Customer engagement solutions expert Aspect Software has warned banks and payment services providers (PSPs) not to use SMS alone for one-time passcodes to authenticate mobile and online transactions, as it could leave users open to identity fraud.
From 1st August 2015, the European Banking Authority’s (EBA) latest guidelines for better protection of online and mobile transactions require PSPs to use multi-factor authentication for complex transactions such as payments. The rules state that the two or more methods of authentication must be independent so they cannot be compromised by each other.
Keiron Dalton, mobile security expert and Director of Cloud Services at Aspect, believes that although these new rulings will rightly encourage PSPs and banks to focus more on security when it comes to mobile and online banking, they may compromise the customer experience and potentially open holes to newer, more sophisticated types of fraudulent activity such as SIM Swap. He said: “These rules will bring about major changes in digital banking. No longer will banks be able to simply provide solutions to customers on the basis that they are quick; they are also going to have to consider how secure their systems are and how much they are protecting customers’ interests.
“The new two-factor authentication process being suggested will require a lot of payment service providers to rethink their current models, which are increasingly using one-time passwords (OTPs) via soft (SMS) or hard tokens (small plastic devices) to complete transactions. Unfortunately, although it is popular, SMS is easy to compromise.”
Dalton continued: “We just need to look at the figures to see that digital banking has left customers vulnerable. A report from FICO in 2013 revealed that card-not-present was the biggest cause of fraud, with over £300 million being taken and banks’ focus on customer experience being the main cause.
“Fraudsters have the capability to access people’s details and have been taking full advantage. For instance, with mobile banking transactions, SIM Swap is fast becoming a favourite technique; this occurs when someone unlawfully obtains a duplicate SIM card for a mobile number, fundamentally re-directing communications – including SMS – back to the hackers. Victims are unlikely to find out until it is too late, leaving their accounts vulnerable for fraudsters to take full advantage,” he explained.
Dalton believes that banks need to act now if they are to be prepared for the implementation of the guidelines in August, and to pay attention to any increased risk surrounding channel choice when it comes to authentication processes.
He said: “PSPs and banks must consider whether an easy and quick mobile banking app is better than a secure one, and the risks that go hand-in-hand with that, or, they can choose to try and strike a balance. Hard and soft tokens are proven to be fit for purpose, but interrupt the natural flow of the transaction; after all, consumers are busy people. With the importance of the customer experience rising thanks to seven day switching and the changing expectation surrounding convenience, technology has a big role to play in almost undetectable verification.
“SIM Swap checks, divert detection, location detection – these are all simple checks that can be performed imperceptibly by the user, but offer strong authentication on the status of the mobile device being used to perform transactions. Using the data derived from smart device use, such as geographical data, anything suspicious is subject to further unnoticeable checks that finally determine whether a transaction is fraudulent or not. The genuine user notices no interruption to their day, and has a great experience,” Dalton explained.
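The checks Dalton lists (SIM swap age, call divert status, location plausibility) can be combined into a channel-risk decision that runs before a bank sends an SMS passcode. The following is an added illustration, not code from Aspect or from the article: it assumes the carrier or network lookup already returns the SIM change timestamp and divert flag (the `DeviceSignals` fields), and the thresholds (72-hour SIM swap window, 500 km location jump) are constructed policy values, not figures from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0


@dataclass
class DeviceSignals:
    """Signals about the mobile line and device, assumed to come from a
    network lookup and the banking app. All field names are hypothetical."""
    sim_changed_at: Optional[datetime]   # when the carrier last issued a SIM for this number
    call_divert_active: bool             # unconditional call/SMS forwarding set on the line
    last_known_lat: Optional[float]      # location of the last trusted session
    last_known_lon: Optional[float]
    current_lat: Optional[float]         # location reported for this transaction
    current_lon: Optional[float]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess_otp_channel(
    signals: DeviceSignals,
    now: datetime,
    sim_swap_window: timedelta = timedelta(hours=72),   # constructed policy value
    max_jump_km: float = 500.0,                         # constructed policy value
) -> Tuple[str, List[str]]:
    """Decide whether an SMS one-time passcode may be sent to this line.

    Returns one of:
      "allow"    - no adverse signal, SMS OTP is acceptable
      "step_up"  - weaker signal (location jump), require an extra factor
      "deny_sms" - the SMS channel itself may be compromised (recent SIM swap or
                   divert); deliver the factor another way (in-app, hard token)
    together with the list of reasons that drove the decision.
    """
    reasons: List[str] = []

    # A SIM issued shortly before the transaction is the SIM swap pattern
    # described in the article: SMS would now reach the new SIM holder.
    if signals.sim_changed_at is not None and now - signals.sim_changed_at < sim_swap_window:
        reasons.append("recent_sim_swap")

    # Forwarding on the line sends the passcode somewhere other than the handset.
    if signals.call_divert_active:
        reasons.append("call_divert_active")

    # Location check is weaker evidence: only escalate, do not block the channel.
    coords = (signals.last_known_lat, signals.last_known_lon,
              signals.current_lat, signals.current_lon)
    if all(c is not None for c in coords):
        if haversine_km(*coords) > max_jump_km:
            reasons.append("location_mismatch")

    if "recent_sim_swap" in reasons or "call_divert_active" in reasons:
        return "deny_sms", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed sample: SIM re-issued two hours ago, device still in London.
    now = datetime(2015, 8, 1, 12, 0, tzinfo=timezone.utc)
    sample = DeviceSignals(
        sim_changed_at=now - timedelta(hours=2),
        call_divert_active=False,
        last_known_lat=51.5074, last_known_lon=-0.1278,
        current_lat=51.5074, current_lon=-0.1278,
    )
    print(assess_otp_channel(sample, now))
```

The point of the three-way result is that a SIM swap or divert is not just a reason to ask for more, it is a reason not to use SMS at all for that transaction, which is what makes the two factors independent in the sense the EBA guidelines require.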
He concluded: “If anything, the EBA guidelines should prompt PSPs and banks to work to retain the ease-of-access approach that has become such a key component of modern banking, but also take responsibility for the protection of their customers. If a provider can’t do that, customers can and will go elsewhere.”