Community
“Customers appreciate security” is something I’ve heard time and again. When a big credit card associations wanted to increase user registration to a new eCommerce authentication program some ten years ago, they did a ‘focus group’, and people told them it would be really swell if the bank enforced the new security rather than made it optional. “It shows the card company takes security seriously” was the quote, if I remember correctly. This got me smiling; our own data showed that when you force people to use the new scheme, 20% abandon the eCommerce transaction. I shared that info with the card association, and thankfully they dropped the idea.
I heard it again when UK banks deployed CAP EMV, which are smart card readers that users of online banking must use to send money out of their accounts. Five years later, the only folks who seem to like these controls are the fraudsters who found clever ways to circumvent them. Users don’t really like them, and many of the banks I talked to want to get rid of them.
I’m hearing it again nowadays in relation to a new trend that is hitting the cyber streets: one-time-password codes sent via an SMS (a text message) as a second factor of authentication, proving you’re in possession of the phone on record. Again I’m hearing “customers appreciate security”: I mean, if the bank sends you a one time code because you come from a new location/device, you’re going to appreciate it, right?
The technology first took root in Europe, where several banks in countries such as UK and Spain adopted it several years ago. Australian banks began using it as well, and by now many countries use the method. In the US, text messages were not as prevalent and the secondary authentication remained secret questions (e.g. where did your parents meet?) in most cases.
This is now changing because of a regulation update from the FFIEC, a super-regulator in the US, who says secret questions are rubbish, and something better must be used as a step-up authentication. They are right, of course, but I don’t think anyone considered the usability implications. Banks that must discard secret questions and move to text messages are about to discover the Dark Side of Security.
Sending a 6-digit one-time code via text is a brilliant idea – if it works. Trouble is, there’s a 15%-20% chance it won’t. The following things may go wrong:
Note that I’m not even talking about the level of security SMS codes provide (hint: not that great. Fraudsters have been bypassing it for years using methods like Zeus in the Mobile – Zitmo for short – and more basic stuff like socially engineering the victim to give the code to the fraudster, or doing call forwarding, or changing the user’s phone number at the bank etc.) – I’m just talking about the impact of moving to SMS authentication.
So, what can banks do about this?
The main thing is to reduce the number of high-risk transactions you need to handle with a text message. Today the banks use monitoring technologies that fall into two buckets: transaction-focused intelligence, which looks for anomalous actions, and device-focused intelligence, which looks for a new device, a strange IP geo location or signs that the device is infected with something. Using these controls, the banks get to about 5% of high-risk scenarios that require a secondary authentication. This translates to millions of login events per month or daily (depending on the size of the bank). Every 1% represents thousands of frustrated customers eager to do business with the bank online and failing to do so… But getting it below 5% while not letting fraudsters in is a daunting task, because that’s the practical limit of current risk analysis technologies.
No; cutting the high-risk handling must be done with a new sort of monitoring. Something that goes beyond transactional or device focused traits. Good candidates are technologies that track user behavioral traits, trying to profile the user and see if their interaction with the site is consistent with the past; or technologies that focus on fraudster behavioral traits, which means analyzing the fraud cases for any repeat characteristics in their interaction with the application.
In any case, if banks don’t think ahead of this move, they might find the whole thing turning into a Message from Hell…
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Kathiravan Rajendran Associate Director of Marketing Operations at Macro Global
10 December
Scott Dawson CEO at DECTA
Roman Eloshvili Founder and CEO at XData Group
06 December
Daniel Meyer CTO at Camunda
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.