By Chris Stephens, Head of Banking Solutions at Callsign
In our day-to-day lives, SMS one-time passwords, also known as OTPs, have unintentionally become the default authentication factor when carrying out high risk and confidential transactions online. Banks, telcos, and businesses are opting for this method as SMS OTPs are relatively quick and simple to put in place. In our digital age, this solution works for the majority of users, who more often than not possess a mobile phone and are familiar with the user experience. As a result, companies are using them to securely authenticate both their customers and employees.
When looking into SMS OTPs, businesses should consider the bigger picture and how time- and cost-efficient solutions are as a whole by taking into account other key elements that might have been neglected in the past, such as hidden fees and security vulnerabilities. Apart from this approach, there are also other options better suited to different business needs – the European Banking Authority (EBA) has already recognised other forms, such as employing the secure binding of a device to achieve possession and the use of behavioural biometrics as an inherence factor. For example, earlier this year Google officially began moving away from SMS OTP-based authentication, whilst in the UK both the Financial Conduct Authority (FCA) and UK Finance have recommended that banks reduce their dependence on its use in the longer term. In the past, by contrast, financial institutions were choosing to use this solution because it enabled them to save time on becoming compliant with the PSD2 Strong Customer Authentication (SCA) regulation.
It is common knowledge that SMS OTPs are not without their flaws, and with the extended deadline for SCA for e-commerce less than a year away (September 2021) – is now the best time for the industry to look elsewhere for more intelligent approaches to authentication?
SMS as the go-to solution
Fraudsters are sophisticated criminals, who attack the weakest points in the system – they have observed that banks and businesses heavily rely on SMS OTPs for 2FA (two-factor authentication) transactions, which is why they continue to abuse and weaken existing systems and exploit these solutions for their own benefit. Fraudsters commonly practise SIM-swap – where they steal personal information about the victim and then contact the target’s mobile operator pretending that their phone has been lost or stolen. With lockdown rules constantly changing, not all customers are able to easily visit stores right now, therefore operators are dependent on mobile-authentication channels that are more susceptible to this type of manipulation to service their customers.
SIM-swap fraud can easily be done. As soon as the fraudster has duped the mobile operator, a number transfer is authorised and then activated on a new SIM card – it works by granting cybercriminals access to the victim’s number and consequently all one-time passwords and authentication codes that are sent to that number. In March 2020, Europol warned that SIM-swap scams are a growing problem across Europe, following an investigation that resulted in the arrest of 12 suspects associated with the theft of more than €3 million ($3.3 million).
However, consumers and businesses need to be aware that SIM-swap fraud is not the only method cybercriminals are deploying to intercept OTPs from their victims during the pandemic and beyond.
Spotting a scam
SIM-swap attacks are not the only method scammers are using; there is also a growing number of cases that take advantage of malware and remote access applications to steal SMS OTPs. They do this by socially engineering individuals to download remote access apps or hidden surveillance apps to grant access to the victim’s device, without coming into contact with it. The cybercriminals can, therefore, directly read their messages or secretly record all their texts and phone calls to another device. The unknowing victim’s personal messages, including OTPs, are tapped into by the fraudster using the same approach as SIM-swap attacks. However, this time they also have direct access to the target’s device.
Several different parties are involved in the delivery of OTPs and at each stage of the process there is an opportunity for fraudsters to capture messages. There is also the potential for mass compromise as a result of hidden vulnerabilities in the SS7 network, and the attack surface to consider. With all these in mind, banks need to have a good overview of all data sub-processors to allow them to adopt the most suitable security controls, such as multi-factor authentication (MFA), audit logs, and dashboards.
Watch out for hidden costs
It comes as no surprise that intercepted OTPs result in fraud losses, which quickly increase as hidden fees go unnoticed over time. Beyond the upfront costs of SMS OTPs, such as cost per text, there are also several hidden costs that are difficult to budget for and avoid. They are typically the result of the domino effect of the aforementioned issues – forcing businesses into a reactive mode that is tricky to handle.
As an example, where drop-offs take place in an authentication journey, including when SMS texts are not received, financial institutions need to be ready to manage an influx in calls to their customer service helplines and the associated fees. Or else the customer may decide to use another card to make the payment, which is worse for the bank. This is due to the fact that customers are likely to abandon the use of a card when they are fed up with a customer journey that involves too much unnecessary friction. These abandonments lead to a decrease in interchange fees for banks and could even potentially reduce the customer base for merchants.
Evaluating the user experience
Whilst most consumers possess a mobile phone, SMS is not a reliable solution for everybody. For instance, SMS OTPs are not accessible to those living in remote or low-service locations, who may struggle to receive SMS alerts. This overall experience is also cumbersome as it takes roughly 30 seconds of transaction time for the text to be delivered, compared with the almost instantaneous transactions experienced by alternative authentication approaches, such as biometrics.
In this digital age, businesses are constantly adapting to accommodate different generations including Gen Z who are digital natives – so mobile use is only going to increase and, along with it, the volume of transactions taking place on these devices will also grow. This goes hand in hand with the ever-changing needs and expectations of customers as they look for hyper-personalised online experiences as the new norm. Yes, SMS OTPs are mobile-first, but they do still require the user to switch to another app to view the SMS so they can complete the transaction, which can be annoying for the customer as it interrupts the e-commerce user journey. After a friction-filled experience, it would be unsurprising if the user then decides to abandon the transaction. With this and other existing security implications in mind, the EBA recommends banks adopt other options.
Benefits of behavioural biometrics
Every person has their own unique behaviour and habits when swiping across the screen, which can be tracked through the analysis of the data signals captured from hardware sensors when the user engages with their device. These signals are crucial to designing user features such as finger movement, hand orientation, and wrist strength. Together, artificial intelligence and machine learning provide us with the capability to analyse this information to develop a personalised prototype of that user’s swipe behaviour, which only takes milliseconds to confirm whether the customer is who they say they are. This immediately allows the bank to seamlessly carry out appropriate security actions and stop fraudsters in their path before they can even begin using a target’s device.
Behavioural biometrics is ideal for positively identifying an individual and also effectively identifies bad actors, including when cybercriminals use technologies, such as bots or remote access Trojan (RAT) software, to control transactional flows without the user being aware. This approach to biometrics works on both high- and low-end devices and helps to protect potential victims against both blind (where the fraudster has never observed how the user swipes their phone) and over-the-shoulder attacks (where the fraudster has been able to observe the victim’s swipe movements). Both forms of attack can be detected by unique algorithms, with an accuracy rate of 98%; by layering in device intelligence and locational habits it is the most accurate and robust identification method currently available on the market. By preventing criminal access, even when the attacker has observed the user’s behaviour, it offers an added level of security to businesses and banks that other traditional methods, such as a PIN or password, cannot.
In order for organisations to maintain a competitive edge and successfully navigate through the pandemic, they will need to deliver hyper-personalised journeys to meet consumers’ expectations. They are increasingly looking to bank with or sign-up to services that offer a secure and bespoke service that meets their daily needs during and beyond the pandemic.
Therefore, a holistic approach to security empowers businesses to take back control of their fraud and authentication management. Unfortunately, single point solutions, like SMS OTPs, do not allow businesses to scale or provide enough flexibility to meet these requirements. By adopting a strategic, and intelligence-based, approach financial institutions and organisations will be able to upgrade security measures and enhance the user experience – whilst keeping IT spend low.
The Bank of England partners with Appvia to assist in the design, construction and assurance of a new cloud environment
The Bank of England has appointed self-service cloud-native delivery platform Appvia to support the creation of a new cloud environment.
The announcement follows a public procurement process which commenced in January 2020. The Bank of England will work with Appvia on design, construction and assurance of a modern, fit for purpose cloud environment.
During the two-year partnership, Appvia will be supporting development and project teams within the Bank in testing and deploying code in cloud environments, working with security teams to integrate the cloud into existing operational and security processes; and implementing information governance compliance so staff are able to collaborate safely and securely.
Oliver Tweedie, Head of Digital Platforms at the Bank of England, said, “We have selected Appvia as our Cloud Delivery Partner to help us realise the Bank’s cloud ambitions and unlock the potential of the Cloud. Appvia come with a great pedigree and a wealth of experience delivering Cloud services within government. Working in collaboration with Bank Technology teams, Appvia will help us shape and build the future of Cloud services across our organisation – a key part of our Technology strategy.”
Jon Shanks, CEO and Co-Founder of Appvia, said, “This is an exciting opportunity to work with the Bank as it undergoes a step-change in its approach to the cloud. Harnessing innovative cloud solutions, such as containers and Kubernetes is a real business enabler for the Bank to streamline the software development lifecycle, ways of working and cloud operating model. We look forward to working with all stakeholders at the Bank of England to support its digital transformation journey.”
Appvia, which counts the Home Office among its major clients, is a self-service platform that enables organisations to scale their infrastructure quickly, securely and easily using services such as Kubernetes. In September, Appvia launched the world’s first developer-centric tool to enable teams to predict and control cloud costs.
Solving the Challenges of the Modern Retail Industry with SD-WAN
Three key benefits of SD-WAN can help retailers solve new and old challenges and prepare for an uncertain future
By John Tait, Global Managing Director, TNS Payments Market
As customer needs and preferences change, and as technologies disrupt formerly effective strategies, retailers are confronted by continuous challenges in the modern era.
But no year has been quite like 2020. Mandates ordering the public to stay at home crippled foot traffic earlier this year and, even when physical stores were able to open, social-distancing measures have limited the numbers of customers permitted indoors, while fears of the virus have driven others away.
With new and old challenges impacting the industry, it’s time to think differently. Retailers need to look closely at how technology can support their operations and their customers, secure customer payments and business data, and help them adopt the digital strategies that will be vital in an uncertain future.
One network technology, software-defined wide-area networking (SD-WAN), can offer a host of benefits for retail businesses. At its core, SD-WAN is a way of simplifying the management and operation of a network by decoupling the networking hardware from the way it is controlled. This gives a business the ability to manage network traffic to and from data centres and retail sites or offices, which alleviates network congestion and keeps the network from becoming overloaded. It can be layered on top of any connectivity solution to securely connect users with applications, including apps in the cloud.
But that’s not all it is. Here’s how it can help retailers navigate an ever-changing business and economic climate.
It can support new strategies and modernise operations
Many retailers will have heard the term ‘digital transformation’ and their stores may even be working towards it. The basic premise is that all businesses can boost their overall agility, flexibility, and customer service experience by adopting digital initiatives and technology-based strategies.
For retailers, this can mean creating online storefronts to connect with customers, instead of face-to-face interactions, with cloud-supported e-commerce options and curb-side pick-up options for pandemic-friendly buying experiences. Alternatively, it could mean adding chatbots and customer data management solutions to a website for ways to support customers with a leaner staff. Or implementing contactless mobile payment options for the first time, supported by secure, high-speed connectivity. It can even be as simple as adding a separate Wi-Fi network for customers to use when they’re in a store.
The possibilities for digital transformation are practically endless within the retail space — it all comes down to how daring retailers want to be and how much tech they want to add. But even the more accessible parts of digital transformation incorporate devices and apps that can strain traditional networks and add new levels of complexity around network management. Even simply adding digital displays to stream promotional videos in a store can stretch a network’s bandwidth.
That’s where SD-WAN can come in. Because it can improve network uptime, performance and redundancy, it gives a business the ability to support new strategies and add the latest cloud-based apps while also prioritising business-critical applications like payments. In other words, retailers don’t have to worry that their payments terminal might slow or go down just because they’ve added in-store digital features that also require connectivity, such as customer-facing tablets that let them place orders or view different options, or customer Wi-Fi.
For shops that have shifted to more of an e-commerce/delivery/pick-up strategy, SD-WAN supports secure digital payments while connecting an inventory management system to a payments system and online/mobile ordering portal, so customers can have a smooth experience, and their data remains protected.
It helps retailers embrace and secure the cloud
The cloud is a big part of digital transformation. Retailers’ own operations, like their databases or servers, might not yet be based in the cloud, but they almost certainly use services that are. Tools such as Office 365 and Google Drive, or payments apps like Square are all cloud-based.
Even if retailers aren’t there yet, their vendors are most likely going to push them there. Plus, cloud isn’t just good for the vendors they use; it’s good for retail businesses, too. Many of the aforementioned digital services like e-commerce and chatbots need the cloud to run optimally. Once they’re in the cloud, retail organisations will have a world of possibilities, but to adopt cloud, they need to solve any connectivity issues they may have.
While cloud services allow business-critical applications to be accessed from anywhere, it does add security concerns. A recent IDG survey found 98% of businesses surveyed said securing applications, data and infrastructure in the cloud is “very” or “somewhat” challenging. Almost all of the organisations that IDG surveyed (95%) feel that their current security infrastructure hinders their ability to protect data — including payments data — as it moves to and from the cloud.
SD-WAN allows retailers to lock down cloud access at a branch or location by securing direct access to the public cloud and software-as-a-service (SaaS) apps like Office 365. SD-WAN also adds the ability to boost capacity during times of high network traffic, or failover to a broadband or LTE network. Retailers can quickly deploy new cloud-based apps with secure, reliable internet connectivity.
It boosts security, including customer payments security
SD-WAN allows retailers to deliver alternative payment options such as self-service kiosks and mobile POS. For example, outdoor terminals can be used for restaurants serving patio diners, or tablets that allow staff to check out shoppers from anywhere in a store.
This flexibility regarding where and how payments can be processed is ideal for the consumer, but it can create cybersecurity risks because of more devices and more points of interaction to and from apps or internet breakout. No retailer wants to be featured in the next headline about data breaches or other cyberattacks. This means proper security controls, especially for payments, are critical.
SD-WAN gives retailers a way to securely connect all types of payments options — POS terminals, cash registers, e-commerce gateways, mobile devices, automated fuel dispenser (AFD) pay-at-the-pump systems and more, as well as any other devices and networks within a retail environment.
SD-WAN can also protect sensitive card data. Retailers should opt for best-in-class security protocols like next-generation stateful firewalls (NGFW) (including IPsec VPN tunnels), anti-virus features, URL filtering and SSL packet inspection. Regulatory compliance with PCI DSS security credentials is, of course, also critical within a retail environment, and some SD-WAN solutions available today have been designed to incorporate PCI DSS requirements.
While SD-WAN does offer an upgraded, secure technology that can bolt on to another connectivity layer and reduce the complexity of network management, retailers that don’t have in-house IT staff may still be challenged to successfully implement one. Fully managed solutions remove the hands-on work while giving a business access to all of an SD-WAN’s capabilities. They also add an extra layer of security: with a provider actively monitoring threats and keeping an eye on the network peripherals — all the data going back and forth, and what devices are using them — retailers can keep their network, and their customers’ card data, locked down.
Solving existing and future Challenges
This year has been challenging in many ways and surprises are likely to continue for the next year or so. This uncertain new reality is understandably unsettling for many retailers, but it’s also an opportunity to rethink the way they do business to ensure long-term survival and drive growth, even in a volatile environment.
Implementing an SD-WAN solution can help retailers support digital initiatives and new strategies, deploy and secure modern cloud applications, and secure payments data. With the option of a managed service provider behind the SD-WAN, stores can focus on boosting the customer experience and modernising retail operations instead of managing payments terminals or troubleshooting a network. This will save time and money at a time when everyone needs more of both.
The case for AI technology adoption in financial back-office roles to improve efficiency
By Tomas Gogar, AI CEO, Rossum
In this era, digital transformation isn’t anything new. Nonetheless, it can still cause a lot of confusion and resistance for some companies, many of which are often slow, unwilling or unable to implement the necessary changes to embrace technology. As a result, entire industries are barely scratching the surface when it comes to shifting to the digital world, and many, from the insurance industry to logistics and delivery are still catching up on the digital transformation.
The banking and financial sectors have been notoriously slow in adapting to the online world. They paid a high price for it, giving way to a flurry of incredibly successful new disruptive players, built on cutting-edge tech from the ground up. From Transferwise, Revolut or Venmo, to GoCardless, this new generation of fintech companies addressed consumers’ changing expectations in a way that traditional retail banks simply couldn’t.
To catch up, incumbent players have prioritised the user interfaces, giving the appearance of a digital offering, and oftentimes leaving the back-end infrastructure untouched, and hence the processing power, accuracy and speed unaffected. Back-office functions, although they are essential to the smooth running of a business, have seen very little change and as a result, too many people in these functions are still tied up typing information into spreadsheets and software forms – in fact, manual data entry is a prime example of how many resources the offline legacy wastes. Take Accounts Payable, for example: invoice data entry in this sector is estimated to eat up roughly 100 human lives’ worth of time every single day.
With the significant increase in the number of employees working from home due to the global COVID-19 pandemic, the back-office challenges have suddenly come to light, and finally, companies that got away with minimal changes so far, are realising that they need a structural digital overhaul, and fast. We believe the solution to this is artificial intelligence backed software solutions.
Previous technology-based solutions essentially did half the job, heavily depending on human fact checking. Consequently, these solutions were actually quite cumbersome, time consuming and costly to implement and maintain, and offered only incremental improvements. Now AI automates data processing completely, removing the need for human fact checking (and human error!). Additionally, deployment is massively simplified with an average setup time of one week, compared to about 6 months for previous technologies. AI solutions are also highly adaptable to new formats and scenarios, allowing businesses to test them in, say, one department and to quickly roll out a single unified solution across all functions of the business. Data can be extracted from any invoice layout with no template or rule set-up, saving significant time and effort. Rather than trying to change and standardise a highly fragmented environment (there are about as many invoice formats as there are businesses), AI can work with it, optimise the overall process and offer a unified answer to a fragmented ecosystem.
Taking Accounts Payable as an example again, this is a sector that has relied by and large on Optical Character Recognition (OCR) software solutions in an attempt to remove some of the manual labour involved in reading, processing and filing invoices. Although OCR did improve the processes to a certain degree, ultimately these types of solutions still required long and expensive set-up processes and a lot of manual labour to actually capture the data accurately with templates and manual data entry. Now, with AI software, like the one we have created, this is a solution that makes data extraction simple and easy, saving time and manpower, as well as building on existing infrastructure. It has the ability to transform this industry.
In conclusion, for a sector that has been slow to adopt digital change, AI is THE technology answer that is finally fixing the invisible pain points that businesses had simply accepted as unremovable. AI applied in this way offers a viable way forward and businesses that were notoriously slow and resistant to embrace the digital transition, incentivised to make a change, may actually end up at the head of the pack. Skipping ‘older tech’ and jumping straight into AI solutions, the best scenario available by far, is indeed the smartest, fastest and most cost effective way to transition into the digital world.