Simon Rodway, UK pre-sales solution architect at Entersekt, discusses identity as security and how banks can make the authentication process easier for customers.
Improving fraud prevention is something that financial institutions continue to undertake as losses due to fraud increase, damaging banking brands and distressing customers. According to the latest Financial Fraud Action UK figures, fraud losses across payment cards, remote banking and cheques totalled £768.8 million in 2016. Risk-based authentication has become one of the most popular defence strategies used by financial organisations to improve security.
However, while risk-based authentication does reduce fraud, it also creates false positives (i.e. when a user is wrongly identified as a fraudster), leading to a reduction in the number of transactions taking place. The financial institution loses out as customers feel less comfortable transacting, and the customer is left feeling frustrated by the experience. Additionally, while analytics systems may be becoming more intelligent in how they assess risk, fraudsters are becoming more inventive in finding ways around security measures, incorporating similar machine learning techniques in their attacks. On its own, therefore, risk-based authentication is simply not sufficient.
Another solution that banks have long relied on to secure their customers’ accounts and transactions is two-factor authentication. Most of these solutions make use of one-time passwords (OTPs), which are not only frustrating to use, but highly vulnerable to phishing and man-in-the-middle attacks. If fraudsters mimic a bank’s online banking website, or the user’s browser is compromised by malware, for example, the user’s credentials and the OTP can be stolen and used to gain access to accounts, as well as to authenticate fraudulent transactions. Despite their susceptibility to interception and their poor usability, OTPs are still used by many institutions in their fraud prevention approaches.
With PSD2 coming into force earlier this year, there is a growing awareness of the need for an identification process that is secure, yet can be shared across organisations; for a customer’s identity to be uniquely linked to an individual, and for false positives to be kept to a minimum. In fact, a consortium of nine major Swiss service providers (including Raiffeisen and Credit Suisse) recently announced that they plan on providing the country’s consumers with a single digital identity to use when paying for products and services online. Other, similar initiatives are springing forth across Europe, offering ways to secure personal identity through digital signatures, increasing trust between the consumer and the service provider, while limiting opportunities for fraudsters.
In light of the flaws in many current security approaches, and the growing need for institutions to comply with regulations, organisations are looking for new ways to secure both the point of entry and each stage of the transaction process. More and more, financial institutions are turning to strong, cryptographic key-based technology that cannot easily be mimicked, and that is not only secure but also simple and convenient for the customer.
Employing a solution that uses out-of-band authentication is one way to do this. Essentially, out-of-band authentication makes use of a second communication channel to protect customers: transaction authentication requests are sent via this secure channel, inaccessible to fraudsters. The user simply approves the transaction on their mobile device itself. Instead of receiving a notification after the fact – when their money has already been stolen – the user now holds the power to reject the fraudster’s attempt to transfer or withdraw funds before it happens, all from the convenience of their phone. This approach dramatically improves the user experience – a fact that is significant considering that, according to Experian’s 2018 Global Fraud Report, 30% of consumers over age 35 and 42% of millennials would transact more online if there were fewer security hurdles.
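An added example (not Entersekt's code or any product's) showing why the key-based, out-of-band approval described above resists the man-in-the-middle problem that OTPs have: the device signs the exact transaction details it displayed, so a transfer altered in the browser after approval, or an old approval replayed, is refused by the bank. Assumptions: a symmetric HMAC key provisioned at enrolment stands in for the device's asymmetric key pair, and the key, nonce and account details are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed device-bound key, shared at enrolment. Assumption: an HMAC key stands in
# for the per-device asymmetric key pair a real out-of-band product would provision.
DEVICE_KEY = bytes.fromhex("5f1c9a3e7b2d4c6f8e0a1b3c5d7e9f00112233445566778899aabbccddeeff01")


def canonical(obj) -> bytes:
    """Deterministic JSON so both ends MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_request(tx: dict, nonce=None) -> dict:
    """Bank side: bind a fresh nonce to the transaction and push it over the second channel."""
    return {"nonce": nonce or secrets.token_hex(16), "tx": tx}


def device_decide(request: dict, approve: bool, key: bytes = DEVICE_KEY) -> dict:
    """Device side: the user sees request['tx'] on the phone and the app MACs the decision
    together with the exact details displayed (what you see is what you sign)."""
    decision = "approve" if approve else "reject"
    mac = hmac.new(key, canonical({"decision": decision, **request}), hashlib.sha256).hexdigest()
    return {"nonce": request["nonce"], "decision": decision, "mac": mac}


def bank_verify(tx: dict, response: dict, used_nonces: set, key: bytes = DEVICE_KEY):
    """Bank side: recompute the MAC over the transaction the bank is about to execute.
    A changed amount or beneficiary, a replayed approval, or a rejection all fail closed."""
    if response["nonce"] in used_nonces:
        return False, "replayed approval"
    signed = {"decision": response["decision"], "nonce": response["nonce"], "tx": tx}
    expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["mac"]):
        return False, "details differ from what the customer approved"
    used_nonces.add(response["nonce"])  # burn the nonce so the approval is single-use
    if response["decision"] != "approve":
        return False, "customer rejected"
    return True, "approved"


if __name__ == "__main__":
    tx = {"to": "GB00 CONSTRUCTED 00", "amount": "250.00", "currency": "GBP"}
    req = make_request(tx)
    resp = device_decide(req, approve=True)
    print(bank_verify(tx, resp, set()))                          # (True, 'approved')
    print(bank_verify(dict(tx, amount="2500.00"), resp, set()))  # tampered after approval
```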
Financial institutions are being presented with numerous challenges – fraud, regulatory change, complex user expectations – but fortunately they are also offered better, simpler, and more effective ways to manage these challenges. Now is a crucial time for financial institutions to reconsider outdated approaches to security and authentication; to realise that customers want to play an active role in the protection of their identities and to invest in a security solution that also prepares them for the future.