Schalk Nolte, CEO Entersekt, discusses the latest innovations in security, and asks if biometrics alone is secure enough when it comes to banking
Identity fraud is at an all-time high. According to figures from the fraud prevention organisation Cifas, there were almost 173 000 cases of identity fraud in the UK in 2016 – the highest number ever recorded. Last year, identity fraud cost the UK economy £5.4 billion, as revealed by research conducted by Experian in partnership with the University of Portsmouth’s Centre for Counter Fraud Studies. It should therefore come as no surprise that enterprises are increasingly looking to the digital space to improve their security, and private banks are no exception. Their challenge is that customer opinions are split between millennials, who are comfortable with the integration of social media, payments platforms and digital banking, and an older, more conservative client segment who do not necessarily trust this revolution. It therefore becomes a balancing act between a demand for one-click checkouts and all manner of mobile banking features, and a duty to ensure the security of these convenient digital channels, especially for high-risk transactions.
To add to this challenge, the Revised Payment Services Directive (PSD2) is now heralding an era of open banking, forcing financial institutions that operate in SEPA countries to allow third parties access to their customers’ accounts (with the customers’ consent). In the UK, the Competition and Markets Authority has underscored the importance of opening access to new entrants, saying that older and larger banks are not having to compete hard enough for consumers’ business. The aim of PSD2 to foster competition and customer-centric innovation may be commendable, but this opening-up of customer data will bring with it a host of new fraud vulnerabilities. Open banking therefore necessitates the strongest possible user authentication – but will the current developments in security technology be enough?
There is no silver bullet
Biometrics represent a leap forward in usability, but the irreplaceable identifiers they rely on, such as fingerprints, voice patterns and retina scans, are a highly attractive target for hackers: unlike a password, a stolen fingerprint cannot be reset.
To avoid the theft of these identifiers, mobile manufacturers require that they never leave the device on which they were scanned. This means the identifier itself is never transmitted to an application’s server for matching. During a biometric login, the application merely reports to the server that the identifier was matched on the device. The bad news is that a fraudster could very easily report the same thing – without having matched anything at all.
As with biometrics, there have been significant advances in machine learning technology. These promise improved risk analysis based on past and present user behaviour and on the state of the user’s device when they access digital services. This approach is attractive to banks because the data that is used in doing risk assessment is collected without the user’s direct involvement, which means less user friction.
The problem is that reliance on risk-based authentication may not translate into better security. A false-positive authentication could result in an account breach, and a false-negative in a declined transaction – a key cause of the current prevalence of abandoned e-commerce carts. Card issuers are finding their top-of-wallet status threatened as consumers resort to competing institutions in frustration over risk-based declines.
A winning strategy
Risk assessment can certainly help determine which transactions qualify as high-risk, while biometrics can be used as a second factor of authentication. For example, in addition to a password and/or PIN, the user can be requested to present a fingerprint (or, in the case of voice biometrics, speak a phrase) in order to authenticate themselves before being allowed to log in, proceed with a transaction, add a beneficiary, or make a payment. But neither biometrics nor risk assessment can provide foolproof authentication on their own.
Instead, the answer lies in deploying digital certificate technology on the mobile phone to enable out-of-band, multi-factor authentication and encrypted communication. Selecting an authentication solution that combines the best security with low user friction will go a long way in meeting the requirements of both customers and regulatory bodies, and help prepare private banks and other financial institutions for both imminent and future changes.
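The flaw described above (a server that trusts a client-side "biometric matched" flag) and the remedy proposed here (a device-bound key whose signature the server can verify out-of-band) are contrasted in the following added example. It is illustrative code written for this article, not Entersekt's product or any bank's implementation; the `Device`, `Server` and `WeakServerAuthenticate` names, the P-256 key pair standing in for a certificate-backed device key, and the sample user and transaction strings are all assumptions. The signed challenge binds a fresh random nonce to the transaction text so that the approval cannot be replayed or redirected to a different payment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// --- The weak pattern: server trusts a boolean asserted by the app ---

// WeakLoginRequest is what a naive app sends after a local biometric match.
type WeakLoginRequest struct {
	User        string
	BiometricOK bool
}

// WeakServerAuthenticate accepts whatever the client claims. Anyone who can
// craft the request can set BiometricOK to true without matching anything.
func WeakServerAuthenticate(req WeakLoginRequest) bool {
	return req.BiometricOK
}

// --- The hardened pattern: device-bound key signs a server challenge ---

// Device simulates a handset. The private key is generated on the device,
// never leaves it, and is only used after a successful local biometric match.
type Device struct {
	priv             *ecdsa.PrivateKey
	biometricMatched bool
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is what gets enrolled with the bank (in practice, wrapped in a certificate).
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// LocalBiometricCheck stands in for the on-device fingerprint/face/voice match.
func (d *Device) LocalBiometricCheck(matched bool) { d.biometricMatched = matched }

// Sign releases a signature over the challenge only if the local match passed.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.biometricMatched {
		return nil, errors.New("biometric match failed; device key not released")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Server holds enrolled public keys and single-use outstanding challenges.
type Server struct {
	registered map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{registered: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll records the device public key for a user (done once, at registration).
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.registered[user] = pub }

// IssueChallenge returns nonce || action. The action text (e.g. the payment
// being approved) is displayed to the user out-of-band and is part of what is signed.
func (s *Server) IssueChallenge(user, action string) ([]byte, error) {
	if _, ok := s.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	challenge := append(nonce, []byte(action)...)
	s.challenges[user] = challenge
	return challenge, nil
}

// Verify checks the signature against the enrolled key and the stored challenge,
// then discards the challenge so the same signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	challenge, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.registered[user], digest[:], sig)
}

func main() {
	fmt.Println("weak server accepts forged flag:", WeakServerAuthenticate(WeakLoginRequest{"alice", true}))
	dev, _ := NewDevice()
	srv := NewServer()
	srv.Enroll("alice", dev.PublicKey())
	ch, _ := srv.IssueChallenge("alice", "pay GBP 500 to beneficiary 12345678") // constructed sample
	dev.LocalBiometricCheck(true)
	sig, _ := dev.Sign(ch)
	fmt.Println("hardened server accepts genuine signature:", srv.Verify("alice", sig))
	fmt.Println("replay of same signature accepted:", srv.Verify("alice", sig))
}
```

The point of the contrast is where the trust decision lives: in the weak flow the server's only evidence is a claim made by software it does not control, whereas in the hardened flow the server verifies something only the enrolled device can produce, and only for the specific transaction it asked about.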