Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

How one retailer fights insider theft with fingerprint readers

Biometric technologies mean many things to many people. Some might think of passing through airport security checkpoints without hassle, while others may have visions of using a fingerprint scan to gain physical access to highly confidential areas.

But in the retail world of Anne Hodkin, director of information technology at Holt Renfrew, a biometrics system has meant the virtual elimination of so-called shrinkage, which is merchant lingo for often significant cash and property losses due to employee theft.

Holt Renfrew, one of Canada's premier high-end fashion and lifestyle shopping retailers, has deployed a fingerprint-based biometrics point-of-sale (POS) system that tracks sales associates' transactions at cash registers.

Deployed in 2001, in its first three months the technology paid for itself in loss prevention, says Hodkin.

And no mistake about it, eliminating shrinkage is a big deal to retailers. The number of dishonest retail employees caught stealing, which runs around 68,994, and the $49.9 million recovered in 2005, was not trivial, according to the recent Retail Theft Survey conducted by Jack L. Hayes International, a consulting firm specializing in loss prevention and inventory-shrinkage control. Their research revealed that the average dishonest retail employee caught stealing cost an employer $724.15 in 2005. This equals almost six times the amount taken by shoplifters, which comes in around $126.87, Hayes International stats showed.

For Holt Renfrew, making sales associates accountable for transactions by requiring fingerprint authentication shows clearly that there are consequences for committing fraudulent transactions, says Hodkin. For instance, Holt Renfrew can view when employees credit a refund to their own credit cards after having logged into the cash register via the fingerprint reader. When that sort of activity occurs, the employee will be fired, she adds.

“Once you catch a few people doing that, it's apparent to anyone else that they'll get caught,” she says.

Holt Renfrew also uses the fingerprint system, from Redwood City, Calif.-based DigitalPersona, to track retail sales employees' time and attendance. Both sides win in this application of biometrics, Hodkin explains.

On the one hand, with a biometrics-based attendance system in place, there's no pressure from peers to cover for others. This has allowed the company to significantly reduce overpayment associated with what's known as buddy punching — one employee using another employees' identification number or password to clock that person in when they are actually absent.

For Holt Renfrew's sales associates, whose compensation is at least partially based on commission, it means they get paid for the sales transactions they handle, Hodkin says. And in regard to time and attendance, paychecks simply are more accurate because paychecks  reflect the number of hours the employee actually worked, and they get paid faster as well.

In addition, Holt Renfrew uses the biometric system to control access to the records of its personal shopper services. These records contain the name, phone number, sizes, personal preferences and recent purchase details of all-important repeat customers. On top of this, these details are used by salespeople to make purchase recommendations when the customer re-enters the store.

Restricting access via the fingerprint system offers two benefits. It not only limits who can view sensitive customer information, but it ensures that only employees with the necessary skills
are allowed to work with valuable repeat customers.

Despite fears in the early stages of implementation that the company's sales personnel would resist the system, the staff really likes it, according to Hodkin.

“Most of the staff are young people, and they want to be accountable for just what they do. With this system, they're absolutely sure that anything registered against their fingerprint is something they did,” she adds.

Holt Renfrew picked DigitalPersona's product for, among other reasons, its small footprint.

“Real estate in the store is at a premium, and we didn't want anything big or clunky,” explains Hodkin. “It's economical and reliable, and we also wanted something discrete, something that would fit in with the ergonomics of our counters. Look and feel is very important to us.”

Slow growth
Despite the success of the Holt Renfrew deployment, adoption of biometric technologies is moving slowly, according to analysts. At the same time, there's increased acceptance of biometrics in both the workplace and in day-to-day life, says Victor Lee, a senior consultant with the International Biometric Group (IBG).

In fact, the New York-based integration and consultancy firm predicts that the market for biometrics will more than double — from $3 billion this year to $7.4 billion by 2012. According to IBG, that growth will be driven by government identity management programs and private sector initiatives, such as consumer ID. As biometric technologies become pervasive by private employers and the government, people are realizing that maybe their original fears were displaced, Lee says.

Breaking adoption rates down, IBG expects fingerprint-based systems to capture 38.1 percent of the biometric market in 2007, with face recognition (19  percent) and iris recognition (7.7 percent) following. Blood vein-pattern recognition, a technique that's been around since the 1980s, will eventually comprise about 10 percent of the market, the company says.

In a similar vein
Shinkin Central Bank, a New York-based bank for more than 300 community banks in Japan, is among the first companies in the U.S. to deploy that latter technology as an access solution. Shinkin is using Hitachi's VeinID product to control physical access to offices where its front- and back-office bonds sales and accounting systems are used, says Takeshi Aoki, Shinkin's deputy general manager.

Like much of today's security-related spending, Shinkin deployed the VeinID system because of financial accounting mandates. To eliminate any chance of fraudulent activity, its front office investment employees, who buy and sell bonds, aren't allowed into the back office accounting area where trades are confirmed, Aoki says.

The VeinID system operates similarly to a fingerprint reader. Both systems first record an electronic image of the finger, then create and store a numerical template that represents the image.

Instead of capturing the ridges and curlicues on the epidermis, as the fingerprint reader does, the VeinID system flashes infrared light through the finger, and a camera captures light reflected off the hemoglobin in the vein. This outlines the finger's vein pattern, which is as unique as a fingerprint, according to Lew Iadarola, Hitachi's North American sales manager, who worked with Shinkin.
Hitachi has sold more than 30,000 VeinID units in Japan, which account mostly for ATMs, but also for physical access to doors and logical access to PCs, Iadarola says. This helps Japanese banks meet government regulations that require enhanced security measures for ATM access, he explains. About 80 percent of the financial institutions in Japan have adopted finger-vein biometrics for ATM access, according to Hitachi.

And, finger-vein authentication systems don't suffer from some of the problems of fingerprint-based solutions, Iadarola says. For instance, vein-based systems can be used in manufacturing environments, where dirty or greasy fingers can make it difficult to get accurate readings with fingerprints.

Fingerprint systems also don't offer what he calls live-finger protection. Hitachi's vein readers contain a secondary security device that senses whether the finger is still attached to a living human, he says.

Ease of deployment
Shinkin selected the VeinID product for several reasons. One is its ease of deployment and use, according to Aoki. He said eye- and palm-based biometric systems are too big for the company's front door. He was also concerned that fingerprint systems would give false readings when employees injure their fingers. But, just as important was the practicality offered by the technology.  Shinkin's employees don't have to carry keys.

“We need only a finger, we don't have to manage keys and we don't have to remember who has keys,” he says.

After enrolling with the system, users merely enter their employee ID number, then place their finger in the reader and it unlocks the door if the employee is authorized to enter that office.

Shinkin has six of the devices, including one controlling access to Shinkin Central Bank's computer room. Aoki says the bank doesn't plan to install vein readers at each workstation, believing that user names and passwords are sufficient for security because of the company's already limited-access environment.

After about a half year using the VeinID product, Shinkin's employees are now getting used to biometric security systems, Aoki says. “Because they understand what biometrics is, they are more willing to use them.”

That doesn't mean there weren't hurdles in the initial going.

“A few of the employees had trouble matching with the registered finger-vein and their actual finger at first,” Aoki recalls. “However, once we adjusted the sensitivity of the system, they have not had any matching problems.”

Fighting the devil
When it comes to deploying biometrics technologies, “the devil is in the details,” says Ben Rothke, a senior security consultant with consulting firm BT INS.

 “I think everyone would agree that biometrics provide effective authentication technologies at a high level,” he says. “But down at the practical level, the devil is in the details, and there are challenges in making biometrics work.”

The most successful implementations, he points out, have been on a smaller scale, generally targeting special problems and issues.

 “For example, we've seen a lot of them in financial applications and in welfare offices, as opposed to rolling out 20,000 units at the desktop in Fortune 500 companies — the huge deployment has always been a challenge.”

The success stories have been in kiosk-based banking and retail point-of-sale, he adds.

“The biggest problem with biometrics, and a lot of security technologies, is that those deploying them don't really know what their problem is and what they want out of it. A lot of companies throw hardware and software at a problem and hope it goes away. PKI [public key infrastructure] in the late 1990s was a good example: A lot of PKI deployments failed because companies didn't know exactly what they wanted to do with it.”

Consulting firms that sell and install biometrics products are seeing more small- and medium-sized businesses (SMBs) than large enterprises deploying biometrics systems. Specifically, they look to fingerprint-based solutions rather than other biometrics technologies, says Cindy Greatrex, the vice president of partner development of Integralis, a systems integrator.

These companies don't want to spend a lot of money on biometrics solutions, she says. For example, fingerprint-based authentication systems are now readily available on many notebook PCs, so they are an affordable choice for small businesses.

Moreover, people see fingerprint applications in day-to-day life, making them more acceptable than before, Greatrex explains. As a result, she says, the owners and decision-makers in the SMB market are more comfortable bringing fingerprint-based biometrics into their businesses.
— Jim Carr

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.