The fact that ING is considering the use of biometrics for customer authentication is unsurprising. However, the fact that the industry is not already at the stage where this is commonplace perhaps is.
The inherent insecurity of all current counter-fraud systems is that they aren’t directly attached to the individual. Passwords, PINs, magnetic stripes, two-factor authentication and challenge-and-response mechanisms have one thing in common: they are transferable; there is nothing that physically ties them to the person they were issued to. The authentication systems tasked with protecting accounts against unauthorised access are simply waiting to receive the correct series of numbers or text strings, each of which can be copied, handed over, or even forged with a bit of effort.
The challenge for banks is that the high volume and variety of data flowing through their systems must all be verified. Traditional authentication tokens can be presented by anyone, and quite often that is not the person the bank is expecting. This creates opportunities for sophisticated fraudsters to conduct their activity without being noticed.
I’m sure all of us have willingly allowed these rudimentary authentication mechanisms to be compromised at some point, either by giving a family member the PIN for your card, or by giving a colleague the password to your email account to check something for you. With such lax authentication measures in place, it’s not surprising that so many people are suffering some form of fraud loss at the moment.
The darling of these authentication systems in recent years has been chip-and-PIN. However, while the impact of chip-and-PIN technology on decreasing the number of cloned cards and the associated fraud losses has been huge, it was simply a matter of time before fraudsters caught up with this technology too. The largest weakness here is that the PIN is physically stored on the card, along with all the other information a fraudster needs to make successful purchases. Unfortunately, this also makes ‘offline’ PIN verification possible (and, in the UK at least, normal), which means the bank is never consulted directly about the PIN once it has been typed into a device (with the exception of ATMs).
The fact is that all token-based authentication systems are simply not foolproof; they are inherently flawed.
The optimal answer requires a balance between customer experience and security needs. This can be achieved with a combination of biometrics and behavioural analytics. The benefit of these two innovations lies in the fact that they are directly attached to the real customer and very difficult, if not impossible, to forge. A customer has one voice, one retina image and one fingerprint, and, being creatures of habit, a common way in which they go about their business.
Biometric security at least ensures that the individual presenting their identification (fingerprint, retina or voice) is indeed who they say they are. Behavioural analytics provides an additional safety net, needed to prevent account takeover where biometric authentication has failed or been unavailable. This may happen where the individual is threatened, their voiceprint is electronically synthesised or, in extreme cases, body parts are removed, although there are systems to detect whether this is the case.
In a robust implementation, Big Data Analytics will look at every single aspect of an individual, from their typical transaction values, volumes and velocities right through to profiling the product/service providers they engage with. Big Data Analytics can even take a person’s geographical movements into account. Once this profile of ‘normal’ behaviour is created, any and every transaction can be scored against it to see whether it is likely to be the behaviour of the true account owner. Modern high-performance analytics software can now run these models in real time and flag suspicious behaviour instantly, meaning transactions are in no way impeded by the fraud screening.
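To make the profiling step concrete, here is an added example that is not part of the original article and is not ING’s or any vendor’s system. It builds a ‘normal’ profile from a constructed history of card payments (typical amounts, merchant categories, home area and hourly velocity) and scores a new transaction against it. The history, the z-score limit, the 25 km minimum radius and the reason labels are all assumptions made for illustration; a production model would use far more features and learned thresholds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float
    category: str   # merchant category, e.g. "grocery"
    lat: float
    lon: float


# Constructed sample history: ten everyday card payments around London, one per day.
_T0 = datetime(2024, 3, 1, 9, 0)
_LONDON = [(51.51, -0.12), (51.50, -0.10), (51.52, -0.14), (51.49, -0.11), (51.50, -0.13)]
HISTORY = [
    Txn(_T0 + timedelta(days=i), amt, cat, *_LONDON[i % len(_LONDON)])
    for i, (amt, cat) in enumerate([
        (20.0, "grocery"), (35.0, "fuel"), (42.0, "restaurant"), (18.0, "grocery"),
        (55.0, "fuel"), (30.0, "grocery"), (25.0, "restaurant"), (48.0, "grocery"),
        (33.0, "fuel"), (40.0, "restaurant"),
    ])
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


@dataclass
class Profile:
    amount_mean: float
    amount_sd: float
    categories: frozenset
    home_lat: float
    home_lon: float
    radius_km: float     # how far from "home" the customer normally transacts
    max_per_hour: int    # busiest one-hour window seen in the history


def _max_per_hour(history):
    ts = sorted(t.ts for t in history)
    return max(sum(1 for u in ts[i:] if u - start <= timedelta(hours=1))
               for i, start in enumerate(ts))


def build_profile(history, min_radius_km=25.0):
    """Summarise the customer's normal behaviour from past transactions (assumed features)."""
    amounts = [t.amount for t in history]
    home_lat = mean([t.lat for t in history])
    home_lon = mean([t.lon for t in history])
    radius = max([haversine_km(home_lat, home_lon, t.lat, t.lon) for t in history] + [min_radius_km])
    return Profile(mean(amounts), pstdev(amounts), frozenset(t.category for t in history),
                   home_lat, home_lon, radius, _max_per_hour(history))


def score_transaction(profile, recent, txn, z_limit=3.0):
    """Return (score, reasons). `recent` holds the account's transactions just before `txn`."""
    score, reasons = 0, []
    z = (txn.amount - profile.amount_mean) / profile.amount_sd if profile.amount_sd else 0.0
    if z > z_limit:                                   # value far above the customer's norm
        score += 2; reasons.append("amount_outlier")
    if txn.category not in profile.categories:        # merchant type never used before
        score += 1; reasons.append("unseen_category")
    if haversine_km(profile.home_lat, profile.home_lon, txn.lat, txn.lon) > 2 * profile.radius_km:
        score += 2; reasons.append("geo_anomaly")     # far outside the usual area
    in_last_hour = sum(1 for t in recent if timedelta(0) <= txn.ts - t.ts <= timedelta(hours=1))
    if in_last_hour + 1 > 2 * profile.max_per_hour:   # burst of activity
        score += 1; reasons.append("velocity")
    return score, reasons


def is_suspicious(profile, recent, txn, threshold=3):
    return score_transaction(profile, recent, txn)[0] >= threshold


def demo():
    """Score one ordinary and one anomalous constructed transaction against the profile."""
    profile = build_profile(HISTORY)
    later = _T0 + timedelta(days=12)
    normal = Txn(later, 38.0, "grocery", 51.51, -0.12)
    odd = Txn(later, 950.0, "electronics", 6.45, 3.40)  # constructed: large, new category, far away
    burst = [Txn(later - timedelta(minutes=m), 20.0, "grocery", 6.45, 3.40) for m in (10, 20)]
    return {"normal": score_transaction(profile, [], normal),
            "odd": score_transaction(profile, burst, odd)}


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print(f"{name}: score={score} reasons={reasons}")
```

Each feature contributes a weighted reason, so an analyst sees why a transaction was flagged rather than just a number; that explainability matters when a flagged payment is later challenged by the customer. The profile is rebuilt from history here, but in a real deployment it would be updated incrementally as each genuine transaction is confirmed.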
The greatest feature of this approach is that it provides the best possible customer experience – far better than what we have today.
Customers don’t need to carry devices around or remember any passwords – they simply go about their everyday business as normal, and occasionally have to speak, look into a camera, or press their fingers on a pad.
Whilst this hybrid approach of analytics and biometrics is best suited to in-life fraud screening, where the customer is a known entity, if a national database were ever to be created it could be extended to customer acquisition and prove to be a far more effective counter-fraud strategy than we could ever imagine.