for the bank: “Thanks to the unambiguous identification of the person initiating the transaction, the banks’ liability is virtually zero. This is a critical point, particularly for credit card issuers.”

The internet ID card also protects the customer’s privacy and personal data. Since the fingerprints aren’t stored in a central database, but only on the internet ID card itself, the user maintains total control. For third parties, the personalised ID card is absolutely useless without the associated fingerprint.

Infrastructure Operation: In-house or Outsourced?

The ID card holder does not need to install any additional software and can conduct his banking with total flexibility and mobility from any PC. The bank needs two software components to deploy the biometrics solution. On the server system, an authentication platform must be installed on which the necessary cryptographic keys are stored. And to generate the flicker code and transmit the data optically, an additional web application must be implemented.

If the bank believes that running these systems in-house is too complex, the IT service provider offers an alternative: “In addition to implementing this infrastructure, we also offer running it as a managed service. This means that Siemens IT Solutions and Services will operate the system in its banking-certified data centres and handle the entire encryption process,” explains Badstübner.

First Test Projects Are Promising

Many German and international financial institutions have already expressed great interest in the solution, which was unveiled in December 2007. A well-known German bank is currently testing the system. “In prior tests of user-friendliness as well as in first test runs by banks, the solution has produced very good results. We are currently engaged in active talks with several financial institutions, and we expect to see the first practical pilot projects within the next few months,” reports Badstübner.

With its internet ID card, Siemens IT Solutions and Services addresses not only banks but also online service providers, as every web-based service requires secure identification of its users and protection of payment data. For example, the system could be used to grant secure access to internet file storage and online stores. This would benefit not only end customers, but banks and online providers as well.

On the one hand, banks could offer attractive product bundles by working with internet service providers and thereby gain a competitive edge. On the other hand, the added value might make customers more willing to bear some of the costs of the internet ID card themselves.

Ultimately, the final terms and cost details will be based on each bank’s particular business model.

Contact:

Astrid Heinz
Siemens IT Solutions and Services
Siemens AG,
Munich, Germany
Tel.: +49 89 636 527 49
Fax: +49 89 636 421 62
astrid.heinz@siemens.com
www.siemens.com/it-solutions