More and more enterprises are looking to the digital space to advance their security channels. Unfortunately, private banks seem to be struggling to get to grips with this evolution. Consumer opinions are split between a younger cohort who are comfortable with the integration of social, payments and banking digital platforms and an older, more conservative client base that does not necessarily trust the mobile channel.
A juggling act on a tightrope
Financial institutions, and private banks in particular, have a responsibility to protect the financial assets and information of customers who place a premium on privacy and security. Yet they also need to deliver a user experience that is both elegant and simple. Many private banking clients are reluctant to adopt digital channels, especially for high-risk transactions, but to others, one-click checkouts and mobile banking are welcome improvements in speed and convenience, and they expect their banks to continue streamlining their digital interactions without exposing them to fraud.
To add to this challenge, the Revised Payment Services Directive (PSD2) is now heralding an era of open banking, forcing financial institutions that operate in SEPA countries to allow a host of third parties access to their customers’ accounts if they consent to it. In the United Kingdom, the Competition and Markets Authority has underscored the importance of opening access to new entrants, saying that older and larger banks are not having to compete hard enough for consumers’ business. The aim of PSD2 is to foster competition and customer-centric innovation, but this opening-up of customer data will bring with it a host of new fraud vulnerabilities.
Open banking therefore necessitates stronger user and transaction authentication. So, how can a bank add security without adding friction, especially when existing measures such as one-time passwords are already getting such bad press?
There is no magic bullet
An Equifax survey conducted in 2016 by YouGov found that 56 percent of UK banking respondents would favor a biometric login for online banking services. Their desire for a simpler login process is certainly shared by their banks. Biometrics represents a leap forward in usability, but on its own this approach is not fraud-proof. Irreplaceable identifiers like fingerprints, voice patterns and retina scans represent a highly attractive target for hackers.
To avoid their theft and ensure the sustainability of biometric-based security systems, industry bodies and mobile manufacturers require that these identifiers never leave the mobile device on which they were scanned. This means that the identifier is never transmitted to the server side to be matched. A biometric-enabled app then simply attests that the identifier has been matched on the device. The bad news is that a fraudster could very easily attest the same thing – without matching anything at all: a bare "matched" message from an app proves nothing on its own unless the server can tie it to something only the genuine device holds.
Machine learning technology has likewise advanced significantly. It promises improved risk analysis based on past and present user behavior, and on the state of the user’s device when they access digital services. This approach is attractive to banks, because the data used for risk assessment is collected without the user’s direct involvement, which means less user friction.
The problem is that over-reliance on risk-based authentication may not translate into the desired outcome. A false positive (accepting a fraudster as the genuine user) could result in an account breach, and a false negative (rejecting the genuine user) in a declined transaction – a key cause of the current prevalence of abandoned e-commerce carts. Card issuers are finding their top-of-wallet status threatened as consumers resort to competing institutions in frustration over risk-based declines.
What you really need to know
Biometrics and transactional risk analysis can play valuable roles in a layered security regime, but step-up (strong) authentication must be in place to secure high-risk transactions. Globally, regulators are demanding or advising that multi-factor, out-of-band authentication be used for sensitive transactions.
Meanwhile, banking and security companies are pointing to the “digitalization” of security as a trend that tracks closely with the rapid rise of mobile banking and payments. “The mobile phone will be the mass-market solution to the problems of recognition, relationships and reputation,” predicted Dave Birch from Consult Hyperion. “We have said repeatedly that a model based on strong authentication against a local, revocable token held in tamper-resistant memory delivers the right platform.”
So, no – SMS one-time passwords will not be making a comeback. Mobile’s cryptographic capabilities and rich user interfaces offer so much more in security and ease of use. Many financial institutions are fast realizing this as they respond to changes in consumer preferences, fraud vectors and government regulations. Gartner predicts that phone-as-a-token and out-of-band push modes will account for 80 percent of the global authentication market in three years’ time – up from just 15 percent today.
International institutions are making strong statements that align with the direction regulators are taking on strong authentication. Consumers, on the other hand, are more demanding than ever of hassle-free, on-the-go access.
Selecting an authentication solution that combines the best security with low user friction will go a long way to meeting the requirements of these distinct groups, and help prepare private banks for years of swift change. The answer lies in deploying digital certificate technology to the mobile phone for out-of-band, multi-factor authentication, encrypted communication and advanced app security.
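The contrast drawn above, between an app that merely attests a local biometric match and strong authentication against a local, revocable token held in tamper-resistant memory, can be made concrete with a small challenge-response flow. The Go program below is an added illustration written for this edit; it is not Entersekt's product code or any bank's implementation. It assumes a device-bound P-256 key whose use is gated by a local biometric match (simulated here by a boolean reported "by the OS"), a bank server that enrols only the device's public key, and constructed sample data (the user "alice" and the transaction text). The server accepts only a signature, under the enrolled key, over a fresh challenge it issued and the exact transaction text; a bare "matched" claim, a replayed assertion and a tampered transaction are all rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assertion is what the app returns after a local match: no biometric data, just
// the bank's challenge, the transaction the user saw, and a device-key signature.
type Assertion struct {
	Challenge []byte
	Txn       string
	Sig       []byte
}

// Device stands in for a phone whose private key sits in tamper-resistant
// storage and is released only after the OS reports a local biometric match.
type Device struct{ key *ecdsa.PrivateKey }

func NewDevice() *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader does not fail in practice
	}
	return &Device{key: k}
}

// PublicKey is the only thing the bank stores about the device at enrolment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.key.PublicKey }

// digest binds challenge and transaction text, so a signature cannot be moved to another transaction.
func digest(challenge []byte, txn string) []byte {
	sum := sha256.Sum256(append(append(append([]byte{}, challenge...), 0), txn...))
	return sum[:]
}

// Approve models the app flow; biometricMatched simulates what the OS reports.
func (d *Device) Approve(challenge []byte, txn string, biometricMatched bool) (*Assertion, error) {
	if !biometricMatched {
		return nil, errors.New("local biometric match failed; key not released")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, d.key, digest(challenge, txn))
	if err != nil {
		return nil, err
	}
	return &Assertion{Challenge: challenge, Txn: txn, Sig: sig}, nil
}

// Server is the bank side: enrolled keys per user and not-yet-consumed challenges.
type Server struct {
	keys    map[string]*ecdsa.PublicKey
	pending map[string]string // hex(challenge) -> user
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// NewChallenge issues a fresh random nonce for a single transaction attempt.
func (s *Server) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[hex.EncodeToString(c)] = user
	return c
}

// Verify accepts an assertion only if its challenge is outstanding for this user and
// the signature verifies under the enrolled key; forgery, tampering and replay all fail.
func (s *Server) Verify(user string, a *Assertion) error {
	id := hex.EncodeToString(a.Challenge)
	if u, ok := s.pending[id]; !ok || u != user {
		return errors.New("unknown, expired or already-used challenge")
	}
	delete(s.pending, id) // single use, whether or not the signature checks out
	if pub := s.keys[user]; pub == nil || !ecdsa.VerifyASN1(pub, digest(a.Challenge, a.Txn), a.Sig) {
		return errors.New("no enrolled key, or signature does not verify under it")
	}
	return nil
}

func main() {
	srv, dev := NewServer(), NewDevice()
	srv.Register("alice", dev.PublicKey()) // "alice" and the transaction below are constructed sample data
	txn := "transfer 500 EUR to account 1234"
	a, _ := dev.Approve(srv.NewChallenge("alice"), txn, true)
	fmt.Println("genuine:", srv.Verify("alice", a))
	fmt.Println("replay: ", srv.Verify("alice", a))
	forged := &Assertion{Challenge: srv.NewChallenge("alice"), Txn: txn, Sig: []byte("matched=true")}
	fmt.Println("forged: ", srv.Verify("alice", forged))
}
```

Running it with `go run` prints a nil error for the genuine approval and an error for the replay and the forgery. Two properties of the token model fall out of the design: the bank never receives a fingerprint or any biometric template, only a signature, and revocation is simply deleting the enrolled public key for that device.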
Frans Labuschagne is the Country Manager (United Kingdom and Ireland) of Entersekt