Innovative User Authentication Techniques: A Shield against Banking Frauds
Sutherland Banking Insights
August 2013
Modern banking distribution model is evolving at a higher pace than ever

Banks are reinventing their distribution channels. This effort is primarily driven by two factors: first, the rising number of digital consumers, and second, the declining return on investment (ROI) from bank branches. Today, banks are gradually moving away from “managing branches” to “managing distribution” across all channels, to provide a superior customer experience through anytime, anywhere banking. The growth in digital consumers has meant the development of robust online and mobile platforms by banks. The lower ROI of branches has meant optimizing branches into effective, efficient sales points rather than mere transaction points. All this has resulted in the growth of non-traditional banking channels such as internet banking, phone banking, mobile banking, and now tab banking.

The evolution of new banking channels is not without challenges. The first and foremost challenge is the security of customer data. Every channel is facing an increasing number of frauds. Newspapers are full of reports on ATM, credit card, online and mobile payment frauds. India reported frauds worth USD 1.35 Bn (INR 86.5 Bn) in the banking sector during 2012-13, four times the USD 0.32 Bn (INR 20.4 Bn) reported during 2009-10.[1] The US loses around USD 2.4 Bn annually to credit and debit card fraud. In the UK, online banking losses totaled ~USD 62.6 Mn (GBP 40 Mn) in 2012, a 12% rise compared to 2011.[2] Fake web sites which trick bank customers into giving away their login details are the main reason for these losses.

The rise in the number of frauds indicates that the fraud prevention methods which were considered adequate in the past are no longer effective. Lack of effective technology is not only bleeding banks but also diluting their goodwill. Who will open an account with a bank whose accounts are being hacked, or choose a credit card provider whose cards are frequently abused online? So, the need of the hour is effective fraud management by banks, and the first step in this direction would be building robust authentication processes and systems.

Authentication methods vary with channels and with products. The effectiveness of these methods is broadly measured by three parameters: ease of use, the security layers offered, and commercial viability. If a method fails on any of these parameters, its mass adoption will be questionable. Easy-to-use preventive measures like signatures (branch), magnetic stripe (cards) and passwords (online/mobile) are considered weak today, as they are not able to prevent frauds. Chip-and-PIN authentication is favored over the magnetic stripe, yet it faces significant resistance in the US, where merchants do not consider it commercially viable. Today, efforts are being made from all corners (government, technology providers and banks) to find suitable authentication tools. Many banks have already started changing their authentication applications; many more will be forced to when losses outweigh the investment required.

[1] RBI, 2012
[2] Finextra, 2013
Biometric and facial recognition authentication tools are being tested in bank branches

Although banking transactions through emerging and modern channels are on the rise, branch banking still commands a dominant share of overall transactions. Today, typical transactions carried out in branches are check deposit, cash withdrawal, and safe deposit box access. The most common methods used to authenticate users are signature, photo identification and thumb impression.

Though the process of signature verification evolved decades ago, it is still predominantly used as the tool for verifying the authenticity of a check. Signature has maintained its legitimacy due to merits such as social acceptance, and, given the availability of sophisticated analyses, it is more difficult to forge than a fingerprint.

However, signature also comes with several challenges. Signature samples from the same person are similar but not identical. In addition, a person's signature often changes drastically during his/her lifetime. Although a signature is difficult to copy, fabricating or forging the signature on a check is among the most common forms of fraud committed against banks. In a fraud case in Australia, Commonwealth Bank could not recover USD 10.7 Mn outstanding on a USD 13.5 Mn mortgage loan from defaulters. The bank had relied on guarantees while sanctioning the loan and sued the customers when they defaulted. Later it was found that the guarantor’s signature was forged. Another such example is the multi-crore Citibank fraud case in Haryana, India in 2011, one of many examples of fraud in banking transactions using fake signatures; in this particular case, multiple checks with forged signatures were used. Currently, several signature authentication software products are available, using various methods to compare the signature on documents. But the need for newer technologies to replace the signature is no longer latent. In fact, new and innovative technologies are being developed which will eliminate the need for handwritten signatures in financial transactions. For example, Getin Bank of Poland is among the early adopters of Hitachi’s finger vein biometric authentication system in its branch network. This lessens the need to show identity cards, and allows customers to make payment orders without a handwritten signature.

An example of biometric verification in branch banking is the implementation of facial recognition by HSBC in one of its branches in the European Union for access to its vaults. This solution helps avoid unauthorized access to the vault.
Three-factor authentication will be the new model for online banking transactions

Growing penetration of internet and mobile, and affordable smart devices, have led to the Internet becoming the preferred medium for financial transactions. Apart from convenience and round-the-clock availability, online banking also introduces unwanted security threats. Currently, verification of the online banking user is done using one or a combination of methods like “User ID and Password” and “two-factor authentication”. Two-factor authentication adds an additional security layer to the User ID and Password method. It uses a separate channel, apart from the login details, to identify the user. The user begins with the login and then immediately receives an automated notification requiring them to go through another channel to complete it. The other channel could be a token (a device which generates a random number) or a One Time Password (OTP), which is sent as an SMS to the registered mobile number. In rare cases, the bank also verifies the IP address of the machine from which the transaction is being made. If the IP is different from the regularly-used machine, further authentication methods, such as a phone call which prompts the user to approve the authentication, are applied. Even though more efficient and secure, two-factor authentication is not a foolproof method: a two-factor authentication system operated by Dutch bank ABN Amro was compromised and money was stolen from the online accounts of customers who fell for a phishing scam.[3]

Tools using two-factor authentication have their own limitations. Tokens are expensive and have to be carried everywhere, thereby limiting the mobility advantage that online banking offers. OTP delivery can take time, depending on the availability and quality of the mobile network connection. These challenges faced by current authentication methods, along with technology advancement and the wide reach of smartphones, open the door for the introduction of three-factor identity verification. In three-factor authentication, along with the password and an OTP that appears on their token or mobile phone, users will have to present something that they possess, which would conclusively prove their identity. This third factor could be captured using either an application installed on the customer’s smartphone or an in-built feature or capability of the device. Fingerprint, retinal image and voice are some examples of the third factor. If the user’s device is not technically capable of capturing the third factor, banks can authenticate the user by providing them a device capable of capturing and transmitting the biometric information, for example a fingerprint scanner or an external camera that can be plugged into the computer.

The new models of authentication in online banking are in different stages of evolution and are yet to be commercialized. Building a reliable infrastructure to capture and verify biometric information at a reasonable cost is critical to the successful creation of an ecosystem facilitating three-factor authentication. Advancement in storage technology (the emergence of cloud storage), along with cheaper and technologically-advanced smartphones, is contributing positively to this goal. In many countries, two-factor authentication is compulsory for performing online financial transactions, and with the growing usage of online financial transactions, advancement in technology, and the increasing penetration of these technologies, adoption of three-dimensional authentication looks like a natural progression for banks globally.

[3] The Register
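The login-then-OTP sequence and the IP-address step-up described above, as an added example; this is not code from the original article or from any bank's system. It is a server-side model in Python with constructed data: a PBKDF2-hashed password as the first factor, a one-time code for the second channel that is single-use, time-limited and limited to a few attempts, and a step-up flag when the source address is not one the customer has used before. It goes one step beyond the text by binding the OTP to the transaction's amount and payee, so a code phished for one transfer cannot authorize a different one. The server key, the salt, the user record and the TEST-NET addresses are all constructed placeholders.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 120          # code must be used within two minutes of issue
OTP_MAX_ATTEMPTS = 3           # stop online guessing of a six-digit code
SERVER_OTP_KEY = b"constructed-server-key"   # in production: HSM or secret store
SALT = b"constructed-salt"                   # in production: per-user random salt


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed customer record, not real data. "known_ips" models the
# "regularly-used machine" the article says some banks check.
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse", SALT),
        "known_ips": {"203.0.113.10"},   # RFC 5737 TEST-NET address
    }
}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        hash_password(password, SALT)    # same work for unknown users (no timing tell)
        return False
    return hmac.compare_digest(rec["pw_hash"], hash_password(password, SALT))


def first_factor(user: str, password: str, source_ip: str) -> dict:
    """Factor 1 (something the user knows) plus the IP-familiarity decision."""
    if not check_password(user, password):
        return {"ok": False}
    unfamiliar = source_ip not in USERS[user]["known_ips"]
    # An unfamiliar address does not fail the login; it demands the extra
    # confirmation step (the article's example is a phone call to the customer).
    return {"ok": True, "otp_required": True, "call_back_required": unfamiliar}


def otp_digest(otp: str, txn: dict) -> bytes:
    # Bind the code to what it authorizes: a code obtained by phishing for one
    # payee/amount verifies against nothing else.
    msg = f"{otp}|{txn['amount']}|{txn['payee']}".encode()
    return hmac.new(SERVER_OTP_KEY, msg, "sha256").digest()


class OtpStore:
    """Server side of the second channel: issued codes, keyed by session."""

    def __init__(self):
        self.pending = {}   # session_id -> {"digest", "expires", "attempts"}

    def issue(self, session_id: str, txn: dict, now: float) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {"digest": otp_digest(otp, txn),
                                    "expires": now + OTP_TTL_SECONDS,
                                    "attempts": 0}
        return otp   # goes to the SMS gateway, never back to the web session

    def verify(self, session_id: str, otp: str, txn: dict, now: float) -> tuple:
        rec = self.pending.get(session_id)
        if rec is None:
            return False, "no pending otp"
        if now > rec["expires"]:
            del self.pending[session_id]
            return False, "expired"
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], otp_digest(otp, txn)):
            del self.pending[session_id]      # single use
            return True, "ok"
        if rec["attempts"] >= OTP_MAX_ATTEMPTS:
            del self.pending[session_id]      # lock this code after repeated misses
            return False, "locked"
        return False, "mismatch"


if __name__ == "__main__":
    store = OtpStore()
    step1 = first_factor("alice", "correct horse", "198.51.100.7")   # new address
    print("first factor:", step1)
    txn = {"amount": "1000.00", "payee": "ACME"}
    code = store.issue("session-1", txn, now=0.0)          # would be sent by SMS
    print("wrong payee:", store.verify("session-1", code, {"amount": "1000.00", "payee": "OTHER"}, now=5.0))
    print("right txn:  ", store.verify("session-1", code, txn, now=5.0))
```

The `now` parameter is passed explicitly so expiry can be exercised deterministically; in a service it would be the wall clock. The store keeps only the HMAC of the code, so a read of the server's memory or database does not reveal outstanding codes.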
EMV technology is being adopted across the globe

Presently, ATM transactions require either traditional authentication (e.g., a magnetic stripe card) or two-factor authentication. As with online transactions, in ATM transactions with the two-factor authentication process a user authenticates his identity using two factors: one is something he knows (e.g., username and password, or the ATM PIN), and the other is something he has, that is, the ATM or debit card. Traditional magnetic stripe cards use signature-based authentication. The customer’s account information is stored on the magnetic stripe. This method has a disadvantage: the customer’s card information can be copied by skimming devices. Once a fraudster skims a card, he can create a fake or cloned card with the details and use it for purchases. Two-factor authentication is used by EMV (Europay, MasterCard and Visa standard) cards. EMV cards are chip-based, which provides much greater security and makes them far less vulnerable to security breaches than the currently prevalent magnetic stripe cards. Unlike magnetic stripe cards, EMV card data is held in an encrypted chip, which makes the card very difficult to clone. It has the additional level of security of a personal identification number (PIN). The use of EMV cards with PIN reduces the number of frauds but does not eliminate them completely. Password effectiveness depends on its secrecy. Many frauds have been registered that used methods such as Trojan horse attacks, eavesdropping, and social engineering, which reduced the effectiveness of this method.

Recently, in May 2013, there was a USD 45 Mn ATM cash-out attack in New York. The operation included sophisticated computer experts operating in the shadowy world of internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines. Such incidents have exposed banks’ vulnerability to fraud. Banks are required to adopt more sophisticated methods of authentication, i.e. three-factor authentication, which will also include biometric authentication. Since biometric identifiers are inherent to an individual, these traits are more difficult to manipulate, share, or forget. Hence, biometric traits constitute a strong and reasonably permanent link between a person and his identity. Biometric authentication can be done through fingerprints or through veins; the second option is more reliable. Finger vein pattern is a good option because veins leave no trace or information that can be used to duplicate the biometric data, and they are completely hidden and unexposed during the authentication process. It also has other advantages such as flexibility, compactness, and extremely high accuracy. The challenge in implementing this process is its high cost. Upgrading existing machines to accept biometric authentication is complicated, hence new machines with the biometric feature will be required, which will significantly increase the cost.

What’s next for authentication at ATMs?

Irrespective of these technologies, there have been many fraudulent activities. Three-factor authentication using biometrics will become more popular. Fingerprint readers are already quite common on laptop computers. Use of facial recognition, voice recognition, hand geometry, retina scans, etc. will become more common as the technology develops and the price drops. Facial recognition is being tested in banks; the technology captures images of the customer's face via their webcam and uploads them to the software. Each time the customer logs on, the facial-recognition technology compares their face to multiple facial images to confirm the customer's identity. The obvious advantage of these biometric systems is that they make physical cards, which are prone to being stolen, redundant.

Biometric authentication will reduce frauds at POS

Point of Sale (POS) terminals are increasingly risky to transact at, as there are regular cases of customers being cheated when cards are used at petrol pumps, restaurants or any retail shop. There is a high probability that retailers may skim the data from the magnetic stripe and use it later for fraudulent activities. For many years, the card validation code (CVC) has been the only electronic security component for payment card transactions based on magnetic stripe technology. The challenge with this authentication is that the CVC value is static and does not change with each transaction. Also, CVC values can only be validated online, as they provide no data protection offline. The advent of chip card technology paved the way for using more active cryptographic technology to authenticate the card. Today, many POS terminals use offline authentication options along with chip card technology.

In 2011, Michaels Stores in the US replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. POS skimming can be done in three ways: pre-compromised POS terminals, fake POS devices, and do-it-yourself kits that include all parts, wiring and instructions needed to modify an existing POS terminal. In the case of POS too, banks have to move towards biometric authentication. Fingerprint recognition is used as the standard of identification. Besides fingerprint recognition, password recognition can also be used in the system.
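The contrast drawn in the EMV and POS passages above, between static stripe data that skimmers copy and chip-based cryptographic authentication, as an added example; it is not from the article and is not an EMV-conformant implementation. It is a simplified Python model of both issuers. The stripe issuer can only compare a static CVC, so a captured message verifies again with any amount. The chip issuer verifies an HMAC computed with a card-unique key over the card's transaction counter, the amount and a terminal-supplied unpredictable number, and rejects a replayed counter or an altered amount. The issuer master key, the test PAN and the message layout are constructed; real EMV cryptograms use a different key-derivation scheme and MAC algorithm.

```python
import hmac
import secrets

TEST_PAN = "4111111111111111"   # constructed test card number, not a real account


# ---- Magnetic stripe model: the authenticator is static ---------------------
class StripeCard:
    """Everything on the stripe is read in full by any reader, including a skimmer."""

    def __init__(self, pan: str, cvc: str):
        self.track = {"pan": pan, "cvc": cvc}

    def present(self, amount: str) -> dict:
        return dict(self.track, amount=amount)


class StripeIssuer:
    def __init__(self, cvc_on_file: dict):
        self.cvc_on_file = cvc_on_file

    def authorize(self, msg: dict) -> bool:
        # The only check available: the static CVC equals the value on file.
        # Nothing in the message is specific to this transaction, so a copy replays.
        return hmac.compare_digest(msg["cvc"], self.cvc_on_file[msg["pan"]])


# ---- Chip model: a fresh cryptogram for every transaction -------------------
def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Card-unique key personalised into the chip; the master key stays with the issuer."""
    return hmac.new(issuer_master_key, pan.encode(), "sha256").digest()


def cryptogram(card_key: bytes, pan: str, atc: int, amount: str, un: int) -> bytes:
    """Simplified cryptogram: a MAC over the fields that must not be altered or reused."""
    msg = f"{pan}|{atc}|{amount}|{un}".encode()
    return hmac.new(card_key, msg, "sha256").digest()[:8]


class ChipCard:
    def __init__(self, pan: str, card_key: bytes):
        self.pan, self.card_key, self.atc = pan, card_key, 0

    def present(self, amount: str, un: int) -> dict:
        self.atc += 1   # application transaction counter, maintained inside the chip
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "un": un,
                "arqc": cryptogram(self.card_key, self.pan, self.atc, amount, un)}


class ChipIssuer:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_atc = {}   # pan -> highest counter already authorised

    def authorize(self, msg: dict) -> tuple:
        key = derive_card_key(self.master_key, msg["pan"])
        expected = cryptogram(key, msg["pan"], msg["atc"], msg["amount"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False, "bad cryptogram"     # amount or another field was altered
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False, "replayed counter"   # a captured message presented again
        self.last_atc[msg["pan"]] = msg["atc"]
        return True, "approved"


def terminal_unpredictable_number() -> int:
    """The terminal's per-transaction nonce (constructed size; EMV uses 4 bytes)."""
    return secrets.randbelow(2**32)


if __name__ == "__main__":
    stripe_issuer = StripeIssuer({TEST_PAN: "123"})
    captured = StripeCard(TEST_PAN, "123").present("50.00")
    print("stripe, original:", stripe_issuer.authorize(captured))
    print("stripe, copy with new amount:", stripe_issuer.authorize(dict(captured, amount="999.00")))

    master = b"constructed-issuer-master-key"
    chip = ChipCard(TEST_PAN, derive_card_key(master, TEST_PAN))
    issuer = ChipIssuer(master)
    first = chip.present("50.00", terminal_unpredictable_number())
    print("chip, original:", issuer.authorize(first))
    print("chip, same message again:", issuer.authorize(first))
    print("chip, altered amount:", issuer.authorize(dict(first, amount="999.00")))
```

The monotonic counter check is what turns "far less vulnerable" into a concrete property: a skimmer that captures a full chip message gains nothing, because the issuer will not accept that counter value twice and cannot be given a new one without the key held in the chip.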
Voice recognition is gaining ground in phone-banking operations

In voice authentication, a user provides his authentication in person or remotely via a microphone attached to a computer, or through a mobile or fixed-line phone. Like other biometric characteristics, a person’s voiceprint is unique and can be used remotely. Since the voice process does not require users to get their retina or fingerprint verified, it is more user-friendly than other biometric authentications. Whenever the user wants to access his financial data, he provides a sample of his voice. The authentication system then accepts or rejects the authentication based on the voice sample match.[4]

Barclays Wealth and Investment Management has been using voice biometrics from Nuance’s voice-recognition tool to streamline authentication when clients call the bank. Nuance’s software verifies the customer's voice before allowing him to carry out transactions. By May 2013, 84% of Barclays’ customers were enrolled in the system, with 95% of those customers successfully verified in successive calls. Among all the biometric options available, voice recognition will probably be the most cost-effective tool, especially for phone-banking operations. It not only streamlines the authentication system but also drastically reduces the agents’ time per customer to manage calls. In the case of Barclays, the cost saving brought by the system has already exceeded its initial investment. Voice as an authentication tool is also finding its application in mobile banking. USAA, which offers financial products and services to more than 9.4 Mn members of the US military and their families, has added voice recognition to its iPhone app.[5]

[4] SANS
[5] American Banker

Regulations and authentication tools

Today, customers have multiple options to interact with their banks, thanks to new technologies and process innovations. However, the role of regulators around the world has been unique. The regulators have not only helped the channels to evolve but also forced financial institutions to take accountability for the increasing frauds on them, which has built customer trust and furthered the penetration of newer modes of banking. Though financial institutions are using state-of-the-art authentication tools, frauds continue to rise, and many times only customers are on the receiving end. In response to this, all regulators have come out with strict guidelines, and failure to comply may result in penalties. For example, as per the guidelines issued by the Federal Financial Institutions Examination Council (FFIEC), US banks have had to use a multi-layered authentication system from January 2012. In another case, the Reserve Bank of India issued a guideline to capture the Internet Protocol (IP) address as an additional validation check, among others.
Conclusion

As incidents of hacking and fraud continue to rise, the role of authentication tools is more important than ever. Banks are searching for more sophisticated authentication methods, and a new ecosystem of technology, banking and telecom providers is evolving. Though the cost of implementation has remained the biggest challenge, banks have to start with small steps. The first step could be adopting a cost-effective voice-recognition system, which has proved its commercial viability. The next step could be the use of biometric authentication tools. Regulatory guidelines, customer awareness and increasing competition will not give banks any other option.