WORLD Markets + Enterprise March

RESOURCES White Paper 2008

INSTITUTE

Biometric
Security for
Mobile Banking
By Loretta Michaels

Forward
By Dr. Allen L. Hammond

Washington, DC 20002 USA tel +1 202 729 7600 fax +1 202 729 7610 http://www.wri.org
World Resources Institute gratefully acknowledges generous financial assistance from Vodafone, PLC for the
research presented below.
 Markets + Enterprise
White Paper
Foreword
Innovations in Financial Services for the Poor
Dr. Allen L. Hammond1
Over the past 30 years, the rise of microfinance has
helped many Base of the Pyramid (BoP) households
to improve their livelihoods and even, in some cases,
to climb out of poverty. Microfinance is increas-
ingly becoming a commercial activity with significant
involvement by banks. And with an industry-wide
client base of approximately 80 million borrowers, it’s
clear that Muhammed Yunus deserved his Nobel Peace
Prize. But the need for access to financial services by
BoP households is both much larger than 80 million
customers and more varied than micro-savings and
micro-lending.
I believe that the next truly transformative innovation
in financial services for the poor is now visible. That
innovation is mobile phone banking—already fully
commercial in the Philippines, in South Africa, and in
Kenya, and gathering momentum virtually everywhere
in the developing world. While banks may play an im-
portant role in this activity, the real catalysts are likely
to be technology owners and experts. Specifically,
two parties will be key to the coming mobile banking
revolution: first, the mobile telecom companies that
own the networks capable of reaching several billion

unbanked people and the servers capable of process-
ing many billions of tiny transactions; and second, the
startup mobile transaction companies that are figuring
out innovative ways to use those networks.
The following report, Biometric Security for Mobile
Banking, addresses a key barrier to an impending
technology-driven revolution in financial services for
the poor. This forward provides some context for the
report and its findings by describing technology trends
and their potential implications for access to financial
services.
Enabling Technology Trends
There are several technology and business trends
worth mentioning here. One is the build out of mo-
bile telecom networks, arguably the most remarkable
(and largest) recent technological phenomenon on the
planet. There are already more than 1.5 billion mobile
phones in use in developing countries, and that num-
ber is likely to reach 2.5 billion within the next 5 years.
More than 80 percent of new customers worldwide
will come from developing countries, and since nearly
everyone in developing countries who is not part of the

Markets + Enterprise
White Paper
BoP already has a mobile phone, that growth will come
almost entirely from adding BoP customers.
Growth is still explosive—in India, mobile compa-
nies are adding more than 8 million new customers a
month and plan to build more than 30,000 additional
cell towers in the coming year. Mobile companies in
Africa plan to invest $50 billion to expand their net-
works in the next five years2—double the rate of invest-
ment of the past five years. Impending privatizations
of government-owned phone companies in countries
with large, unserved rural populations, such as Viet-
nam, are attracting many interested bidders.
A recent empirical study of low-income consumers’
spending patterns showed that the share of BoP house-
hold expenditures on ICT services (largely mobile
telephony) rises 8-fold between the lowest and the
highest income segments of the BoP. This is a far more
dramatic increase than any other sector and a clear
preference that underscores the huge latent demand
remaining to be tapped3. This is especially the case in
Asia and Africa, where BoP populations and markets
are dominantly rural and not yet well served by mobile
networks.
A second trend is the increasing technological sophis-
tication of mobile handsets, even as prices decline.
Virtually all basic handsets now include voice and
data capability and significant memory; many are
multimode (capable of working over more than one
frequency band); cameras are increasingly a common
feature, even for low-end handsets. Some high-end
handsets include Wi-Fi capability, and there appears
to be no technological reason why Internet-enabled
mobile handsets (e.g., multimode handsets with a
Wi-Fi radio) cannot easily be made available to low-
end customers as well (one estimate is that the cost,
in quantity, of adding a Wi-Fi chip to a handset will be
less than $5 per phone).
Moreover, costs of entry-level handsets continue to
decline: $30 GSM phones are common, and a $20
handset is planned for release in India later in 2008.
The processing power of handsets is also increasing

Forward: Innovations in Financial Services
for the Poor
Dr. Allen L. Hammond
rapidly, and is expected to equal that of today’s PC
within about 5 years. Thus, mobile phones are becom-
ing inexpensive, Internet-enabled, multimedia-capable
computing devices—with a replacement market ap-
proaching 1 billion phones per year. So it’s not hard to
think of them as portable banking terminals.
Of course, conventional mobile phone networks don’t
yet cover many rural parts of developing countries,
and may never do so. The costs of installing a mobile
network (usually more than $100,000 per cell tower,
including diesel generators) may simply be prohibitive,
especially where sparse populations and low incomes
mean that a positive return on investment will be a
long time in coming.
Such high costs lead us to a third technology trend,
which may prove important, especially for BoP finan-
cial services—the growing capability and very low
costs of advanced fixed wireless networks—especially
Wi-Fi or WiMax networks4, but including advanced
VSAT networks. These technologies are based on open
standards, attract many manufacturers, and hence have
declined in cost very rapidly. They also are optimized
for data—they are broadband networks capable of
carrying a much higher volume of Internet or data
traffic than are the proprietary cellular networks com-
monly deployed by mobile telecoms. That makes them
ideal for a wide range of services, including Voice over
Internet Protocol (VOIP), commonly called Internet
telephony—and it may turn out that these advanced
networks are especially well suited as a way to extend
mobile telephony into more remote, rural areas.
Trends in Action: The Case of Vietnam
World Resources Institute, in partnership with USAID
and AUSAID, a provincial government, and a mobile
telecom company—as well as Intel and other equip-
ment vendors—has recently deployed just such a
Wi-Fi/VoIP network in a poor, rural part of Vietnam5.
The pilot uses advanced mesh Wi-Fi technology to link
together a group of rural villages, and advanced Wi-Fi
backhaul technology to link those villages to existing
optical fiber. It provides voice service using VoIP on
Wi-Fi-enabled phones and Internet access to telecen-

Markets + Enterprise
White Paper
ters or individual computers. The structure of the net-
work makes it possible to provide local calling—within
a group of villages—at no cost (in effect, these villages
are all within a large Wi-Fi hotspot), while charging
normal prepaid tolls for calls to more distant locations.
Since about half of the phone calls in most local net-
works stay local, free local calling is a powerful incen-
tive to own a phone. But the most interesting charac-
teristic of the network is its low cost: we estimate that
the capital investment required to build this network
to cover every rural village in a million-population,
mountainous province is about $3 per person ($15 per
household)—between one-fifth and one-tenth the cost
of a conventional cellular network in the same terrain.
An additional characteristic of the Wi-Fi networks is
their low power requirements, such that they can be
powered with solar cells instead of diesel generators,
when no reliable access to the electrical grid is avail-
able—making these networks more environmentally
benign as well. Thus we believe that mobile telecom
companies will be able to profitably provide service
even in remote rural areas. With Wi-Fi-enabled mobile
handsets, the phones will work on either the village
Wi-Fi network or the urban cellular network. In fact,
most users won’t know or care which network the
phone is using.
It may seem strange to suggest building a modern,
broadband network with cutting edge technology in
the world’s poorest areas. Yet the justification, I believe,
is that the technology (or rather the services it enables)
is simply more valuable for rural BoP communities
than in more developed, urban locations that already
have a variety of options for connectivity. When you
have no phone service and no Internet access, your first
connection makes a huge difference—and it may only
be affordable with the very latest technology6. The de-
mand for affordable phone service and for Internet ac-
cess in BoP markets is, as pointed out above, very large
and largely unmet. As it turns out, more than half a
dozen of the world’s leading mobile phone companies
active in developing countries have expressed interest
in this approach and in visiting the Vietnam pilot to
see for themselves both how it works and the extent of

Forward: Innovations in Financial Services
for the Poor
Dr. Allen L. Hammond
customer acceptance.
Mobile Banking for the BoP
What are the implications of these broader technology
trends for mobile banking, and especially for extending
banking services to low-income, rural areas? Let me
start with an example from my recent work in Vietnam.
If you are out on the streets around midnight in Hanoi,
Vietnam’s capital, you cannot miss the thousands of
motorbikes streaming into the city, so loaded with
produce that the driver is nearly invisible. These farm-
ers are taking their produce to wholesale markets that
operate at night, so that the products reach stores and
restaurants in time for the next morning. The farm-
ers, however, don’t stay—they turn over their crop of
flowers or vegetables to the owner of a market stall, and
then start the (often long) journey back to their rural
village. How do they get paid for their crop? Usually,
not until the next time they come back into the city—
which might be a month or more later, when they
return with their next load of produce. Suppose they
could get paid the next morning, as soon as their crop
is sold by the market stall, on their mobile phone?
That mobile phone banking will benefit rural BoP
families seems clear. The continuing rapid growth of
mobile telecom networks and customers provides an
enormous potential market for banking services—the
2.5 billion people in developing countries expected to
be mobile phone customers within 5 years. The grow-
ing processing power and sophistication of mobile
handset technology will make possible a wider range
of services such as advanced transaction security and
voice recognition/voice synthesis that could benefit
BoP customers, (for example by coaching illiterate
customers through a banking transaction), while de-
creasing costs place mobile handsets within reach of a
wider market. Extending mobile networks with Wi-Fi
or other fixed wireless technologies and with Internet
telephony can provide coverage in more remote or
sparsely-populated areas, as well as lower costs for local
calling. Therefore, conditions are favorable for extend-
ing financial services to the vast number of people in
developing countries that are now unbanked.

Markets + Enterprise
White Paper
Two basic kinds of mobile banking models have been
deployed: bank-centric models that work under the
banking license of a single bank and will work on one
or frequently multiple mobile telecom networks; and
telecom-centric models that work on a single telecom
network but are compatible with multiple banks or
banking networks.
Wizzit (a start-up company) in South Africa uses
a bank-centric model that can work with multiple
mobile networks; the Smart money network in the
Philippines is also bank-centric, but works only on
the Smart Telecom mobile network; and m-Pesa in
Kenya is bank-centric, but works only on the Vodafone
(Safaricom) mobile network. G-cash, deployed on the
Globe Telecom mobile network, is a telecom-centric
model that works with multiple banks. These models
have been discussed elsewhere and I will not elaborate
on them here. But it is perhaps useful to note that
Vodafone expected some 200,000 customers at the
end of the first year of operation of its m-Pesa system
in Kenya, but found itself dealing with long lines of
eager customers that resulted in 200,000 customers in
2 months and more than 1 million customers in less
than a year. There is no shortage of demand for mobile
banking services.
These models may well be rapidly replicated. Globe
is franchising G-cash to other mobile companies;
Wizzit plans to do the same; Vodafone is planning
to replicate m-Pesa on other Vodafone networks in
developing countries. Other models will appear. All
Mexican banks, for example, have signed onto a com-
mon platform for m-transactions and will shortly begin
deploying mobile banking services. There is move-
ment toward mobile banking in Nigeria, Pakistan, and
a number of other countries. We are probably entering
an era of rapid experimentation and competition, from
which the winning models will emerge.
I believe that it is plausible that the next 5 years will see
1 billion unbanked people gain access to financial ser-
vices via mobile phone banking. Mobile telecom com-
panies in developing countries already understand that
their growth is dependent on serving BOP customers,

Forward: Innovations in Financial Services
for the Poor
Dr. Allen L. Hammond
and they are eagerly looking for value-added services
to offer those customers. From that perspective, mo-
bile banking looks like a killer application—one that
will drive phone usage and increased individual phone
ownership (you might share your phone, but you are
less likely to share your wallet).
Mobile Transactions
Mobile banking provides a way to offer a wide range
of financial services. In addition to cash management,
loan and bill payments, direct deposits of salaries or of
receipts from retail sales or other commercial transac-
tions, mobile networks can also offer remittances and
money transfers and, either directly or via a linked
debit card, facilitate cash-less consumer purchases. In
Kenya, Vodafone found that some m-Pesa customers
were using the system to provide a safe way to carry
funds from one location to another—they would
deposit cash to the system, and then draw it out again
upon reaching their destination. Typically, both bank
branches and a wide range of retail shops provide
cash-in and cash-out locations, where mobile banking
customers can exchange cash for digital credits or vice-
versa. In the Philippines, Smart money customers are
notified of a remittance from a relative overseas via a
text message and can pick up their cash at any McDon-
alds or at a large number of small convenience stores
or kiosks or have it credited directly to their debit card.
Given the large and rapidly growing volume of both
international remittances (estimated at $300 billion/
year) and domestic money transfers, and the hazards
of carrying cash in many parts of the developing world,
this broad range of services will find ready markets.
In addition, mobile phones can provide a marketing
and sales platform for additional financial services,
such as insurance (life insurance, health insurance,
and crop or weather insurance), since they can read-
ily provide information on or answer questions about
specific products, in local languages. (Such informa-
tion is especially easy to provide with the VoIP systems
described above as part of village Wi-Fi networks,
since they can be programmed into the VoIP switch-
es—e.g., they are automated software-based products,
even if delivered as voice). Moreover, the transaction

Markets + Enterprise
White Paper
records including payment or remittance records of a
customer’s mobile phone account may prove a kind
of substitute credit rating that could qualify a mobile
banking customer for a micro-loan—applied for, ap-
proved, paid out, and eventually repaid over the mobile
platform. Both of these (still hypothetical) examples
illustrate how mobile transactions could dramatically
lower transaction costs, compared to conventional
banking methods, thus making BoP financial services
more affordable to customers and more profitable to
banks.
Barriers to Mobile Banking
A key barrier to the rapid expansion of mobile banking
is lack a familiarity with the technologies and business
models on the part of both banks and telecom compa-
nies, and the necessity of establishing partnerships that
involve both kinds of companies. As awareness spreads
of the success of mobile banking efforts and of the
details of specific models, however, these hesitations
are beginning to disappear. Competition and the fear
of being left behind will increasingly spur innovation.
A more significant barrier is regulatory approval,
especially by central banks and sometimes by telecom
regulatory authorities7. Central banks – along with the
U.S. Treasury Department – are concerned that mobile
banking provides adequate protection to customers
and to the banking system itself against fraud, money
laundering, and other criminal activities such as
transfer of funds by terrorist organizations. At pres-
ent, security for mobile banking transactions rests on
several parallel approaches: device-based security, such
as the unique SIM card within each mobile handset
that identifies the customer who owns the phone;
know-your-customer requirements, especially for the
retail cash-in/cash-out points that are usually required
to have a traditional bank account and establish their
identity to the bank in order to open the account; and
pattern recognition software that tracks transactions to
ensure that limits on the size and frequency of trans-
actions does not exceed regulatory limits that might
suggest money laundering activity. The weakest link is
device-base security.

Forward: Innovations in Financial Services
for the Poor
Dr. Allen L. Hammond
Many central banks in developing countries have
yet to establish rules for mobile phone banking, nor
have they set in place some version of the transaction
security system described above. And because mobile
banking is still in its infancy, serious criminal attention
to defeating these systems, for example by hacking SIM
cards so as to “establish” fake accounts or take over le-
gitimate accounts, has probably not reached the levels
likely to occur eventually. Building capacity in central
banks and spreading awareness of safeguards and how
they need to be implemented is important to accelerate
the spread of mobile banking.
Biometric ID and Enhanced Transaction Security
There may also be a significant role for technology in
improving mobile transaction security, as the follow-
ing report makes clear. There has been a lot of work on
biometric identity systems in recent years. The report
surveys that work and assesses its relevance for mobile
banking. In particular, it identifies a biometric technol-
ogy approach that has already been incorporated in
some mobile handsets—a sophisticated, but low-cost,
fingerprint sensor.
Use of this approach for mobile banking would work
something like this: When a customer initiated a
mobile banking transaction, the handset would request
that the user register his or her fingerprint on the sen-
sor, and the handset would compare the fingerprint to
the one already stored in the phone (and, as a backup,
also stored on the bank mobile transaction server). The
handset would then send the transaction request and
the result of the fingerprint comparison—in effect, a
biometric ID authentication—to the bank server for
approval and execution of the transaction. That would
replace the device-based security safeguard (the SIM
card) with something much more robust and harder
to defeat. As the report makes clear, the technology to
implement such a system is available now.
In summary, there is a confluence of technology trends
leading to viable solutions that can enable very wide-
spread access to financial services. Demonstration of
these technologies and the related service models will
help to accelerate commercial adoption, overcome
 Forward: Innovations in Financial Services
Markets + Enterprise for the Poor
White Paper Dr. Allen L. Hammond

regulatory hesitation, and empower the unbanked

billions. We therefore invite widespread discussion of
these solutions, in the belief that as they become bet-
ter known, acceptance of mobile banking as a viable
commercial enterprise by banks, telcos, and regulatory
authorities will accelerate.

FOOTNOTES
1)Dr. Allen L. Hammond is Vice President for Innovation and Senior Fellow,
Markets & Enterprise Program at the World Resources Institute.
2)Tom Phillips, GSM Association, cited in Balancing Act, Issue # 378 (London, 2007).
3)The Next 4 Billion: Market Size and Business Strategy at the Base of the Pyramid
(International Finance Corporation and World Resources Institute, Washington DC,
2007).
4)Wi-Fi is the wireless standard already widely deployed employed in hotspots
and in homes and offices; WiMax is its more sophisticated (and expensive) cousin,
designed to handle the multiple reflections of wireless signals encountered in urban
environments and to provide slightly longer range. Its complexity and cost are at
present a disadvantage in rural areas of developing countries, compared to Wi-Fi,
although costs are expected to continue declining.
5)The pilot referred to here is one of several similar pilots in Vietnam; other similar
models have been deployed in Mongolia and Sri Lanka.
6)The advanced mesh WiFi access points being used in the Vietnam pilot can con-
nect at high speeds to a normal laptop within a “cell” extending at least 1 kilometer
from the access point, except where line-of-site is blocked by hills or tall buildings;
with a small extension antenna plugged into the laptop, the cell radius is 2 kilome-
ters. This range often makes it possible for a single access point to cover a village or
a rural neighborhood extending over several square kilometers. With the appropri-
ate antenna, the units can connect to the next cell—e.g., the next village coverage
zone—located between 1 and 10 kilometers away. As many as 10 such cells can
be linked together in a chain, sharing a single fiber link or VSAT connection to the
Internet. Such advanced technology thus facilitates affordable connectivity for rural
BOP populations--connectivity that may otherwise be prohibitively expensive.
7)CGAP, Regulating Transformational Branchless Banking: Mobile Phones and other
Technology to Increase Access To Finance, Focus Note 43 (cgap.org/portal/site/
cgap/BranchlessBnaking/FN43).


 Markets + Enterprise
White Paper
Biometric Security for Mobile banking
Biometric authentication for mobile banking addresses key concerns of the financial sector in trying to reach the unbanked
Loretta Michaels8
The provision of basic financial services to unbanked
populations, and the growth of mobile phone net-
works, are both widely acknowledged as having broad
economic benefits. The logical extension of these
growth areas is to converge the two to allow innovative
approaches to rural banking and payment systems. In
order to do so, countries need to pursue both broader
coverage of cellular networks, and better connectivity
in the form of affordable mobile phones and easier ac-
cess to financial and other types of services.
The economics of extending high-cost cellular net-
works into rural areas cannot usually be justified
without high voice and data traffic forecasts. One way
to address low-cost coverage is via WiFi technology,
which is the subject of another WRI project9. Beyond
basic coverage, however, is the need to link users to
useful financial services via easy-to-use handsets and
simple applications.
For the banking sector to provide financial services in
rural areas, the issues they face include not just cover-
age and connectivity, but also basic familiarity with
banking systems, from training and education in the
use of bank accounts to the provision of adequate
security measures for users unfamiliar with PINs and
passwords and who often have few formal identifi-
cation documents. It is the security issue that is of
particular importance to financial institutions, not just
in developing countries but worldwide, led by growing
concerns about money laundering and terrorist financ-
ing, fraud and consumer protection.
An area of rapid development in security systems is
the use of biometrics. While fingerprints have long
been used in law enforcement, other types of biomet-
rics have largely been the stuff of research and science
fiction. However, rapid advances in biometric tech-
nology, largely driven by national security concerns,
have brought several biometric solutions to the mar-

ket, especially for border control, physical access and
fraud prevention. To date these biometric systems
have largely been complex and expensive to build and
operate, and have thus been limited in their imple-
mentation. As technology improves, the ability to use
biometrics for individual applications, particularly in
mobile banking, is of great interest to financial institu-
tions seeking secure means of signing up rural custom-
ers.
The purpose of this document is to provide an intro-
duction to biometric technologies, and in particular
look at those biometric technologies that would be
portable to mobile platforms. The intention is to un-
derstand and evaluate how biometrics might be used
for mobile banking and payment systems, and to iden-
tify the best approach to take given the current state of
the technology and the nature of most rural markets in
the developing world.
The Biometric Process
Biometrics is typically defined as a means of uniquely
recognizing humans based upon one or more intrinsic
physical or behavioral traits. Physical traits refer to
what you are, as opposed to what you know, and in-
clude such things as fingerprint, face, retina, iris, hand
geometry, and DNA. Behavioral traits reflect what
you do, and include such actions as signature, gait, and
keystroke. One biometric trait that is considered both
physical and behavioral is voice.
Regardless of the type of biometric that is used, the
process involved when conducting biometric authen-
tication is generally uniform (see figure below). The
user will first enroll themself in the system by provid-
ing multiple samples of the relevant biometric, which
are then converted to digital, mathematical “templates”
and stored for future reference. Once the user is suc-
cessfully enrolled, they’ll gain biometric access to the
system by presenting a “live scan” of the biometric

Markets + Enterprise
White Paper
trait, which is then compared to the reference template.
The comparison of templates takes the form of either
identification, which means that the live scan is com-
pared to many templates to ascertain who the user is
(aka a 1:N comparison), or authentication, where the
live scan is compared to just one template to confirm
that the user is indeed who they say they are (a 1:1
comparison). The determination of whether or not
the two templates match will depend on the levels of
accuracy demanded by the system administrator (the
threshold level). This may seem oddly flexible for a
security system, but in fact no biometric system is
completely foolproof in returning a 100% total match.
Rather the systems will indicate that the templates cor-
respond to a certainty level of, say, 95%. It’s up to the
administrator of the security system to decide how ac-
curate they demand the match to be, and set the system
accordingly via the threshold level. The distinction
between identification and authentication is important
when evaluating biometric systems, as the systems will
require different threshold levels, not to mention vastly
different storage and processing systems. After all, con-
firming that I am who I say I am is very different from
trying to determine who I am in the first place, and the
former should be easier than the latter.
It’s also important to understand the different per-
formance metrics of a biometric system, as these
will impact what sorts of threshold levels are needed
depending on the purposes of the security system. As
their names imply, the False Match Rate (FMR, also
Figure 1. Comparison of Biometric Templates
10
Biometric Security for Mobile Banking
Loretta Michaels
known as the False Accept Rate, or FAR) measures the
percentage of invalid users who are mistakenly allowed
into the system, while the False Non-Match Rate
(FNMR, or the False Reject Rate, FRR) measures the
percentage of valid users who are mistakenly rejected
by the system. While it would seem intuitive to set
both measures as close to zero as possible, in reality
there are tradeoffs made depending on the purposes of
the biometric system. For example, access to a nuclear
weapons site would demand absolutely no false match-
es, but will correspondingly result in a higher number
of false rejections of valid users, which will then need
to be resolved via other means of verification. While
military authorities will probably deem this type of
inconvenience to valid users an acceptable price to pay
for nuclear security, other organizations may demand
more user-friendly systems for their employees or
customers, say for access to an office building elevator
or all-day passholders at a theme park10. Because the
levels determined for both FMR and FNMR involve
a tradeoff in the system design, most scientists who
are looking to compare biometric verification systems
will in fact look at the level at which the FMR equals
the FNMR, otherwise known as the Equal Error Rate
(or EER). Other measures that are looked at when
evaluating biometric systems are the times required for
enrollment and verification, and the Failure to Enroll
(FTE) rate, which would reflect how often users are
unable to enroll at all due to any number of reasons,
including illness and physical injury.

Markets + Enterprise
White Paper
Another element to consider when designing a bio-
metric system is whether the template comparison,
or matching, will occur locally, for example on the
mobile handset or the door keypad, or centrally using a
separately located database. The obvious implications
of this choice are the need for storage capacity and
communications links between the biometric scan-
ner and the host system. Local matching will require
less processing power, but will also mean a limit to
the number of reference templates that can be stored
for comparison purposes. As a result, local matching
is generally though to be better suited for 1:1 authen-
tication, requiring a yes or no decision about a single
template match. Depending on the type of system
being implemented, some experts also believe that
local storage and verification of reference templates are
better for preserving the privacy of personal data. The
fact that many biometric systems use each successive
live scan to enhance and improve the reference tem-
plate on the local device is another reason to consider
local matching systems.
Larger, centralized matching systems have their own
benefits, of course. For one thing, they will have
greater storage and processing power available to the
system, and are therefore able to provide both 1:1 and
1:N authentication, which is necessary for some sys-
tems such as law enforcement and surveillance. This
greater capacity and capability, however, will necessar-
ily involve the storage of multiple reference templates,
which will impact system hardware and software
needs. There is also the need to constantly monitor the
host and its communication with scanner units such
as mobile handsets, plus database management and
backup requirements.
To date, no research testing has been done to compare
accuracy levels between local and centralized biomet-
ric matching systems, although there’s little reason to
believe that there would be major quality differences.
Rather, biometric experts agree that the performance
of any system will depend more on the quality of the
scans that are taken, which in turn depends upon
environmental issues such as noise, illumination or
dirt, and on usability issues, which in turn will depend
11
Biometric Security for Mobile Banking
Loretta Michaels
on system design and user training. Decisions about
which type of system to build should be based upon
what types of authentication will need to be done,
1:1 or 1:N, how the system will be used, what level of
backup and communications links can be built, and
how the entire system needs to integrate into existing
information management systems.
For purposes of replacing PINs and passwords for
mobile banking transactions, biometric authentication
via local matching should suffice in terms of security, as
the bank’s purpose will be to verify whether the user is
who they say they are rather than identify them in the
first place. In keeping with the latest financial security
standards, banks may want to employ two-factor iden-
tification, whereby two criteria are used to verify the
customer’s identity, but this is entirely feasible with the
mobile phone. One solution is to register the handset,
usually via the user’s cellphone number, and link it
with a particular individual account holder, and then
send this information along with the biometric confir-
mation to the financial institution’s processing systems.
Many Kinds of Biometrics
There are many types of biometrics being studied
today, some of which are already being commercially
implemented in certain applications. Physiological
traits that are used for validating a person’s identity
include fingerprints, faces, retina and iris, voice, hands
including knuckle, palm and vascular patterns, DNA
and other more experimental traits such as odor,
earlobes, sweatpores and lips. Behavioral traits include
signatures or specific signs, keystroke patterns, voice,
and gait. While fingerprints have been in use by law
enforcement for more than a century, the rest of the
biometric traits listed here are far more recent and in
some cases still considered very experimental. An in-
depth review of all the various biometric technologies
is beyond the scope of this paper. Rather, what we are
interested in is which of the biometrics can be consid-
ered portable to some type of mobile device, specifi-
cally a cellphone. The biometrics that lend themselves
most to the small form-factor inherent with a cell-
phone are facial recognition, voice recognition, iris
recognition and fingerprints. (Signatures and sign rec-

Markets + Enterprise
White Paper
ognition are proving to be reliable authentication tools,
but they require larger and more sophisticated screens
than would be found on most cellphones nowadays,
so they are excluded from this analysis.) The issues to
consider in evaluating these measures include accuracy,
reliability, acceptability, susceptibility to fraud, ease of
enrollment, usability, environmental effects, hardware
and software size, and cost.
Facial Recognition
A facial recognition system uses a computer algorithm
to identify or verify a person from a digital image or a
video frame. This is done by comparing selected facial
features from the image and comparing them against a
reference template usually stored in a facial database.
While it’s much newer than fingerprint technology,
it’s gained wide usage in some security applications,
particularly CCTV systems and some border cross-
ing controls. Facial recognition emphasizes features
that are less susceptible to alteration, like eye sockets,
cheekbones, and the sides of the mouth, and as such is
resistant to many of the changes associated with most
plastic surgery and to changes that come with aging.
Traditional facial recognition algorithms include Ei-
genface, Fisherface, the Hidden Markov model and the
12
Biometric Security for Mobile Banking
Loretta Michaels
neuronal motivated dynamic link matching. However,
in recent years, a newer facial technology has emerged,
3D facial recognition, that isn’t affected by illumination
and is showing accuracy rates up to ten times better
than older algorithms11.
Facial recognition is cheaper and easier to use than iris
or retinal scans, in part because it’s less invasive and can
generally use low speed, low resolution cameras, but it
gives a higher false negative rate than other biometric
technologies because of the need for tightly controlled
environments. A facial recognition system is sensitive
to such criteria as head position and angle, movement,
lighting and other factors, including the use of different
cameras for enrollment and verification. In addition,
facial recognition has certain weaknesses that limit its
usefulness for fraud prevention. It cannot distinguish
identical siblings, it can be defeated by pointing the
camera at a high-resolution video monitor playing a
video of an authorized user, and can also be defeated
by the use of a severed head. And of course there may
be religious or cultural prohibitions against facial pho-
tographs in some regions of the world that will limit its
voluntary uptake by target users.
As a result of the environmental issues noted above,
facial recognition’s reliability is still lower than other
technologies, and usually returns a list of “close match-
es” rather than a single definitive match, as do iris and
fingerprint systems. For the time being, facial recogni-
tion is most often deployed in 1:N environments for
large-scale identification opportunities, surveillance
and law enforcement.
A basic facial recognition system can probably use a
standard camera phone of 1 Mg or more, while tem-
plate size can range from 1000 to 2000 bytes. (See
chart on page 8 for comparison of biometric tem-
plates.)
Voice Recognition
Virtually all North Americans are familiar with speech
recognition, having come across it when trying to
phone most companies nowadays. Voice recognition
differs from speech recognition, in that voice recogni-

Markets + Enterprise
White Paper
tion analyzes how you say something, versus what
you say in speech recognition. Each person’s voice is
unique, due to differences in the size and shape of their
vocal cords, vocal cavity, tongue and nasal passages.
The way an individual speaks is also determined by the
complex coordination of their lips, jaw, tongue and soft
palate. Voice and speech recognition can in fact func-
tion simultaneously using the same utterance, allowing
the technologies to blend seamlessly: speech recogni-
tion can be used to translate the spoken word to an ac-
count number, while the voice recognition verifies the
vocal characteristics correspond to those associated
with that user’s account. Considered both a physi-
ological and a behavioral biometric measure, voice rec-
ognition has good user acceptance and requires little
training to use. However, while popular, low cost and
capable of working over any phone, it’s less accurate
than other biometric systems and can entail lengthy
enrollments requiring multiple voice samples to attain
a usable template. Spectrographic voice images are
used to create a relatively large template, between 2 and
10 kilobytes. There are many vendors of voice recogni-
tion systems, along with many proprietary technolo-
gies, and though no systems have been commercialized
on handheld devices, processing can be done on a cen-
tral server that is easily accessed via a mobile phone, so
no new hardware should be needed.
One of the biggest weaknesses of voice recognition is
that it suffers from a high reject rate in noisy environ-
ments, which is a problem for outside usage. Perfor-
13
Biometric Security for Mobile Banking
Loretta Michaels
mance can also vary according to audio signal quality
as well as variations between enrollment and verifi-
cation devices, and with variations in environments
(inside versus outside, variations in background noise,
etc.). Voice changes that occur as a result of time, in-
jury, cold or illness can also be an issue. Finally, voice
recognition can be defeated by playing back a high
fidelity recording, which would obviously be of great
concern to financial institutions.
While voice recognition benefits from ease of usage,
high user acceptance, and no need for new hardware,
the impact of environmental issues upon performance
renders it of low to medium accuracy, which is not
likely to meet the security needs of most financial
institutions.
Iris Recognition
Iris recognition is a newer method of biometric
authentication than analyzes the features that exist in
the colored tissue surrounding the pupil, such as rings,
furrows, freckles and the corona. Iris patterns possess
a high degree of randomness, with each iris having 266
unique identifiers as compared to 13-60 for other bio-
metrics. These iris patterns, which differ even between
identical twins, are apparently stable throughout ones
life (although they will change within hours of death,
preventing the use of dead eyes). The iris features
and their location are used to form what’s called the
IrisCode T, which is the digital template of the iris,
with an average template size of 512 bytes.

Markets + Enterprise
White Paper
Iris recognition is proving to be a highly reliable
technology, offering excellent performance with a very
low false match rate, while being less invasive than
the older retinal scans. However, for the time being,
real-world efficacy rarely matches the performance
achieved under laboratory conditions. An iris scan in-
volves a small moving target, located behind a curved,
wet, reflecting surface, which is obscured by eyelashes
and lenses, and partially occluded by eyelids that are
often drooping. As a result, using the system effective-
ly requires tightly controlled environments and a very
high level of training.
Iris scans require hardware that is not usually found on
today’s average cellphones. Typical cellphone cameras
are still too low in resolution for accurate iris scanning
applications, and a proper iris scan requires a near-in-
frared illumination filter instead of the more common
visible light filter found in cellphone cameras. Addi-
tionally, to prevent a picture from being able to fool the
system, advanced devices may vary the light shone into
the eye and watch for pupil dilation, a feature that is
not currently viable on small devices like cellphones.
In terms of user acceptance, the fact that iris scans are
not invasive is helpful, assuming the training issues can
be properly addressed. Of course there remain some
negative, Orwellian connotations to the use of iris
scans, but whether these concerns would also apply to
developing country users is unclear.
Fingerprints
The use of fingerprints to identify people has been
around for over a century. It ’s the most mature
biometric technology out there today, with accepted
reliability and a well-understood methodology. As
such, there are many vendors of fingerprint recognition
on the market today, although not all of them employ
compatible equipment or algorithms. Three of the
traditional means of fingerprint recognition employ
Optical, Captive Resistance/Pressure, and Thermal
scanning technologies. While all three have been in
use for years, with good reliability and accuracy, they
do have weaknesses when faced with today’s demand
14
Biometric Security for Mobile Banking
Loretta Michaels
for better fraud prevention in
the face of more sophisticated
biometric applications, not to
mention more sophisticated
criminals. Specifically, all
three of these types of finger-
print scanning can be de-
feated in various ways, such as
using dead fingers or copying
the last print used with adhe-
sive film and re-presenting it
to the scanner. Additionally,
testing has shown that the elderly, manual laborers and
some Asian populations are more likely to be unable to
enroll in some of the traditional fingerprint systems.
A newer fingerprint technology, employing RF Imag-
ing, uses ultrasonic holography of the outer layer of
dead skin as well as the inner layer of live skin to create
the template, rendering it nearly 100% accurate, not to
mention resistant to the use of fake or dead fingers, or
dirt and oil. In addition, the newer fingerprint systems
use each new scan of the finger to enhance the existing
template, thus making it more accurate with use over
time.
While fingerprints have proven to be highly reliable
and accurate over the years, particularly now using RF
imaging, they’re not completely infallible. They can
be affected over time by such things as years of manual
labor or physical injury, so there would probably be a
desire to update the reference templates as and when
necessary for commercial and financial applications.
Other factors that can cause failure in a fingerprint
scan are cold and humidity (particularly in the older
types of fingerprinting), and location, angle and pres-
sure of placement on the sensor (known as a platen).
Other issues to consider are that the use of fingerprints
requires physical contact, which can be a problem in
some cultures, and the fact that fingerprinting’s long
association with criminal justice lends itself to some
privacy resistance, although this will probably ame-
liorate over time with increased use of biometrics and
updated privacy laws.

Markets + Enterprise
White Paper
Fingerprint capture technology is easily accommo-
dated on a cellphone, with sensor sizes ranging from 12
mm x 5 mm to about 1.5 cm x 1.5 cm, and low power
and processing requirements. The fingerprint template
itself ranges in size from about 256 bytes to 500 bytes.
Chart 1. below summarizes the main characteristics of
the biometric technologies discussed in this paper.
Market Activities in Mobile Biometrics
Currently, most biometric applications around the
world tend to focus on national security and law
enforcement activities, as well as physical access to
sensitive or restricted facilities. As understanding
of the technologies and their performance levels has
improved, more sectors of the economy are looking
at the use of biometric systems for identification and
authorization. The technology and financial sectors in
particular are interested in the use of biometrics, partly
to improve their customers’ user experience by saving
them the hassle of having to constantly re-enter pins,
passwords and account numbers. For those parts of
the financial services world who are seeking to expand
their customer base into previously unserved areas,
inconsistencies in the availabilities and types of official
identification present challenges to opening up new ac-
counts. Biometric identification is one way of address-
ing those challenges.
Asia is leading in the use of mobile biometric activity12.
Most current cellphone-based biometric applications
are being seen in Japan, South Korea and, increasingly,
China, where biometrics are used to unlock handsets
and/or applications on the handset. In all these cases,
Chart 1. Main characteristics of biometric technologies
15
Biometric Security for Mobile Banking
Loretta Michaels
though, the biometric is used to supplement, rather
than replace, the normal security systems already in
place for online and mobile banking. In Japan, Soft-
bank Mobile (formerly Vodafone) and NTT DoCoMo
both offer Sharp handsets that use Face Recognition,
from biometric vendors such as Oki and Neven Vision.
Several handsets on offer at all the mobile operators
have Fingerprint sensors, including those from LG, Fu-
jitsu, Samsung, Panasonic and Sharp, using fingerprint
technology from AuthenTec and Atrua. In addition,
Oki Electronics has come out with a proprietary cell-
phone that contains Iris Recognition software that uses
the phone’s own camera. (Whether this phone has had
to be retrofitted with infrared filters is not clear.)
In China, handset vendors are starting to introduce
handsets with fingerprint technology, including Yulong
and Qiao Xing Mobile (CECT). And in Korea, KTF
has introduced several phones using AuthenTec’s
fingerprint solution, including those from Pantech,
Motorola and LG.
While Europe hasn’t been as active in this area, there
was an EU collaborative research program started in
2004 called SecurePhone that produced a high-end
PDA prototype using face, voice and signature-based
biometric authentication systems on a SIM card. More
recently, Swisscom Mobile has embarked upon a trial
using Atrua’s fingerprint sensors on a Toshiba phone.
In India and parts of Africa, governments and financial
institutions have started using biometrics to enroll ru-
ral populations for social benefits and banking applica-

Markets + Enterprise
White Paper
tions. In these cases, the reasons for the use of the bio-
metrics are to provide identity verification and prevent
fraud. While these applications are generally being
provided via mobile ATMs, smart-cards and “roving”
service agents, rather than via cellphone, the concepts
are similar and proving usable in these markets and,
critically, acceptable to financial regulators.
In India, the government has embarked on a rural em-
ployment guarantee program, guaranteeing people 100
days work a year if they are poor. However, the system,
which uses job cards and involves many intermediaries,
has been rife with fraud. In the Indian state of Bihar, a
project has begun to set up a biometric system of iden-
tification for job cards, after which all payments will
be deposited directly in the bank accounts of the poor,
thus checking leakages. One challenge to this scheme
is that banks have been notoriously reluctant to open
small accounts for illiterate users who cannot handle
paperwork; and many poor people have to travel 50
miles to get to a bank branch.
In response, a few major Indian banks (Canara, An-
drha, ICICI), as part of a mandate by the government
to address the vast unbanked populations in the rural
areas, have recently introduced fingerprint-enabled
ATMs, both mobile and low-cost fixed. Customers
are enrolled and given a smart-card that holds their
account information as well as their biometric identifi-
cation. They then swipe their smart-card on the ATM,
and present their finger or thumb, which is compared
against the information contained on the smart-card
for authorization. Simplified voice instructions and
color-coded touchscreens walk the user through the
various banking transactions, while a service represen-
tative is always on-hand to provide additional support
if necessary. While these trials were introduced to
much fanfare in early 2007, and appear to be working
well according to preliminary press, there have not yet
been follow up reports indicating whether the banks
themselves consider the trials to be commercial suc-
cesses. However, such efforts are not just a response to
the government’s mandate, as Citigroup has launched
a similar project in India, making clear that they intend
to make a profit doing so.
16
Biometric Security for Mobile Banking
Loretta Michaels
In South America, Bolivia led the way in the use of bio-
metric ATMs, having been introduced in 1999 by the
Prodem FFP bank. Targeting low-income communi-
ties and entrepreneurs offering a wide range of savings,
credit and money transfer services, Prodem rolled out
a large urban and rural network of branches and smart
ATMs (now at 90 branches and 52 ATMs). To over-
come barriers such as illiteracy, they created a solu-
tion employing smart cards, fingerprint recognition
technology and smart ATMS, as well as stand-alone,
voice-driven ATMs in local languages with color-coded
touchscreens. In fact, Prodem was a finalist for the
2005 Gateway Development Prize for its innovative
approach, which went on to provide the framework for
later initiatives in India and elsewhere.
South Africa is another place where the use of bio-
metrics is growing, largely for identification purposes
(having started in the mining industry years ago).
Capitec Bank is using biometrics for providing low-
cost banking services to unserved populations, largely
via kiosks and smart-cards, while the government is
using fingerprint recognition for the delivery of pen-
sion benefits to its citizens. As the use of biometrics
grows in South Africa, so does the number and size of
South African biometric vendors designing solutions
specific to African needs. One such vendor, Net 1
Technologies, designs smartcard and banking systems
aimed specifically at unbanked populations. Their
system uses secure smartcards that operate in real-time
but offline, unlike traditional payment systems offered
by major banking institutions that require immediate
access through a communications network to a central-
ized computer. This offline capability means that users
of Net1’s system can enter into transactions at any time
with other card holders in even the most remote areas
so long as a portable offline smart card reader is avail-
able. Net1 was recently chosen by the Central Bank of
Ghana to develop biometric smart-cards for use in that
country’s ATMs and POS.
Conclusions
As biometrics continues to advance scientifically and
technologically, its use and acceptability as a means of

Markets + Enterprise
White Paper
security and authorization across various sectors also
grows. In particular, the financial industry is increas-
ingly interested in the use of biometrics to help in the
ongoing fight against money laundering and terrorist
financing, fraud and consumer protection. At the same
time, as the provision of standard infrastructure lags far
behind the rollout of cellular services in most devel-
oping countries, interest in the use of mobile phones
to access rural populations and provide banking and
information services is exploding.
Biometrics would be a useful solution to the issue of
security for mobile banking in developing countries,
particularly to address the unique needs of the un-
banked in rural areas. Technically, the use of biomet-
rics is entirely feasible in mobile applications. The
accuracy of biometric identification systems is as good
if not better than most traditional banking security sys-
tems, and the software and transmission requirements
of several biometrics technologies are certainly within
the realm of possibility for most of today’s cellular net-
works. The main issue to address with any biometric
system is that the performance will only be as good as
the quality of the data captured, so that environmental
controls and user training are of paramount impor-
tance.
For purposes of mobile phone banking, fingerprint
recognition appears to be the best technology to use
today. Fingerprints are already being used for several
rural banking applications around the world, with ac-
ceptable performance and security results. And while
there is a requirement for incremental hardware and
software to accommodate fingerprint sensors on the
handset, the use of fingerprint recognition technol-
ogy is being used in several mobile phones today by a
wide range of handset vendors. As for use in cellular
networks, the size of fingerprint templates, which can
range from 250 to 500 bytes, can easily be transmitted
via today’s GSM and CDMA data networks, allowing
for systems that can provide matching both locally and
centrally, depending on the application requirements.
In terms of how it would work, fingerprint recogni-
tion security could either interface directly with a
17
Biometric Security for Mobile Banking
Loretta Michaels
bank’s online banking system, an approach that will
often require costly systems integration (and result in
an undesirable one-off solution), or it could interface
with a separate mobile banking platform. The mobile
banking platform would act as a “black box” interme-
diary between the cellphone and the bank, receiving
the identity and biometric authorization data from the
user’s handset and, once verifying the information,
sending a pre-authorized signal to the banking system,
using standard ISO banking protocols, telling the bank
to go ahead with the transaction at hand. In fact this is
how many mobile banking systems work today, taking
information from the handset and translating it in one
form or another for use by banks and payment proces-
sors.
As is often the case with new technology applications,
the biggest issue facing mobile operators and banks
when trying to evaluate biometrics for mobile bank-
ing will not be the technology, per se, but rather the
business case around building the technology into the
application13. Questions such as who owns the cus-
tomer, who builds and operates the mobile banking
platform, who pays for the cellphone, and who handles
all the implementation, training and customer-service
related issues all need to be addressed to understand
the overall attractiveness of a biometric mobile bank-
ing application.
FOOTNOTES
8)Loretta Michaels is a consultant with extensive experience in telecoms and mobile
payments, particularly in the developing world.
9)See Forward.
10)Disney World was, until 2007, the largest user of biometric systems in the US. It
used fingerprint scanners from Lumidigm, a company set up with financial backing
from the CIA, NSA and DOD.
11)National Institute of Standards and Technology (NIST) 2006 Facial Recognition
Vendor Test (FVRT).
12)Appendix A: leading vendors addressing mobile phone biometric technologies.
13)Appendix B: issues for consideration when designing a mobile banking system.
 Biometric Security for Mobile Banking
Markets + Enterprise Appendix A: Biometric & Handset Vendors
White Paper

Appendix A.
Biometric & Handset Vendors with
Mobile Products in Market

Fingerprint Recognition Vendors

AuthenTec, Inc. Melbourne, Florida, www.authentec.com.

With over 25 million sensors in use worldwide, including in 7 million cellphones, one of the leading suppliers
of fingerprint sensors for PC, wireless device and access control markets; AuthenTec has issued 33 patents on
its technology, the largest patent portfolio in its industry, and is listed as one of the fastest growing technology
companies in America.

Atrua Technologies, Inc. Campbell, California. www.atrua.com

Leading provider of fingerprint solutions to the mobile, consumer electronics, computing and mass storage
markets, as well as a leading provider of joysticks and touchpads to the computing and gaming markets. Of the
12 new fingerprint mobile phone models announced in the first half of 2007, 10 had Atrua’s fingerprint solution.
Currently in a mobile payments trial with Cellular South and Kyocera.
Other leading fingerprint recognition vendors (currently without cellular solutions): L-1, CrossMatch, Lumi-
digm, SagemMorpho, Digital Persona, UPEK

Face Recognition Vendors

Omron Corporation Kyoto, Japan. www.omron.com

A global leader in sensing and control components, Omron operates in a wide variety of fields such as industrial
automation, home appliances & office equipment, automobiles, social & financial systems, and healthcare. In
February 2005 it introduced the Okao Face Recognition Sensor, for use in PDAs, mobile phones and other
mobile devices containing a camera. The Okao Vision line consists of a range of facial-recognition technology,
including identification technology, which can recognize individual faces; the ability to estimate gender and age
based on facial characteristics; a tracking technology that can detect and track the movements of a human body;
and the ability to estimate where a person is looking based on the orientation of their face and gaze.

Oki Electric Industry Co., Ltd. Tokyo, Japan. www.oki.com

OKI is Japan’s first telecommunications manufacturer, and is now focused on three main businesses, the “info-
telecom system” business, semiconductors and printers. It has been providing facial recognition software, the
FSE (Face Sensing Engine) middleware for embedded systems, as a security product to various government
agencies, financial institutions and other enterprises, along with its iris recognition technology. In late 2006 OKI
introduced it’s new Iris Recognition Technology for Mobile Phones, which is able to use a standard camera that
is embedded in a mobile terminal.

Neven Engineering, Inc. (trade name: Neven Vision) Santa Monica, CA.
Neven Vision was founded in 2003 by a group of people who had worked together on a biometrics company

18
 Biometric Security for Mobile Banking
Markets + Enterprise Appendix A: Biometric & Handset Vendors
White Paper

(Eyematic Interfaces, Inc.), but in the last few years had changed their focus to applying that technology to mo-
bile visual search. Their service offerings include image-driven mobile marketing services, visual mobile search,
comparison shopping and m-commerce, enhanced photo messaging, secure data access and field identity verifi-
cation. Customers include NTT DoCoMo (for authenticating transactions), the U.S. government (including the
LAPD for identifying gang members), and Coca-Cola (for mobile marketing campaigns). Neven Vison holds
a number of patents on face recognition, image recognition and video recognition, including the “image base
enquiry system for search engines for mobile telephones with integrated cameras,” image-based search engine
for mobile phones with camera,” and “single image based multi-biometric system and method.” In August 2006,
it was purchased by Google, to be incorporated into Google’s Picasa product line to improve organization and
search of personal photo albums. Google hasn’t made any specific announcements on how it intends to use the
mobile technology it acquired with the purchase, although the fact that Google will be participating in the FCC’s
spectrum auction indicates that it does plan some type of mobile offering.

Other leading face recognition vendors (currently without cellular solutions): L-1, Bioscrypt, CrossMatch,
SagemMorpho, Datastrip, Labcal

Iris Recognition Vendors

Oki Electric Industry Co., Ltd (see above)

Other leading iris recognition vendors (currently without cellular solutions): Irisguard/Iridian (now owned by
L-1), LG Iris, Panasonic

Mobile Handset Vendors with Biometric Solutions in the Market

Fingerprint
Samsung, LG Electronics, Fujitsu, Hitachi, Motorola, Pantech, Toshiba, Panasonic, Kyocera, CECT, Yulong

Face
Sharp

Iris
Oki (proprietary)

19
 Biometric Security for Mobile Banking
Markets + Enterprise Appendix B: Key Issues to Consider
White Paper

Appendix B.
Key Issues to Consider in Designing a
Biometric Security System in Mobile Banking
- Who does customer belong to - mobile operator or bank?

- Who builds, operates and owns the mobile banking platform?

- Who pays cost of new and/or upgraded cell phone hardware? How are cell phone batteries kept charged
(solar?)

- How will customers enroll in system? Physical presence required, plus processes for verifying initial identify
claims

- How will customers be trained in use of system?

- Should debit cards be issued in conjunction with service for use in urban ATMs?

- Need exception handling for both enrollment and verification; 1-800 # for problems, with secret questions for
when customer can’t verify biometrically?

- To what degree will biometric match decisions be incorporated into existing interfaces for banking, payment
and clearance systems?

- How many identifiers - handset ID, bank account #, biometric ID

- What are the threshold (accuracy) requirements?

- Location of biometric data storage and processing for maximum availability

- Administrative and auditing functionality to manage biometric accounts and transactions

- How much personal data resides on handset?

- Cash handling network and use of field agents, retail agents, mobile ATMs

- Software requirements for cell phones not prohibitive; software and backup requirements for mobile banking
systems and linkages to bank network to be determined

- Processing requirements - need basic data network (shouldn’t need 3G as long as you’ve got a secure tunnel to
the bank)

20