Andrius Sutas, CEO and Co-founder of AimBrain, looks at the limitations of secrets-based authentication and the three simple steps that banks can take to enhance security and facilitate innovation.
In this digital world, security is more challenging and demands more resources than ever before. Customer centricity – remote onboarding and eKYC, faster payments, greater interconnectivity between FS providers and any other customer-first initiative – offers unprecedented convenience for the consumer, but places immense pressure on banks and FS providers to offer such services quickly, cost-effectively and, most importantly, securely.
Mobile banking, for example, is undoubtedly one of the greatest things to have happened to the sector. Reducing branch spend, rapidly enabling new products and greater segmentation, remote onboarding… it has been a pivotal step for the industry. But never missing an opportunity are the criminals that seek to dupe, coerce and attack. Mobile banking is particularly susceptible to fraud: Trojan attacks doubled in volume last year against 2016 and increased 17-fold compared to 2015. McAfee also said that it had detected 16 million mobile malware infestations in Q3 2017, double the number of the same period in 2016. Supplement these attacks with omnipresent, large-scale data breaches and you’ve got one marathon migraine coming on.
So, it is no wonder that banks now find themselves in a position of having to pool resources just to defend against mobile account fraud, and that is a single channel in the customer engagement journey. On-device biometric authentication is a patch fix for a problem that is only going to grow; the fact is that the only way to be utterly certain of an individual’s authenticity is by verifying the person, not the device.
Passwords don’t work. It’s not rocket science. Anything that can be intercepted, guessed, hacked or teased out does not work, and the more enterprises continue to rely on passwords and secrets, the more resources they will find themselves throwing at the problem. What’s left? Hardware tokens are antiquated, OTPs via SMS have proven themselves to be dangerously easy to intercept, and push notifications rely on the physical proximity of a device.
So how can banks truly secure customer data, act compliantly and have the freedom and flexibility to innovate? We believe that the strength lies in layering on security, in a simple and easy-to-configure model that is fit for both today’s fraud and the challenges of tomorrow.
Biometrics (how someone behaves, looks or sounds) can fulfil these requirements, and more. Unlike securing the authenticity of a device, biometrics assure the authenticity of the person themselves. And better still – unlike passwords – they are not secrets. They are everywhere! We leave fingerprints wherever we go, our faces are on show, we talk into devices all day long.
This might seem counterintuitive, but it is not the biometric data itself that creates the security; it is the way in which that data is treated. We’re not just talking about templating it using algorithms, which is pretty standard methodology across the industry, but about how to keep it secure.
If someone has your password, they have your password. It’s black and white. If they have a video of you, or a recording of your voice, this might be enough to beat some authentication gateways. So, the key is to continually add challenges to beat the fraudsters and make it impossible for someone to pretend to be the customer, whilst keeping it simple for the customer.
How? We think it boils down to three steps.
- Passive bot detection: feed industry- or enterprise-specific annotated fraud data into a passive anomaly detection module that provides an early warning for behaviours that could signal fraud, whether that fraud is manual or synthetic, as early as the onboarding stage.
- Configuring multiple biometrics: combine and layer biometric challenges (behaviour, bot detection, voice, face and any blend thereof) to create unique combinations of step-up/step-down security rules and weightings on specific outcomes. Use in-session risk-based assessments rather than the binary yes/no of passwords to ascertain a user’s authenticity in an ongoing way.
- Combining simple and smart tests: use the latest stringent anti-spoof and liveness detection (confirming that it is a user and not a representation of a user), marrying simple user challenges with time-sensitive outcomes underpinned by artificial intelligence, such as combining facial authentication with an in-session audio prompt. Simple and secure, and a strong indicator that even though biometrics are public, technology can render them worthless to fraudsters.
These steps will keep banks ahead of the capabilities of even the most sophisticated presentation attacks. We recently launched AimFace//LipSync, which combines facial authentication with a voice challenge and lip synchronisation analysis. A customer can enrol or access simply by taking a selfie and simultaneously reading a randomised number. Nothing strenuous. Pretty simple really. But – we think – impossible to spoof by any method available today. It’s about staying one step ahead of fraud, in a way that minimises inconvenience to the user, and your biometrics partner should have a solid roadmap in place that demonstrates consideration for the fraud we haven’t yet seen.
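The second and third steps above (weighted, layered biometric signals with step-up/step-down rules, and a time-sensitive spoken-number challenge) can be sketched as a small in-session decision policy. This is an added illustration, not AimBrain's code or the AimFace//LipSync implementation; the layer names, weights, thresholds, challenge length and 30-second expiry are assumed values, and the per-layer confidences and lip-sync score are assumed to come from separate biometric modules.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed per-layer weights; a deployment would tune these on annotated fraud data.
WEIGHTS = {"bot": 0.20, "behaviour": 0.25, "face": 0.30, "voice": 0.25}
ALLOW_BELOW = 0.30      # risk below this: the session continues silently (step-down)
DENY_ABOVE = 0.70       # risk at or above this: deny outright
CHALLENGE_TTL_S = 30.0  # assumed lifetime of a spoken-number challenge
LIPSYNC_MIN = 0.80      # assumed minimum lip/audio synchrony score for a step-up to pass

@dataclass(frozen=True)
class Challenge:
    digits: str       # randomised number the user reads aloud while taking the selfie
    issued_at: float  # time.time() at issue; replayed recordings cannot be fresh

def issue_challenge(now=None) -> Challenge:
    # A fresh random number per attempt: a stolen face video or voice clip cannot contain it.
    digits = "".join(str(secrets.randbelow(10)) for _ in range(6))
    return Challenge(digits, time.time() if now is None else now)

def session_risk(signals: dict) -> float:
    """Weighted risk in [0, 1]; each signal is a genuine-match confidence in [0, 1].
    A layer that reported nothing counts as zero confidence, so fewer layers means more risk."""
    risk = 0.0
    for name, weight in WEIGHTS.items():
        conf = min(max(signals.get(name, 0.0), 0.0), 1.0)
        risk += weight * (1.0 - conf)
    return round(risk, 4)

def verify_challenge(ch: Challenge, spoken: str, lipsync: float, now: float) -> bool:
    """Step-up passes only if the right digits were spoken, within the TTL, with lips matching audio."""
    fresh = 0.0 <= now - ch.issued_at <= CHALLENGE_TTL_S
    match = hmac.compare_digest(ch.digits.encode(), spoken.encode())  # constant-time compare
    return fresh and match and lipsync >= LIPSYNC_MIN

def decide(signals: dict, challenge=None, spoken=None, lipsync=0.0, now=None) -> str:
    """Return 'allow', 'deny' or 'step_up' for the current in-session assessment."""
    now = time.time() if now is None else now
    risk = session_risk(signals)
    if risk >= DENY_ABOVE:
        return "deny"
    if risk < ALLOW_BELOW:
        return "allow"
    if challenge is None or spoken is None:
        return "step_up"  # mid-band risk: ask for the selfie-plus-spoken-number challenge
    return "allow" if verify_challenge(challenge, spoken, lipsync, now) else "deny"
```

Because the decision is a continuous risk score rather than a password's yes/no, the same policy can step down (allow silently) when every layer agrees and step up only when the layers disagree or a layer is missing.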
The password is not fit for purpose. Secrets are dangerous. Biometrics are a simple yet secure way of authenticating the person and keeping their valuable data and assets safe.
AimBrain is a BIDaaS (Biometric Identity as-a-Service) platform for global B2C and B2B2C organisations that need to be sure that their users are who they say they are.