Retail banks around the world are trying to get to grips with a difficult challenge: how to make their identification and authentication processes secure enough to protect themselves and satisfy the regulators, while balancing that against customers' desire for a frictionless experience. This was one of the key issues debated at a one-day conference held at the Department for Business, Innovation and Skills in London last week.
Attended by experts in e-identity and authentication, people working in some of the largest banks in Europe, and representatives from the European Commission and the European Banking Authority (EBA), the event took place a few weeks after 24 of the 28 EU member-state authorities signed up to the new EBA guidelines on the security of internet payments. Coming into force on 1 August 2015, these guidelines require banks to use strong customer authentication, in which at least one of the security elements a customer provides must be non-reusable. So, unsurprisingly, online payments were a red-hot topic of conversation.
The problem with online payments today is that when consumers buy something online they reach for their debit or credit card. These cards, however, were introduced before the Internet existed and were designed to be presented at the point of sale, with the card and cardholder physically present. Online, the static details printed on the card are enough to pay, so anyone who obtains them can use them. As a result banks are dealing with huge volumes of fraud from online card payments, costing large sums of money and draining resources.
Cards have evolved since their introduction, with chip-and-PIN and, more recently, contactless payment for low-value transactions, but the latter makes cards more, rather than less, susceptible to crime. It is therefore interesting to see the rapid uptake of this innovation, which suggests customers are willing to trade a level of security for convenience, in much the same way as they opt for easy-to-remember passwords for their online accounts.
The problem for banks is that while customers may be happy with this trade-off, the banks and their regulators are not. At the same time, the banks know that to gain and retain customers they need to find ways of delivering a more frictionless online experience. Hence, whether you are a business or a retail customer, you may have noticed the need for your card reader or key-ring number generator (otherwise known as a hard token) diminishing in favour of more convenient methods of online authentication. This is also great news for the banks, as the cost of issuing, replacing and supporting these devices is very high indeed.
However, it was clear during the conference that banks are eager to find ways to strengthen their identification and authentication processes without adding friction, and worryingly many explained how they are investigating use cases for biometrics in all its forms.
In my opinion, there are a number of significant stumbling blocks when it comes to biometrics. Not only the level of investment and management required, and the limited sophistication of the biometric readers on the current crop of 'smart devices', but also the challenge and cost of enrolling all new and existing customers. This is far from the frictionless experience customers want, and banks would be replacing one costly technology with another. These readers also currently feature only on higher-end devices, alienating the majority of customers. And, as one speaker was quick to point out, what happens if a customer using biometrics is a victim of fraud? Criminals will undoubtedly find a way to cheat the system, and a fingerprint or face cannot be revoked and reissued the way a password or token can. So how does a victim then go about proving they are who they say they are?
One of the most insightful observations of the day was that banks can add as many 'layers' of security as they wish, but if they are going to satisfy the customer they need to make the customer feel like they are using just one; any more and the layers feel like barriers. So, whether customers are logging on or transacting via a website on a desktop PC, a browser on a smartphone or tablet, or an app, the process needs to be convenient, reliable and, of course, trusted.
This is why the username, password and memorable-information approach has been so widely adopted: it is device agnostic. So if you want stronger security (and while this approach is strong, it could be stronger) you need a solution that also works across all of these environments, and currently biometric readers are neither robust nor ubiquitous enough to satisfy that requirement.
There was, however, unanimous consensus that using smart/mobile devices is undoubtedly the way forward. These devices offer a way to improve the authentication process for banks without adversely impacting or burdening the customer. Yet rather than biometrics, they can be used to replace card readers or key-ring tokens by augmenting the username-and-password login with a one-time code generated by an offline app residing on the device. Because each code is valid only once, a captured code cannot be replayed, which is exactly the non-reusable element the EBA guidelines call for.
From the bank's perspective this approach is relatively inexpensive compared with hard tokens and biometrics. It can be rolled out rapidly at a regional, national or international level, and it eases the friction for the customer.
Another great benefit of this approach is that, as well as being used for logging on to online bank accounts, it can also be used for swift online transaction verification, meaning online card payments can be afforded a far greater level of protection. That is great news for the banks, which can save millions through reduced fraud, and for customers, who are less likely to become innocent victims.

Author: Steven Hope, CEO, Winfrasoft
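To make the last three paragraphs concrete, here is an added worked example of a device-generated one-time code and its bank-side check. It is example code written for this page, not the author's or Winfrasoft's method, and the article names no particular algorithm: the login code follows the published HOTP/TOTP standards (RFC 4226 and RFC 6238, HMAC-SHA1 over a 30-second time step), while the payment code, which mixes the amount and payee into the HMAC input so that a code approved for one payment is useless for another, is a simplified construction of my own rather than a standard. The secret, amounts and payee name are constructed test data.

```python
import hashlib
import hmac
import struct
import time

STEP = 30        # time-step length in seconds (RFC 6238 default)
DIGITS = 6       # length of the code shown to the customer
WINDOW = 1       # accept codes from +/- one step to tolerate phone clock drift


def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits of the HMAC output at an
    offset chosen by its low nibble, then keep the last `digits` decimal digits."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    This is what the offline app on the phone computes and displays."""
    return hotp(secret, now // step, digits)


def transaction_code(secret: bytes, counter: int, amount_pence: int, payee: str,
                     digits: int = DIGITS) -> str:
    """Code bound to the payment it authorises. Illustrative construction only
    (HMAC-SHA256 over counter || amount || payee); a real deployment would use a
    standard such as OCRA (RFC 6287) rather than this ad hoc layout."""
    msg = struct.pack(">QQ", counter, amount_pence) + payee.encode("utf-8")
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


class OtpVerifier:
    """Bank-side checker. Remembers the highest time step already consumed,
    per purpose, so an intercepted code is refused on any second use."""

    def __init__(self, secret: bytes, step: int = STEP, window: int = WINDOW):
        self.secret = secret
        self.step = step
        self.window = window
        self._last = {}  # purpose -> counter of the last accepted code

    def _check(self, purpose: str, code: str, now: int, compute) -> bool:
        centre = now // self.step
        last = self._last.get(purpose, -1)
        for c in range(centre - self.window, centre + self.window + 1):
            if c <= last:
                continue  # step already used, or older than one already used: non-reusable
            if hmac.compare_digest(compute(c), code):
                self._last[purpose] = c
                return True
        return False

    def verify_login(self, code: str, now: int) -> bool:
        return self._check("login", code, now, lambda c: hotp(self.secret, c))

    def verify_payment(self, code: str, now: int, amount_pence: int, payee: str) -> bool:
        return self._check("payment", code, now,
                           lambda c: transaction_code(self.secret, c, amount_pence, payee))


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key), shared at enrolment.
    secret = b"12345678901234567890"
    bank = OtpVerifier(secret)
    now = int(time.time())

    code = totp(secret, now)                                  # shown by the app
    print("login accepted:", bank.verify_login(code, now))    # True
    print("replayed code accepted:", bank.verify_login(code, now))  # False

    pay = transaction_code(secret, now // STEP, 4999, "ACME Ltd")
    print("tampered amount accepted:", bank.verify_payment(pay, now, 49990, "ACME Ltd"))  # False
    print("genuine payment accepted:", bank.verify_payment(pay, now, 4999, "ACME Ltd"))   # True
```

Two design points matter here. The verifier only ever moves its high-water mark forwards, so a code from an already-consumed step is rejected even when it would otherwise fall inside the drift window; this is the behaviour RFC 6238 requires and is what makes the element non-reusable. And because the payment code is computed over the transaction details, the customer's phone is effectively signing the payment, not just proving presence, which is what lets the same app serve both login and transaction verification.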