10 RAFM Issues: The Rise of Biometrics

This article is the eighth installment in a 10-part series about important issues for revenue assurance and fraud management. The goal is to conduct a ‘reverse survey’, where the importance of each topic covered will be ranked according to the audience acquired, rather than by asking questions and collating the answers received back. Today’s article is about the game-changing technology of biometrics: using the distinctive, measurable characteristics of human beings and their bodies to identify individuals and hence control access to systems. The anti-fraud potential is obvious, but are the people working inside telcos prepared to embrace it? And if they are, what will be the implications for customers and the general public?

Minority Report is ancient history

Some futurists and other soothsayers try to explain the significance of biometrics by reminding people of Minority Report, the 2002 science fiction movie starring Tom Cruise. I suppose they are helping people with limited imagination to understand the significance of technological change by referring them to a popular story created for a mass market. But they might as well be explaining the historical significance of coal by observing it is better than wood at heating your home, whilst ignoring all the other ways that steam powered the industrial revolution. In the future depicted in Minority Report everybody has their retinas scanned whenever they walk around a public place, so when Tom Cruise goes on the run he must pay an underground surgeon to replace his eyeballs (pictured above). Tom changes nothing else about himself. But let us list all the ways the future police would have identified and captured our Tom, just using technology which is already available today:

  • The police would have Tom’s fingerprints in their database. So he had better keep his gloves on at all times.
  • The authorities would have a copy of Tom’s DNA. So Tom must avoid giving any sweat, spit, blood or hair samples away. And he better not use any public toilets either.
  • Tom’s voice will have been digitally mapped. So he must not speak to anybody, especially not on the phone. (The old trick of putting a handkerchief over the mouthpiece would not be enough.)
  • On the subject of telephones, Tom must ditch his mobile or else they will use it to track his location. So if he wants to see anyone he must go to their house and hope they are in.
  • Tom can only move around by walking and using public transport, because of automated recognition of car number plates. He will have to hope the city buses have not yet been fitted with surveillance cameras.
  • Well-dressed Tom will need to buy a whole new wardrobe, because of the RFID chips in his clothes.
  • But Tom will find it difficult to pay for bus rides and pants, because nobody will accept cash and he will be unable to use any of the electronic alternatives.
  • And he also suffers the handicap of looking exactly like Tom Cruise, which should be a slam dunk for any facial recognition software, irrespective of whether his eyes are open or closed.

So let us ignore the idiosyncracies of Hollywood storytelling and recognize there are several kinds of biometric technology that are very effective already. Combine a couple of these biometric methods, or complement one method with some more basic but common identification techniques (identity cards, passwords etc) and we already possess the means to identify people with almost perfect certainty. This is no fiction. An increasing number of countries record your fingerprints as you cross their border, and the passports will have stored biometric data too. Banks are recording your voice so they can verify your identity when you call them. Pakistan has recorded the fingerprints of everyone who owns a mobile phone, and now will be using biometrics to ensure welfare payments go to the people entitled to them. Telcos are big businesses with millions of customers we hardly know; it is inevitable that we will adopt the same methods of verifying identity.

Might the win-win create some internal losers?

Suppose your telco makes the investment needed to recognize any customer’s voice or face. This will greatly assist the prevention of fraud. Consider the following:

  • Someone calls up with the intention of socially engineering your staff. But your systems instantly recognize the voice of a criminal who has fooled you before. Now you know to ignore them.
  • Someone walks into a store, wanting a refund for a handset. The facial recognition software identifies a serial scammer. Out they go!
  • Someone walks into another store, holding a lot of documents that seemingly confirm their identity. But your database contains the real biometric data for the real person being impersonated by this fraudster. Now you just need to call the police before the criminal can escape.
  • Some stupid kid is persuaded to be a mule for a criminal. He walks into the store and walks out with a service that will never be paid for, because existing biometric data will not prevent this. But that kid will never be able to do the same thing again, and a few prosecutions will deter other stupid kids from doing the same thing, if the part where their biometric data was collected was not enough of a deterrent already.
  • Someone steals the password for an online account. Your two-factor authentication system calls the mobile phone associated with the account, to confirm the changes of details and new transactions on the account. The crafty criminal has stolen the real user’s phone too. But instead of using the keypad to enter a code, the user must speak the code into the phone. Because you know the real user’s voice, the criminal is stymied. And now you have recorded that criminal’s voice too.

It is possible to list many more examples of how biometrics should greatly reduce fraud involving faked or stolen identities, but you can do that for yourself. And many of the anti-fraud benefits delivered by biometrics will also yield benefits for other aspects of our business. For example, slimming down and speeding up the process of verifying identities means we can more quickly deal with a customer’s query, reducing our costs and pleasing customers too. Systems will be able to personalize the customer’s experience from the moment they open their mouth or show their face. And the biometric data we collect will have numerous potential applications, making it valuable to others.

Biometrics should be widely adopted by telcos, and I consider them to be part of an emerging ‘next generation’ of RAFM technologies that will revolutionize what we do and the value we add. However, I worry that one potential obstacle to adopting biometrics may be that fraud managers will feel threatened by the technology. Few fraud managers will claim to be experts on biometrics, and sometimes people resist change if they believe it reduces their value to their employer. There will be frauds which cannot be prevented by biometrics, but a significant drop in fraud for large retail-oriented telcos may raise questions about the skills needed by their Fraud Department.

Certainly biometrics will change the work done to prevent and detect fraud. I have no need to inspect your photo ID if I already recognize your face, and I would not enquire about your mother’s maiden name if I recognize your voice. The enthusiasm for biometrics will be influenced by whether fraud professionals define themselves by their stated purpose (reducing and preventing fraud) or by the skills they use. Individuals whose skills are more focused on information technology and querying databases have less reason to welcome biometrics if their case load drops dramatically because many previous fraudsters are successfully denied access. Telcos may find it necessary to manage a transition for their fraud staff as well managing the implementation of new technology.

And what about the people?

If you thought Minority Report depicted a surveillance state, you may be troubled by the potential of biometrics. We already talk about an explosion of data and the potential downsides for personal privacy, but that is before factoring in the uniqueness of biometric data, and the way it will be collected and stored on a wholesale basis.

There will be many issues to deal with. Some individuals will resist giving their biometric data. Opt-outs will be highly problematic, not least because we know criminals will always choose to take them. There will be various objections to biometrics, ranging from the religious to the political. Activists and civil servants will debate when it is permissible to share or sell biometric data. There will be a lot of talk about potential abuse of data, and uncertainty about safeguards and regulation. We can anticipate negative news stories about biometrics failing to identify people correctly, even if the technology is fine and the story is bogus. Good security will become even more important, so all those headlines about data breaches will not boost the popularity of biometrics. Data integrity is vital; there is no point collecting biometric data if you mislabel it. And I have sympathy for anyone who questions the integrity of businesses that continue to make a mess of billing migrations and tariff updates. Telcos must be mindful of the consequences of failure, and of the opinions of ordinary people.

Though the technology of biometrics has improved greatly, it would be a serious mistake to treat their implementation as a technology upgrade. The doomsayers were wrong to predict bar codes on the back of our necks or chips inserted under our skin, but only because there is no reason to waste money on solutions like that when we can capture biometric data with cameras and microphones. The public has a right to be suspicious of anyone using automated systems to gather data about them, and not all their worries will prove ill-founded. Biometrics is a form of communication; the person is involuntarily telling us who they are. Telcos will also need to communicate, in order to assuage fears and promote the benefits of biometrics. Stopping crime is a public good that people will support, so should be an important component of the message given to customers as biometric technologies are rolled out. As a consequence, biometrics may be a rare opportunity to take the back office work done by anti-fraud functions and to project them as a source of competitive advantage.

Biometrics has the potential to both significantly improve or damage the reputation of telcos. The extent to which it changes public perceptions about the work done to prevent fraud will depend on how well we take this transformative opportunity.

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric's history as editor.