In the face of escalating digital fraud, how can banks balance protecting their customers against overly disruptive identity authentication processes?
In the past two years of rapid digitalization where legions of people new to digital services have had to take the plunge, and where even digitally savvy banking customers have been duped by sophisticated phishing SMSes, banks have been caught in a dilemma.
Implement too many rigid log-in and identity/transaction verification measures and they may lose their customers to the growing range of digital banks and alternative services. Educate customers with frequent reminders about password hygiene, and scammers still outwit the less-savvy users with authentic-looking phishing websites.
According to Angus McDougall, Regional Vice President, Asia Pacific & Japan, Entrust, banks can take the middle ground by adopting advanced identification solutions that use AI and ML to reduce friction while increasing cyber vigilance. He tells CybersecAsia more in this interview:
CybersecAsia: What are the new scams and tactics used to victimize bank customers? What catch-all authentication methods can stop these new and ever-evolving threats?
Angus McDougall (AM): The various types of scams include SMS phishing (smishing) scams, impersonation scams, e-commerce/delivery scams, and love scams.
Besides scams, we have also seen attacks in the form of fraudulent account opening using valid or simulated credentials, takeovers of accounts or sessions via malware or trojan viruses, and payment fraud via unauthorized credit and debit card transactions.
Attacks also tend to target those accessing their accounts over insecure Wi-Fi networks, or banking portals or mobile banking apps that have been compromised.
Reports indicate that around 61% of breaches worldwide are caused by stolen or compromised credentials, which goes to show that multi-factor authentication (MFA) can effectively block the majority of today’s attacks.
The key thing for banks to note is to implement MFA that is frictionless (such as via passwordless access), and is adaptive, to ensure that users are not discouraged by frequent and unnecessary authentication processes.
CybersecAsia: In your view, would returning any monies lost from banking fraud be much better than losing the customers’ trust?
AM: In my opinion, the moment fraud happens, there is already a loss of customers’ trust, regardless of whether the amount is returned or not.
Financial institutions have a lot to lose from fraud. Not only the direct costs of the fraud itself or non-compliance fines, but also indirect costs such as lost customer loyalty.
Given the amount of competition in the space, today’s consumers have more options for who to do business with than ever before. To avoid losing customers, banks and credit unions will not only need to improve their security offerings, but also communicate with customers on how advanced technology keeps their payments and accounts secure.
CybersecAsia: What types of cutting-edge identity authentication solutions are available that minimize friction and even boost user experience?
AM: Best-of-breed security that maintains a seamless and cohesive client experience can begin with:
- Encrypting sensitive information at its source: First, such solutions use ‘tokenization’ and encryption—the process of obscuring personally identifiable information so it is only interpretable to systems or authorized users with the correct security key. Instead of sharing a credit card number directly, banks can provide an encrypted token for each transaction, for example. Even if there is a data breach, the customer’s payment information is unreadable and worthless to hackers.
- Strong but low-friction identity authentication: Processes such as passwordless access, device reputation management, transaction verification, identity verification and adaptive authentication are stronger defenses against banking fraud as they validate both users and devices. Also, behavioral biometrics and user behavior analytics can be used to identify bots and other suspicious behavioral patterns without adversely impacting the consumer experience. At the worst case, these solutions can proactively detect and alert customers (and their bank) about possible fraudulent patterns for quick remediation before any funds are lost.
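The tokenization idea in the first bullet above, as an added example that is not part of the interview or of any Entrust product: a minimal token vault issues a random, single-use token bound to one transaction, so the systems that handle checkout, logging and analytics only ever see the token, and the card number (PAN) can be recovered only by a caller presenting the vault's detokenization key. The vault is assumed to run as a separately access-controlled service; the key name, TTL and sample card number are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: single-use transaction tokens that replace a card number.
# Assumption: this vault runs as its own access-controlled service; everything
# downstream (merchant, logs, analytics) holds only the token.

TOKEN_TTL_SECONDS = 300  # a transaction token is short-lived


class TokenVault:
    def __init__(self, detokenize_key: bytes):
        # Only a digest of the key is kept, so the vault's own storage never
        # contains the raw key an authorized caller must present.
        self._key_digest = hashlib.sha256(detokenize_key).digest()
        # token -> [pan, amount_cents, merchant, expires_at, used]
        self._store = {}

    def tokenize(self, pan: str, amount_cents: int, merchant: str) -> str:
        """Issue a fresh random token bound to exactly one transaction."""
        # 24 random bytes: the token is unrelated to the PAN, so a leaked
        # token store reveals nothing about card numbers.
        token = secrets.token_urlsafe(24)
        self._store[token] = [pan, amount_cents, merchant,
                              time.time() + TOKEN_TTL_SECONDS, False]
        return token

    def detokenize(self, token: str, amount_cents: int, merchant: str,
                   presented_key: bytes) -> str:
        """Recover the PAN only for an authorized caller, a matching unused token."""
        presented = hashlib.sha256(presented_key).digest()
        if not hmac.compare_digest(presented, self._key_digest):
            raise PermissionError("caller is not authorized to detokenize")
        entry = self._store.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, bound_amount, bound_merchant, expires_at, used = entry
        if used or time.time() > expires_at:
            raise ValueError("token already used or expired")
        if bound_amount != amount_cents or bound_merchant != merchant:
            raise ValueError("token is not bound to this transaction")
        entry[4] = True  # single use: a replayed token is rejected
        return pan


def mask_pan(pan: str) -> str:
    """The most a merchant receipt or log line should ever show: last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-detokenize-key")
    pan = "4111111111111111"  # constructed test card number
    token = vault.tokenize(pan, 1999, "merchant-A")
    print("merchant sees:", token, mask_pan(pan))
    print("settlement service recovers:",
          vault.detokenize(token, 1999, "merchant-A", b"constructed-detokenize-key"))
```

Binding the token to amount and merchant, and burning it on first use, is what makes a stolen token worthless: it cannot be replayed, re-priced or redeemed by another party, and without the detokenization key the vault refuses to map it back at all.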
CybersecAsia: Can we conclude that banks whose customers have been victimized have poor security?
AM: The banking industry has been slow to adopt consumer MFA over concerns about adding too much friction. Rather than focusing the discussion on whether MFA is necessary or otherwise, a better way is to look to deploy “smart authenticators,” which apply an almost invisible layer of added protection without aggravating consumers.
Some examples include:
- Behavioral biometrics and user behavior analytics that identify bots and other suspicious activities without adversely impacting the consumer experience
- Adaptive risk-based authentication that poses a step-up challenge to a user only when conditions warrant this—such as a consumer logging in for the first time from a new device or location, or at an odd time of day
Banks should also work together with the relevant government bodies and regulators to ensure a well-rounded approach to security measures. For example, in the wake of the recent OCBC SMS phishing scam in Singapore, industry stakeholders have been working towards an ecosystem approach to strengthen security defenses, which spans government ministries, banks and telecommunication players alike.
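The adaptive, risk-based step-up described in the second bullet above, as an added example (constructed here, not Entrust's or any bank's code): a login is compared against what the bank already knows about the user, a step-up challenge is required only when a signal the interview names is present (new device, new location, odd hour), and a device and location that pass the challenge are enrolled so the next login from them is frictionless. The profile fields, the user's usual hours and the sample events are assumptions for the example; how the hour-of-day profile is learned from history is left out.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed example of adaptive risk-based authentication.
# Assumption: the bank keeps a per-user profile of known devices, usual
# countries and usual local login hours (built from login history).


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)  # local hours 0-23


@dataclass
class LoginEvent:
    device_id: str   # stable identifier of the device or browser
    country: str     # from the client's network location
    hour_local: int  # hour of day in the user's local time


def assess_login(profile: UserProfile, event: LoginEvent) -> Tuple[str, List[str]]:
    """Decide 'allow' or 'step_up' and return the signals behind the decision.

    A returning user on a known device, from a usual country, at a usual hour
    sees no extra challenge. Any of the three signals alone is enough to ask
    for a second factor, matching the conditions named in the interview.
    """
    reasons: List[str] = []
    if event.device_id not in profile.known_devices:
        reasons.append("new_device")
    if event.country not in profile.usual_countries:
        reasons.append("new_location")
    if event.hour_local not in profile.usual_hours:
        reasons.append("odd_hour")
    decision = "step_up" if reasons else "allow"
    return decision, reasons


def complete_step_up(profile: UserProfile, event: LoginEvent,
                     challenge_passed: bool) -> bool:
    """Enroll the device and location after a passed challenge.

    Only a passed challenge teaches the profile anything: a failed one leaves
    it untouched, so an attacker who cannot satisfy the second factor cannot
    make a new device or country look familiar.
    """
    if not challenge_passed:
        return False
    profile.known_devices.add(event.device_id)
    profile.usual_countries.add(event.country)
    return True


if __name__ == "__main__":
    # Constructed profile: one known laptop, logins from Singapore, 07:00-22:00.
    alice = UserProfile({"laptop-1"}, {"SG"}, set(range(7, 23)))
    for ev in (LoginEvent("laptop-1", "SG", 9),
               LoginEvent("phone-2", "SG", 9),
               LoginEvent("phone-2", "MY", 3)):
        print(ev, "->", assess_login(alice, ev))
    complete_step_up(alice, LoginEvent("phone-2", "MY", 9), challenge_passed=True)
    print("after enrollment:", assess_login(alice, LoginEvent("phone-2", "MY", 9)))
```

Returning the reasons alongside the decision is deliberate: they are what the fraud team needs in the audit log to tune the signals, and what a customer-facing message can cite ("new device") without revealing the full risk model.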
CybersecAsia thanks Angus McDougall for his insights.