Source: Ian Pratley, ValidSoft
Ian Pratley, head of EMEA sales and marketing at ValidSoft, urges banks to take a flexible approach to authentication based on risk assessment at an individual user, transaction and channel level.
Several recent surveys and press articles suggest consumers may be steering clear of online services due to security fears. In order to retain confidence and improve services, banks are looking to implement strong security measures that are easy to use, economical to deploy to the mass market and that also enable business automation.
However, combating online fraud and meeting new regulatory requirements at a time when all budgetary expenditure is being closely scrutinised presents complex challenges.
At the same time, traditional methods of combating fraud – such as hardware fobs – are struggling to keep pace with increasingly sophisticated attacks. Emerging fraud, such as 'Man in the Middle' attacks, can now defeat many methods of authentication, resulting in the need for more elegant and intelligent solutions.
Additionally, hardware devices are expensive to deploy and administer, may not cater for disabled (e.g. visually impaired) users, and the question of who – bank or consumer – will carry the cost of such projects is still being debated. In addition, most authentication solutions are one-way only; i.e. the bank does not authenticate itself to the customer. Consequently, the customer has no assurance that they are indeed dealing with their bank.
Flexible approaches to authentication based on risk assessment, at an individual user and transaction level, would keep the customer's experience simple and compatible with their personal requirements. Solutions are now available with the flexibility to decide selectively when to invoke user authentication, thereby minimising disruption to the customer.
This approach is consistent with that currently used to verify credit card transactions. With fraudsters now attacking multiple banking channels – Internet, telephone banking, smart device/mobile phone banking, new product application and card purchases – banks may wish to implement a consistent authentication 'experience' across these multiple channels.
Stronger security is imperative, and there is no doubt that a holistic approach to fraud prevention is required. Ultimately, from an online banking perspective, customers will want a security solution that provides convenience coupled with peace of mind.
Some customers have multiple bank accounts and may prefer a single authentication device capable of being used for multiple banks and/or credit card providers. Banks may also want to retain their own corporate branding which could be difficult with an industry standard device.
For many banks the price of a solution may currently exceed the cost – or perceived cost – of fraud (consumer confidence and reputation issues notwithstanding). For organisations with millions of customers, the cost may appear prohibitive. However, when viewed as a competitive business enabler this argument can be reversed. Call centre and help desk overheads would be decreased, the customer experience would be improved and consumer wallet share could be increased.
No one can predict the future; however, as many traditional two-factor authentication solutions have inherent weaknesses that can be exploited by sophisticated emerging fraud, banks need a solution capable of evolving as fraud itself evolves. Hardware devices tend to be relatively static, and wholesale redeployment or upgrading may be required to overcome emerging or unforeseen fraudulent techniques.
Authenticating via a secure second channel, such as the phone, provides an intelligent and flexible model that requires no additional deployment to the mass consumer market. The mobile phone is becoming the ubiquitous device on which the mass market is converging. People rarely leave home without their mobile phone, and phones (mobile and landline) are now being seen as the potential device of choice for secure, out-of-band, two-factor authentication across these multiple channels.
Implementing insecure and obsolete technology carries an obvious risk and cost, as does alienating an increasingly aware customer base by mandating devices or solutions that cause inconvenience, confusion and a false sense of security. In reality, banks – and consumers – will ultimately benefit from supporting a number of solutions selected on metrics such as the type of client, the risk of a transaction and the individual customer's preference.
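As an added illustration (not ValidSoft's product code), the decision logic the article argues for can be sketched as follows: a risk score built from user, transaction and channel signals determines whether a request passes without friction, is challenged out-of-band on the customer's registered phone, or is blocked. The channel weights, thresholds, signals and customer profile are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set

class Decision(Enum):
    ALLOW = "allow"                       # low risk: no extra friction
    STEP_UP_OOB = "step_up_out_of_band"   # challenge on the customer's phone
    BLOCK = "block"                       # too risky, or no second channel

@dataclass
class UserProfile:
    registered_phone: Optional[str]       # out-of-band channel; None if unenrolled
    usual_countries: Set[str]
    typical_max_amount: float             # constructed spending profile
    prefers_oob_challenge: bool = False   # customer opts in to always be challenged

@dataclass
class Request:
    channel: str                          # "internet", "mobile", "telephone" or "card"
    amount: float
    country: str
    new_payee: bool
    device_known: bool

# Constructed channel weights. One policy serves every channel, so the customer
# gets a consistent authentication experience across them.
CHANNEL_BASE_RISK = {"internet": 20, "mobile": 15, "telephone": 10, "card": 5}

def risk_score(user: UserProfile, req: Request) -> int:
    """Additive score from channel, transaction and user-history signals."""
    score = CHANNEL_BASE_RISK.get(req.channel, 30)   # unknown channel: be cautious
    if req.country not in user.usual_countries:
        score += 30
    if req.amount > user.typical_max_amount:
        score += 25
    if req.new_payee:
        score += 20
    if not req.device_known:
        score += 15
    return score

def decide(user: UserProfile, req: Request,
           step_up_at: int = 40, block_at: int = 90) -> Decision:
    """Invoke the out-of-band challenge only when risk or preference calls for it."""
    score = risk_score(user, req)
    if score >= block_at:
        return Decision.BLOCK
    if score >= step_up_at or user.prefers_oob_challenge:
        # Fail closed: with no registered phone there is no channel to challenge on.
        return Decision.STEP_UP_OOB if user.registered_phone else Decision.BLOCK
    return Decision.ALLOW
```

Thresholds would in practice be tuned per bank against observed fraud and false-positive rates, and the step-up outcome feeds whatever phone-based challenge the bank operates.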