The attraction of significant financial gains from cybercrime, social engineering and the like has made the financial sector one of the most heavily targeted by criminals. At the same time, banks are faced with the challenge of an accelerating switch to online banking, especially mobile, whilst providing a seamless multi-channel experience and fulfilling the customer demand for fast and easy access to personal banking services.
According to Financial Fraud Action UK, financial fraud losses across payment cards, remote banking and cheques totalled £768.8m in 2016, a marginal increase of 2% on the previous year, compared with a 26% jump in 2015. Major drivers for rising financial fraud losses are impersonation and deception scams, social engineering and online attacks – malware and data breaches – that compromise data and target personal and financial information, which is then used to facilitate fraud. Criminals send out emails or text messages, or simply call, pretending to be from a trusted source - the police, a bank, or a government department - and trick their victims into revealing passwords or one-time passcodes, or transferring money directly to a fraudulent account.
Despite increased availability of innovative solutions to prevent criminal attacks - in addition to banks’ continuous investment in detection and verification systems - the number of fraud attempts being stopped has decreased.
Banks try to balance the urge for improved access security of accounts with the delivery of a great customer experience, but this has only resulted in the need for consumers to create and remember more and more passwords and PIN codes. However, password authentication doesn’t scale well; it creates additional cost for help desks, and the availability of technology to crack passwords more quickly is increasing, supported by the patterns of password creation that consumers use. Therefore, new ways of authentication are being developed, explored and implemented.
As financial activity becomes more digitally-based, risks of cyber-attacks, or even loopholes in processes that criminals can use to obtain personal data, have increased. There have been a number of reports in the last 12 months, including attacks against Tesco Bank¹, where hackers stole over £2 million from customer accounts, DDoS attacks bringing banks like HSBC to a standstill², as well as phishing scams³ targeting the customers of all major banks in the UK.
Every serious data breach can harm a company’s reputation, and bolster a customer’s decision to switch banks in an ever-crowded market.
Yet, in some respects, it could also be said that the biggest risk to data and banking breaches is human error. In the effort to address this, financial services firms have all looked to create multiple layers of security, all of which - when combined - cause confusion for the customer, risking apathy that could hinder digital progress.
With PSD2 and Open Banking, the risk of customer data breaches is escalated through the opening of APIs across banking and payment channels. There is currently a debate relating to ‘screen scraping’ – technology which allows third parties to access bank accounts on a client’s behalf by copying their credentials from a website. FinTechs are arguing for screen scraping as they suggest it allows them access to customer data more efficiently. This potential practice is being heavily challenged by banking lobbies with a call for the practice to be banned. In this new world, customers will be exposed to many more companies (albeit third party providers will need to be authorised and regulated) having claim to their data. Customers will be asked to authenticate, or approve, a request for access to their banking data, yet how they do this is still to be fully determined, and biometrics is likely to be the most secure way.
There are many security measures currently available which banks are beginning to utilise – albeit only partially – to combat fraud and have a positive impact on the customer experience. Amongst these, biometrics is rapidly gaining traction - liberating users from having to remember complex passwords or from having some special hardware to hand when they want to transact.
A biometric is a unique credential that users always have with them, for example DNA, a fingerprint or facial features, but any attempt to use a copy, such as photographs, videos or moulded fingerprints, must be successfully detected. One example of the use of biometrics is Apple’s Touch ID. As introduced by the Bank of America, it lets customers sign in to the mobile banking app via their fingerprint. NatWest and The Royal Bank of Scotland were the leading banks in the UK to introduce this option to their customers, offering an emerging solution and reduced friction for the user. Yet this is currently something that can only drive success on a mobile device, and there are limitations on the kinds of transaction this can authorise, often requiring a password after so many uses.
In call centres, we have seen the emergence of voice biometrics. Firms developing this technology have said that every single person has a unique ‘voice print’, and the likes of HSBC and Citi Bank (which received two Gartner Financial Services Cool Business Awards in 2015 for its VBA project) are rolling this out more broadly to help bypass the multitude of login requirements to phone banking.
Fingervein technology⁴ is another example, with firms like Hitachi deploying this within their business. Hitachi’s Vein ID works with a small desktop scanner and is advantageous for larger volume transactions as it is considered to be more secure due to unique vein patterns. After being deployed across Japan many years ago, the reported instances of fraud have all but been eliminated. Indeed, areas such as building security for employment, and transactions at retailers and bank branches, have become much more secure using this technology.
In the meantime, exciting new forms of biometrics are being pioneered by firms such as iProov. Their ‘iProov Verifier’⁵ uses Machine Learning technology, which compares the face “scanned” by a front-facing camera on any device (mobile or PC) with the face originally enrolled by a customer. This solution shows an abstract silhouette of the user’s face to give them a feeling of ownership in the authentication process, just enough to reduce the worry about getting a nice selfie portrait. This, it is argued, is highly secure as no user ‘biometric face imprint’ data is held on the device, and – crucially – it is impervious to static photographic images and even videos of the customer played to the camera thanks to its pioneering “One Time Biometric” technology.
It is innovative solutions like these that will build customer trust in security, making customers comfortable using it and contributing to a much-improved customer experience that minimises friction and even adds an element of fun.
Whilst it can be expensive to implement new biometric solutions, the cost for this must be balanced against several things;
It is time to see a significant shift in the effort to secure customer data, and harness the innovative technologies available in biometrics to deliver a step-change against criminals who wish to exploit vulnerable customers – and ultimately, enhance the customer experience. The financial services firms that get this right will see trust approval ratings increase and deliver a whole new customer base.