This session will present a case study about the innovative approach that Sberbank has taken to implement biometrics in the bank with over 100M customers. Speakers will share best practices in designing an omnichannel user experience for customers, and how risk-based approach and machine learning helped them to build an intelligent system that is soft to legitimate users and hard to fraudsters. Learning Objectives: 1: Learn how biometrics may be implemented in omnichannel environment. 2: Get a fresh view on how innovative risk-based approaches help mitigate threats. 3: Gather some hints for implementing biometrics in a bank. (Source: RSA Conference USA 2018)

1. SESSION ID:
#RSAC
RISK-BASED APPROACH TO
DEPLOYMENT OF OMNICHANNEL
BIOMETRICS IN SBERBANK
IDY-W02
Leyla Goncharenko
Risk-based authen:ca:on Product Owner
Sberbank
Anton Mitrofanov
Authen:ca:on PlaBorm Chief Product Owner
Sberbank

2. #RSAC
Biometrics as a FinTech Trend
2
Juniper, TOP 10 DISRUPTIVE TECHNOLOGIES IN FINTECH, 2016

3. #RSAC
Biometrics as a FinTech Trend
3

4. #RSAC
Biometrics as a FinTech Trend
4

5. #RSAC
Biometrics as a FinTech Trend
5

6. #RSAC
Biometrics as a FinTech Trend
6
Banks turn into digital plaBorms
Digital UX requires seamless and fast security– biometrics?
Biometrics is already trendy among mobile devices (FaceID, TouchID)
Banks experimen:ng with different types of biometrics depending on the
environment (Branch, Call Center, Mobile Apps, ATM)
Biometrics becomes a part of government regula:ons and complience

7. #RSAC
Biometrics is a “silver bullet” ..?
7
No need to take the IDs - Biometrics is always with you
Biometrics aligns the Customer experience among the
service channels:
ATM
Branch
Mobile Apps
Call Center
Geng the costs down for the branches and call center

8. #RSAC
.. Or a challenge?
8
What the Banks face when implemen:ng
biometrics are:
Privacy concerns
Liveness issues
Recogni:on accuracy
Enrollment is not equally secure
Complicated rules and trust matrix are
implemented to reduce the risks

9. #RSAC
Biometrics limita:ons
Recogni:on accuracy
9
Accuracy in large volumes
Is it alive?
How to re-issue
your biometrics?
?
Probability of false accept for biometrics is always
above zero
P = 0,999 P = 0,0001
?
Biometrics based mostly
on image processing.
How could we assure
that it is live person?
If your biometrics was
stolen - how could we
trust you?
17

10. #RSAC
Biometrics technologies security
Framework
10
From ISO/IEC 30107-1, inspired by figure by Nalini Ratha from 2001 and
Standing Document 11 of ISO/IEC JTC1 SC37.
Data capture Comparison Decision
Data storage
Signal
processing
6
7
1 3 5 9
2 4 8
Presenta:on
alack
Modify
sample
Modify
probe
Modify
scoreOverride
signal
Override
comparator
Override
decision
Modify biometrics
reference
Override or modify
data
18

11. #RSAC
Biometrics technologies security
Alacks examples
Biometrics scanners
Spoofing
11
Biometrics search engine
Morphing
Enrollment process
Profile stealing
Profile 1 Profile 2 Profile 3 Profile 4
Presenta:on
alack
Override
comparator
Modify biometrics
reference
19

12. #RSAC
Biometrics liveness detec:on
Interac:ve liveness
Random user ac:ons
«3D» models based on
movements
Environmental liveness
Recogni:on of displays signatures
Recogni:on of paper and phone/
tablet forms
Scanner-based liveness
3D models based on depth
surface, temperature and
pulse analysis
IR images
28

13. #RSAC
Authen:ca:on factors across the channels
13

14. #RSAC
Lessons Learned
14
Voice and face biometrics are easier to integrate and common for
Customers.
Behavioral biometrics is an addi:onal invisible layer of protec:on.
Fingerprints and palm veins – good for physical access and trade acquiring.
Presenta:on alack detec:on is s:ll a challenge: we see poten:al in
mul:modal liveness detec:on (e.g. face+voice or face+behavior).
Server-side processing provides omnichannel approach, but s:ll you need to
es:mate the risks.
On-device processing is s:ll on our radar as the privacy concerns and
regula:ons may change the world quickly

15. #RSAC
RISK-BASED AUTHENTICATION
AS UNIVERSAL SOLUTION

16. #RSAC
Risk-based authen:ca:on
Basic workflow
16
Score ac:on’s risk
level
Select available
auth factors
Define necessary
and sufficient
challenge
1 2 3
Authen:cate by
selected factors
4
• Risk score
• User behavior profile
for anomaly detec:on
• Define available auth
factors
• Check IT-environment
for scanners
availability
• Select appropriate
combina:ons
• Define challenge based
on risk score
Factor i weight Fi
Risk score R
Challenge: Sum (Fi) – R = 0
• Challenge user by
selected factors
• Confirm users iden:ty
?
21

17. #RSAC
Measuring risks
AuthenRcaRon data model
AuthenRcaRon measurement
models
Rule-engine decision maker
• Behavior profile
• Environment data
• End-point device fingerprint
• Ac:on data
• Anomaly behavior
• Change in environment
• End-point device fingerprin:ng
• Ac:on risk scoring
• Set thresholds for interpre:ng measurement results
• Rules for combining results of measurements
• Rules for including external data and models results
• Decision making conveyer
22

18. #RSAC
How to measure auth alempt?
18
Supervised learning Unsupervised learning Rule engine
Based on appeals from
customers or IDS/Fraud
incidents detec:on
User behavior profile for
anomaly detec:on
Set of rules, describing:
• know alacks/frauds
• interpreta:on of
outputs from models
23

19. #RSAC
Authen:ca:on measurement models
Behavior model
Environment score
End-point score
Factors weight
Overall score
User behavior scoring looks at previously
aggregated sta:s:cs of typical user ac:ons
End-point device scoring takes into account device
alributes (model, S/N, hardware etc)
Rule-engine as mandatory component of decision
making for risk-based approach – our approach to
use rules for interpre:ng scores from models
Environment scoring based on geoloca:on, network
provider, IP
24

20. #RSAC
Rule-engine for risk-based models
Rule-engine is mandatory component of decision making for risk-based approach
Interpre:ng models scoring
Defining known alack/fraud cases
Selec:ng available and allowable
authen:ca:on factor
Rule-engine used for:
Composing final decision
25

21. #RSAC
How to measure auth factor’s trust?
21
Frequency of usage by user – how usual this factor is for this user?
«Resistance» to compromising (based on experience) – set by
security experts based on best world prac:ces and experience
Channel type – how secure is channel of registra:on?
Alack sta:s:cs – how much security incidents with this type of
factors?
26

22. #RSAC
How to measure biometrics template’s trust?
Biometrics template enrollment channel
22
Biometrics enrollment sample quality
Step-up bio template confirma:on VS ?
VS ?Liveness detector score
Step-up template confirma:on process
Enrollment environment risk score
27

23. #RSAC
Risk-based transac:on verifica:on
Financial
transac:on scoring
1
Confirma:on of
payment
3
Is transac:on
good?
2
Decline
Allow
Yes
No
Not sure
• Transac:on risk score
• Authen:ca:on risk
score
• User environment, etc.
• What factors available in
this channel?
• What factors are
available for user?
• Supposed fraud case
restricts sufficient auth
factors
• What factors set are
sufficient to ensure
trust?
Models adjustment
4
• Adjus:ng
transac:on and
authen:ca:on
measurement
models according to
confirma:on result
• Transac:on risk score
• Authen:ca:on risk
score
• User environment, etc.
29

24. #RSAC
RBA: Typical transac:on
Legi:mate user
makes a typical
transac:on in a
banking mobile app
RBA checks the pre-requisites
Login+pass Device
“fingerprint”
Geoloca:on, IP-
address, etc.
Behaviour
palern
Transac:on
metadata
Metadata from
the other
systems
Current operaRon paZern:
Entered correctly
from the first try
Known device
with a good
background info
Typical
geoloca:on and
IP-address
Typical
behavioral
palern
Typical
transac:on
No red-flags
from the other
systems, e.g.
SIM-card never
switched, mobile
number never
changed, no
SIEM alerts, etc.
User Risk: low TransacRon risk: low
AcRon: allow transac:on
Result: transac:on allowed with no addi:onal ac:ons from a user
30

25. #RSAC
RBA: Step-Up and De-escala:on
Legi:mate user
makes purchase
abroad
RBA checks the pre-requisites
Login+pass Device
“fingerprint”
Geoloca:on, IP-
address, etc.
Behaviour
palern
Transac:on
metadata
Metadata from
the other
systems
Current operaRon paZern:
Entered correctly
from the first try
Known device
with a good
background info
Non-Typical
geoloca:on and
IP-address
Typical
behavioral
palern
New transac:on
type, but no
fraud-signs
detected
No red-flags
from the other
systems, e.g.
SIM-card never
switched, mobile
number never
changed, no
SIEM alerts, etc.
User Risk: low or medium TransacRon risk: medium
AcRon: allow transac:on or request step-up using addi:onal factor
Result: transac:on allowed aver two-factor authen:ca:on
31

26. #RSAC
RBA: Fraud Preven:on
Fraudster alempts
to make non-legal
transac:on
RBA checks the pre-requisites
Login+pass Device
“fingerprint”
Geoloca:on, IP-
address, etc.
Behaviour
palern
Transac:on
metadata
Metadata from
the other
systems
Current operaRon paZern:
Entered correctly
from the first try
New device, no
background or
red-flags.
Non-typical
geoloca:on and
IP-address
Non-typical
behavior
Risky transac:on
and/or fraud
signs
Red alerts from
the other
systems: e.g.
new mobile
number was
added recently
User Risk: high TransacRon risk: high
AcRon: request step-up using addi:onal factor
Result: transac:on denied because of authen:ca:on failure
32

27. #RSAC
Unified authen:ca:on plaBorm concept
27
Authen:ca:on plaBorm’s API
Biometrics management sub-
system
Basic authen:ca:on sub-
system
Analy:cs and decision
subsystem
External models and data
sources
pwd otp token face voice palm
Bank’s systems Channels ACS Partners
Universal id
Ac:on’s risk measurement
Dynamic challenge selec:on
Mul:factor authen:ca:on
Mul:modal biometrics
Key principles
Addi:onal trust factor for ID
One of the many authen:ca:on
factors
Comfortable tool for end-users
Biometrics role
33

28. #RSAC
Next steps for applica:on
28
Iden:fy and categorize all the authen:ca:on op:ons used
Iden:fy all channels, where authen:ca:on is needed
Create matrix of applicability for channels and auth factor
Set weight’s for auth factors in each channel
Biometric tuning is a must
Integrate biometrics with IAM and fraud-monitoring solu:ons

29. #RSAC
THANKS!
QUESTIONS?
Anton Mitrofanov
admitrofanov@sberbank.ru
Leyla Goncharenko
lkhgoncharenko@sberbank.ru