From PINs and passwords to biometrics and palm vein readers... are we really becoming more secure?
We are moving to new ways of identification and data security that depend heavily on our physical identities. What will the impact be on our security?
Data and information security is one of the burning concerns of financial services institutions in the Digital Age. Not surprisingly.
Several factors contribute to this. Firstly, financial institutions are under more and stricter scrutiny from regulators than ever. Secondly, more and more day-to-day interactions happen digitally and involve the capture, movement and custody of data.
Thirdly, it is precisely custody of assets and personal data that is quoted by customers as one of the key values they expect to obtain from their banks.
I listened to Penny Hembrow, Global Lead, Financial Services at CGI, late last week, in an interview discussing the Financial Services Consumer Survey and its results drawn from interviews with 1452 consumers. According to her, the top-of-the-list concern for banking customers is protection of their data. And she introduced a very interesting fact. Our bank probably has the most "real" picture of ourselves. We can have different digital personas for different purposes, but our true identity lies with the bank, as does the reality of how we spend our money across our different personas.
That security is top of the list in banking agendas, both retail and corporate, is a fact.
Only this week news of multiple new developments in cyber-security being trialled by banks and financial services have filled the press:
- BNP Paribas is to pilot cards with dynamic CVV codes, replacing the three-figure CVV code on the rear of a card with a small screen display that automatically changes periodically
- WorldPay is trialling facial recognition technology
- Royal Bank of Canada is rolling out conversational biometrics in call centers
- JCB, the Japanese card scheme, is trialling palm vein authentication for cardless payments.
- Mastercard is rolling out a suite of card security measures for online commerce - from 'pay by selfie' biometrics to SMS-delivered one-time passwords - under the brand Identity Check
And on the other side...also in the last 7 days...
- T-Mobile suffered as a result of an Experian data breach exposing data of 15 customers
- Online foreign exchange trading firm FXCM says it has been the victim of a hacking attack that exposed access to sensitive customer information and led to unauthorised transfers
- Donald Trump's luxury hotel chain confirmed that malware might have compromised customer credit and debit card data.
- The American Bankers Association admitted that email addresses and passwords used to make purchases or register for events through its online shopping cart had been compromised.
- A hacker has accused Danske Bank of allegedly leaking confidential customer data in the form of session cookies on its public website
And this was not an isolated week. This is happening all the time.
The obvious response to increased vulnerability has been to tighten security. But my concern is whether it is really making us more secure.
Biometrics started to be used in contact centres, then extended to mobile authentication and now is being trialled in ATMs, retail commerce, etc.
While I recognise the need to increase security and the potential benefits of this sort of identification, I believe most of us would prefer our money to be stolen rather than our biometric information being in the hands of some criminal organisation.
The question to me remains, how do you change your password if it is so linked to who you are? I am aware it is a controversial question, but I think asking the question like that raises the right alarms.
Is it wise to increase asset security at the cost of higher risk to our "physical" personas? Are we moving towards potentially giving somebody a complete picture of the real "us" and allowing them to substitute our identity completely? Are we putting even more data at the disposal of criminal minds and increasing the potential for identity theft that covers both our virtual and physical personas?
But then again, this might have already been thought through more thoroughly than I am giving it credit for.
Looking forward to some of your thoughts!