

Why banks are moving away from one-time passwords


By Claudius van der Meulen, Entersekt’s SVP Europe

Technology’s rapid evolution means we have said goodbye to countless gadgets and systems that many of us grew up with.

Consider, for example, the SONY Walkman, the telegram, and the once-popular video cassette. While we may remember these relics fondly, we wouldn’t dream of substituting our iPod with a Walkman today. So why, when our technology has developed in leaps and bounds, are we still using the SMS one-time password (OTP) – technology that was developed in the early 80s? Incredibly, this tech is still widely used as an identification and authentication method by many major financial institutions and other organizations, for example, the TAN and PAC codes used by ING Bank. Originally, only a TAN (Transaction Authorization Number) code was sent to a user’s mobile phone to authorize a transaction being made. Subsequently, the PAC (Personal Authentication Code) was added in 2012 to better protect users against online fraud. Even tech giant Facebook offers two-step authentication with SMS, and the DigiD code used to log in to government websites also uses SMS with a one-time password for verification.

Although this method was considered quite safe in its heyday, hence its widespread use, that is no longer the case.

Why is it so important that companies, and banks in particular, replace this authentication method?
Unfortunately, this rapid development in technology has been accompanied by an equally rapid development in new forms of crime. Hackers can easily intercept the authentication codes sent by SMS via the mobile network. Moreover, a cyber thief does not always have to go to the trouble of stealing a password; we change SIM cards regularly, and phone numbers are recycled. If you forget to pass your new details on to your service providers, then when you next try to log in, they will send the authentication code to your old phone number, which may well be in someone else’s hands.

The risks are clear, and the fallibility of SMS OTPs is widely known, so why hasn’t this form of verification been eliminated?
In an industry as highly regulated as the banking sector, large-scale technological changes are a major undertaking, not least because banks have a variety of risks to consider when contemplating this kind of transformation. Implementing a new security system is a huge investment for a bank, which doesn’t always guarantee returns. Also, this new technology can unexpectedly disrupt customers – for instance, because of delays in transactions or limited access to banking details – which then negatively impacts customer satisfaction. Another concern for a bank is whether its customers will embrace the new technologies, especially if they are not easy to use. A bank must also carefully choose the right partner to assist it; one that can provide support with everything from integration to compliance. With so many technology partners and potential solutions to choose from, it’s no wonder banks have taken some time to transition from older methods of authentication.

Competing in a disrupted payments market
Despite these concerns, it is undeniably necessary for banks to move away from SMS OTPs and implement more robust security measures. The world is moving forward in terms of technology and security, and banks must do the same. New regulations, such as PSD2 in Europe, require major change. Today’s customers also expect more in terms of the user experience and will look elsewhere if their needs aren’t met. As such, competition for customers is fiercer than ever, with fintechs entering and disrupting the payments market by introducing new levels of security and user-friendliness. If banks want to stay relevant, then they need to keep up with the changing tides.

The dangers of OTPs
We are slowly starting to see a shift from two-step authentication via SMS to other forms of two-step authentication. For example, ING Bank announced earlier this year that they would discontinue the 30-year-old TAN code, and since last May, Facebook has also offered an alternative to two-step authentication via SMS. New regulations are encouraging this transition: European financial institutions, for instance, now have to offer two-step authentication because of the revised Payment Service Directive (PSD2). To be compliant with PSD2, consumers must be able to explicitly authenticate via a second channel, defined in PSD2 as “strong customer authentication” (SCA). SCA means that consumers now identify themselves with at least two of the three possible factors – which essentially amounts to multi-factor authentication. The three authentication factors are something the person knows (e.g. a password), something the person owns (e.g. a card), and something the person is (e.g. a voice or fingerprint). The implementation of SCA is supposed to make it harder for hackers to commit identity fraud.

So how can banks keep up?
Push authentication technology is a proven and effective alternative to SMS OTPs. Analyst firm Gartner expects that this technology will dominate the authentication market within the next two years. Its appeal isn’t surprising – push authentication does not require the user to switch between mobile banking apps, copy or remember PINs or passwords, or wait for a message to arrive. With this approach, communication between the bank and the user takes place via an isolated, encrypted channel that is not susceptible to the same external attacks as passwords or SMS OTPs. This practically frictionless and highly secure approach offers huge incentives for financial institutions to migrate from OTPs via SMS. A bank that invests in these types of technologies will see a decrease in digital fraud and happier customers as a result. It will be complying with all relevant regulations by opting for a method that utilizes an out-of-band, encrypted channel for transactions, while simultaneously keeping up with changing times, reinforcing its security and enhancing customer experience. In today’s highly competitive and changeable fintech landscape, banks will need to look to new technologies to capture an up-and-coming generation of loyal customers without sacrificing security.
