One of the most notorious ATM scams in Japan started at a posh golf club in the green hills of Gunma prefecture. In 2004 a ring of thieves that included a club employee installed tiny cameras in the club’s locker room to record members typing in their four-digit locker codes. Then, while the golfers were out on the links, the thieves opened the lockers and used “skimming” devices to copy data off the magnetic stripes on club members’ bank cards.
The crooks transferred the data onto the mag stripes of blank cards. Then they started testing those cards in ATMs, checking to see how many of the golfers had used the same four-digit number for both their locker codes and their bank personal identification numbers (PINs). The answer: plenty. By the time the police arrested seven members of the gang in January 2005, the crooks had stolen more than 300 million yen (nearly US $4 million) from more than 300 victims.
In an orderly society like Japan, the busting of an ATM-theft ring was big news. And the 2005 golf-club case was one of 801 instances of ATM crime that year—an astounding jump from just 90 in 2003. Shocked by such a rise, the Japanese government demanded that banks find ways to combat ATM fraud and ordered them to compensate victims from their own coffers. The banks turned to the country’s high-tech firms for help, and both Hitachi and Fujitsu came forward. The answer, they said, was already in their hands.
Put one of your hands in front of a bright light and you’ll see a web of blue veins snaking up across your palm and into your fingers. That delicate lattice of branching blood vessels is unique to you, just like the striations in your irises or the swirls of skin on your fingertips. Hitachi and Fujitsu have been working for years to commercialize technologies that identify people by their vein configurations.
Now, thanks to their biometric systems, about 80 000 ATMs in Japan are as close to being theft-proof as it’s currently possible to make them. They’ve worked so well that the technology is now rolling out worldwide: Major banks in Brazil, Poland, and Turkey have recently integrated Hitachi and Fujitsu’s vein scanners into their ATMs, with more to come. In Europe, ATM theft from skimming and other fraud added up to €23 million in the second half of 2010, according to the European ATM Security Team. In the United States, where the simple and relatively insecure mag-stripe card still predominates, ATM fraud and theft is generally assumed to be a far larger problem. Exact figures for global losses are impossible to come by, but Robert Siciliano, an identity-theft and fraud expert with the security company McAfee, says that at least $1 billion is lost every year.
Eliminating ATM theft would be impressive enough, but backers of biometrics have grander plans. A few banks are doing away with PINs, while one bold bank in Japan is preparing to let its customers ditch their bank cards. These advances are pushing us toward researchers’ most ambitious and futuristic visions, where you’d be able to buy a candy bar or a shirt from a shop just by flashing your hand at a sensor. Such a scheme is still sci-fi for now, and the technical challenges of such a biometric-pay system would dwarf those of ATM-card authorization. But the fact that engineers are starting to tackle those challenges is yet another sign that we’re approaching another milestone in human culture: a new level of abstraction in the centuries-old virtualization of money.
Ranks of squat gray ATMs fill a sixth-floor testing room in the Bank of Kyoto’s central operations building. To get into this sanctum, visitors must swipe their temporary security badges at no fewer than six gates, and they’re allowed to take in nothing but a pencil and paper. Here the bank’s technologists test new applications and security software for their more than 1000 ATMs in and around Kyoto prefecture.
Yuji Kitayama, a managing executive officer of the Bank of Kyoto, ushers his visitors toward the ATMs, which are outfitted with Hitachi’s finger-vein scanners. To cope with the ATM fraud epidemic, Kitayama says, Japanese banks all began moving from magnetic-stripe bank cards to “smart cards” with embedded microchips. But the Bank of Kyoto wanted additional security to protect its customers, and its reputation—hence the finger-vein readers.