Bank of Scotland has revamped its mobile app in a bid to make logging in a hassle-free three click process.
If the number of log-in attempts is limited (and it should be) AND the bank assumes that "secret information" has not been compromised, then even a 3-digit fixed PIN does the job. (Well, it's easier to shoulder-surf a short numeric PIN than a long alpha-numeric one, but that's another story.)
However, if the phone's OS has been compromised by malware, then none of the options currently used by banks provide adequate security.
Banks seem to operate on the basis that the OS allows for safe app use. In that case, a simpler user interaction makes sense.
It’s good to see the Bank of Scotland focussing on the mobile customer experience. Clearly they see this as a significant competitive advantage, and are promoting it as such, whilst also highlighting the security features of their approach. With mobile, streamlining the login process, enrolment and activation is key if banking apps and wallets are to achieve the adoption needed. When it comes to financial services, consumers want convenience. Mobile can deliver a strong value proposition but achieving the balance between a low friction customer experience and “behind the scenes” strong security is vital. What is clearly still lacking is consumer confidence in the security of the mobile environment, and every high-profile attack on the payments industry further dents consumer confidence. So it doesn’t help at all to read headlines such as “Personal banking apps leak info through the phone” coming rapidly on the back of some of the most high profile data breaches in history. Not scare-mongering – sadly fact.
Fraudsters are relentless and evolve their methods constantly, and it’s easy to form an opinion that the war is over and they have won. However, some reassurance can be derived from the amount of research and innovation that is being invested in the security sector. The evolution to mobile creates some of the greatest opportunities we have to reengineer process flows and remove traditional opportunities for fraud. Real-time checks carried out in parallel at the point of sale can be used to detect and prevent fraud yet without any apparent linkage of the process flows. Such capability creates very complex layered security models that are very difficult for the fraudster to hijack. And even if one or more layers are compromised, the integrity of the process can be preserved.
Alongside the application of such powerful multi-factor, multi-layered invisible technologies is the emergence of innovative low friction “visible” technologies such as Voice Biometrics, with Equal Error Rates low enough to ensure widespread mainstream adoption in both online and mobile banking. Speaking is intuitive and when speaking can be combined with voice recognition and voice biometrics, but in a totally intuitive and “command driven” perspective, in high-fidelity, over the data channel (no call placement required), and where no PINs or passwords or any form of pre-determined security information is necessary, then a paradigm shift has been achieved and mass adoption is inevitable.
Such fiction is in fact reality today, and the technologies are already available, and in the process of being deployed by the most advanced technology adopters on the planet. No bank wants to be on the “bleeding edge” of any technology, but in the race for competitive advantage, and the absolute need to counter the fraudsters, no bank can afford to not be on the “leading edge”.
© Finextra Research 2015