It is estimated that there are 265.9 million mobile phone users in the United States – the engine driving a whole new digital evolution. With almost 6.5 million apps to choose from, customers are using those mobile apps to transform the way products and services are acquired and forcing a whole new paradigm in authentication.
Banks are ramping up their mobile applications to meet consumer demand for change – or fail. It is the creation of a whole new environment where convenience is king, features are demanded, and transactions are instantaneous. What is also creeping into this consciousness is an entirely new way of looking at security.
In this evolving banking environment, consumers are paying about 2.2 billion dollars to cover bills annually through their mobile app or their bank website. Of the 87 percent of mobile banking customers that use alerts and notifications for fraud, deposits made, and low balances, almost 71 percent have taken action as the result of a mobile banking alert. A consumer study commissioned by Arxan, a security software company, found that although the vast majority of consumers (86%) thought that their banks were doing as much as possible to protect their apps, 41 percent of those consumers also expected that those apps would be hacked.
From the Physical to the Virtual
Like a magic trick, banks are being forced to rethink how they accurately identify a customer. Instead of verification via physical attributes and licenses, they are going to have to identify these customers in a virtual world. It is similar to ID’ing a ghost.
The stakes are high when customers can change banks with just a few clicks. Banks are now forced to build trust among their customers in different ways without making it so difficult for those customers to conduct business. Therein lies the conundrum of balancing security with convenience.
Restoring Consumer Confidence
Online fraud has dampened some of the enthusiasm of customers – bringing the issue of security to the forefront. An Accenture study shows that nearly 80 percent of customers would be willing to use biometrics if it meant tighter security.
Biometrics are now recognized as another authorization tool beyond login and password for consumers’ devices. Using an iris scan to log onto an online banking service gives consumers a convenient yet secure way to prove their identities. Biometrics also add another layer that improves security and customer trust, but they are not foolproof, and not everyone has the tools to use them. So, as leading analysts are advocating, they must be part of a multi-layered or multi-modal approach that includes behavioral analytics and passive biometrics to truly secure the authentication process.
Passive biometrics analyze user behaviors passively, reducing customer friction and adding a deep level of trust that it is the right human authenticating into a secure authenticated environment. While iris scans, or even voice recognition and fingerprints, can be valuable in identifying the user’s physical biometrics, having a full multi-layered solution to identify the user in both a passive and active state creates a nearly un-spoofable way to authenticate a valued customer.
Layered security defenses that combine multi-factor authorization with behavioral biometrics can identify real customers versus imposters and bots versus humans. While hackers can perform account takeovers with stolen information, create synthetic identities on the fly, and even automate human-like takeovers, what they cannot do is reproduce an exact likeness of consumer behaviors, which renders the stolen data useless for further transactions. With a multi-layered approach to security, consumers receive a trusted, convenient experience while keeping their accounts and data safe online.
As banks embark on the path of implementing multi-layered authentication solutions to secure their online transactions, the next step will be continuous authentication as transactions become more automated, instantaneous and tracked across multiple platforms. Similar to a speed pass where an automatic reader charges your account as you go through a toll, the same will hold true for other online transactions from loans and bill payment to shopping or getting an Uber ride. The goods and services will be automatically charged to the consumer’s account. Implementing a multi-modal security solution will strengthen the virtual handshake with the customer by tracking individual behaviors instead of credentials to identify the true customer, and will make stealing a phone or hacking credentials not worth the effort anymore, as they are deemed worthless. Hackers can use stolen credentials and may get around 2-factor authentication, physical biometrics, etc., but they can’t replicate individual behaviors.
About the author:
Robert Capps is an authentication strategist and Vice President for NuData Security. He is a recognized technologist, thought leader and advisor with more than 20 years of experience in the design, management, and protection of complex information systems – leveraging people, process and technology to counter cyber risks.
* Aite Group report U.S. Bank Bill Pay: An Update February 2017