Banks must master security basics or play catch-up with mobile banking fraud, says Aspect Software
Aspect Software has warned that banks failing to meet the basic requirements of online banking authentication must demonstrate a commitment to investing in, and developing, their security across all channels in order to avoid playing catch-up with increasingly sophisticated fraudsters. Its comments follow this week’s alarming Which? report and super-complaint, which found that more than half of the UK’s big banks are failing to use at least two-factor authentication when customers log in to online banking.
Keiron Dalton, who heads up Aspect’s mobile banking division, noted that there is a concerning gulf between those banks deploying technology to combat growing fraud risks, and those that struggled to provide more than a weaker, password-based solution on login. He said: “Earlier in 2016 both Barclays Bank and First Direct announced they would be rolling out the use of voice recognition technology in lieu of antiquated password protection for managing bank account activity. Among other criteria, these moves have earned the banks a nod from Which? in the report, as they leap ahead of others that aren’t even mastering the basics.”
Dalton continued: “It should be alarming to the whole industry that we are still struggling to universally protect customers with even adequate levels of security when banking with a computer, when the more advanced mobile banking has already dramatically overtaken in terms of usage in the last couple of years.”
In July 2016, the British Banking Association reported that desktop-based online banking had fallen for the first time, while mobile banking had risen. On average, customers logged on to banking websites 4.3m times a day in 2015, down from 4.4m in 2014, while apps went up from 7m logins a day in 2014, to 11m in 2015. Which? also reported that in 2014-2015, losses soared by 64 per cent to £133.5 million for online banking (including mobile) and 28 per cent to £323.3 million for telephone banking.
Dalton said: “The Which? banking security study looked at the 11 banking leaders in the country, which should be leading the pack. More than half need to make bigger demonstrations of their commitment to protecting their customers’ sensitive information and subsequent financial losses. We must see development towards universal frictionless and secure authentication across all channels – including mobile – which is all a customer wants when it comes to their personal banking.”
Dalton said he recognised that there are a number of challenges and influencing factors facing banks that affect their security adoption. Highlighting regulation and channel adoption, he said: “Regulation is a tricky one, because banks are not legally obligated to introduce two-factor authentication into online banking; the most relevant guidelines would be those from the European Banking Authority, which state that payment services providers must use two or more authentication methods to verify transactions. Bearing in mind that the UK is set to leave the EU in the next two to three years, currently there are no similar guidelines in place from the UK Government.
“The other key consideration is that fraud always follows the adoption of channels. Mobile banking has a different set of demands in terms of authentication and of course ample opportunities for exploitation. Mobiles are also increasingly being used by banks that do use two-factor authentication as a way of uniquely identifying the customer. For example, SMS one-time-passcodes can be highly risky when used in isolation rather than part of a multi-step authentication process,” he commented.
He explained: “One interesting development in online and mobile banking is context-based security. Voice recognition should be supported by additional checks performed in a similarly imperceptible way to identify the right information, context and user behaviours to improve both the confidence of the bank and the customer that they have not been compromised. There are also more sophisticated projects in the industry making use of mobile data and geo-location information to develop imperceptible background checks to identify new types of fraud, such as SIM Swap or call divert.
“There is a lot of good work happening to combat potentially devastating fraud types that have seen growth thanks to the advent of mobile banking adoption. Banks that are not meeting these security developments put their customers at risk. They must master the basics or will face significant backlash from rattled consumers,” Dalton concluded.