The way we interact with service providers – whether travel organisations, music suppliers or retailers – has changed to be almost unrecognisable from five years ago. From Uber to Spotify to Airbnb, digital disruptors have shaken up the status quo, breaking traditional business models to respond to a consumer that is online, globally connected, and mobile. The heavily regulated financial services sector, under intense scrutiny following the 2008 crisis, remained immune to this disruption for longer than other industries. However, new entrants are now driving innovation in this sector, forcing banks to keep up with an extraordinary pace of change.
The explosion in mobile device ownership and subsequent introduction of mobile payments is just one example of where retail banks are being forced to adopt a never-before-seen level of agility to react to – and secure – new channels and business models.
Digital banking fraud is a major headache for banks. According to Financial Fraud Action UK, online fraud exploded in 2014, resulting in £60.4 million in losses – a 48% increase on the previous year. This increase has been driven by a change in attack methods, with criminals taking advantage of the new reliance on remote authentication to hijack and misappropriate user credentials.
New channels, new risk
This includes the use of phishing and social engineering scams, in combination with more sophisticated online attacks. The Financial Ombudsman Service recently highlighted that people aged over fifty-five could be four times more likely than the general population to become victims of a telephone scam where fraudsters pose as a bank or the police – an unsurprising statistic, since the modus operandi of criminals has always been to identify and exploit potential weakness in the system.
A lock and key is no good for protecting digital assets, and we are regularly forced to put our trust in people and systems without being able to see them face to face to verify their identity.
This type of scam will be a problem for as long as user authentication relies solely on ‘something you know’ – such as a password, which can easily be found out by another user. Authentication schemes such as the fingerprint go one step further, asking the user to prove that they are who they say they are with this physical biometric. These are generally used in conjunction with a password, in a layered approach to security. Since virtually every authentication technique can be compromised, we can no longer rely solely on any single control for authorising high-risk activity.
Sign here please… with your behaviour
This type of additional authentication factor is high in consumer awareness at the moment, thanks in part to tech giants such as Apple, and banks such as Barclays, embracing finger scanners for customer authentication. A technology that does not hit the headlines so frequently is behavioural biometrics. This moves beyond authentication at point of entry, to assess that the user is who they claim to be throughout the entire session.
Rather than simply measuring what information you enter, machine learning algorithms build up a unique profile of how the user interacts with the device. This covers information such as their typing speed, the angle they tend to use to swipe the touchscreen, or the force with which they hit a key.
Crucially, in a world where customer convenience is king, this method does not ask for any additional information from the user to disrupt their experience, but makes the most of the data that is created as a natural by-product of whatever it is the user is trying to achieve. With this technology in place, it is not enough for a would-be fraudster to have a username and password; they will soon be exposed when their behaviour is flagged as an anomaly against previous user behaviour patterns.
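The comparison against previous behaviour patterns described above, as an added example that is not part of the original article: a stored profile of typing rhythm and swipe angle is used to score two logins that both presented the correct password. It substitutes a per-feature z-score for the machine learning algorithms the article mentions; the feature names, sample timings and threshold are assumptions constructed for illustration.

```python
import statistics
from math import sqrt

def features(events, swipe_angles):
    """Reduce one session to averages of hold time, flight time and swipe angle.
    events: (key_down_ms, key_up_ms) per keystroke, in typing order."""
    holds = [up - down for down, up in events]
    flights = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return {"hold_ms": statistics.mean(holds),
            "flight_ms": statistics.mean(flights),
            "swipe_deg": statistics.mean(swipe_angles)}

def build_profile(sessions):
    """Per-feature mean and standard deviation over the enrolment sessions."""
    profile = {}
    for name in sessions[0]:
        values = [s[name] for s in sessions]
        # Floor the deviation so a very consistent user does not make
        # every small variation look anomalous.
        profile[name] = (statistics.mean(values), max(statistics.stdev(values), 1.0))
    return profile

def anomaly_score(profile, session):
    """Root-mean-square z-score of one session against the stored profile."""
    z2 = [((session[n] - mu) / sd) ** 2 for n, (mu, sd) in profile.items()]
    return sqrt(sum(z2) / len(z2))

def is_anomalous(profile, session, threshold=3.0):  # threshold is an assumption
    return anomaly_score(profile, session) > threshold

def constructed_session(hold, flight, angle, keys=8):
    """Constructed sample input: evenly timed keystrokes plus three swipes."""
    events, t = [], 0
    for _ in range(keys):
        events.append((t, t + hold))
        t += hold + flight
    return features(events, [angle - 2, angle, angle + 2])

# Constructed data: five enrolment sessions, then two logins that both
# presented the correct password.
PROFILE = build_profile([constructed_session(h, f, a) for h, f, a in
                         [(95, 140, 31), (100, 150, 29), (105, 145, 30),
                          (98, 155, 32), (102, 160, 28)]])
GENUINE = constructed_session(101, 148, 30)
IMPOSTOR = constructed_session(60, 260, 75)

if __name__ == "__main__":
    for label, s in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, round(anomaly_score(PROFILE, s), 2), is_anomalous(PROFILE, s))
```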
A glimpse of the future
With the rise in smartphone usage for banking, the potential for behavioural biometrics in the future of IT security becomes even more interesting. The numerous sensors on these devices, such as the gyroscope and accelerometer, not to mention app downloads and usage (which give each phone a unique ‘fingerprint’), provide a continuous flow of rich data that is ideally suited to this technique.
Transparent security that runs on the rails of existing technology will form the backbone of the next generation of security, as digital service providers fight to balance security with usability. It’s an exciting and significant shift, whereby the user becomes part of the security solution, rather than the problem.