With more customers shifting to digital banking, criminals are coming up with more phishing or spoofing scams. Most of the time, these scams are carried out via emails that appear to come from a legitimate source, persuading customers to click on a link or download an attachment, giving the scammers access to their password and other banking details.
According to the Anti-Phishing Working Group’s 2016 Global Phishing Survey released on June 26, there were at least 255,065 unique phishing attacks worldwide last year, a 10% increase from the 230,280 cases reported in the preceding year. Banks around the globe have been relentlessly searching for a better solution to improve the security of online banking.
“Passwords are not enough. We all know this — that’s why we use OTP (one-time passwords). But that is also easily phished, and there is no need for fancy technology to get hold of the OTP. All it takes is a simple phone call to frighten an account holder, telling him that his credit card is being used somewhere and adding some other things that would make him panic … afterwards, he would be so vulnerable that he gives out all the information,” said Maybank head of virtual banking and payments Kalyani Nair in her presentation at the BankTech Asia 2017 conference early last month.
This has led to the introduction of the dongle, a device that customers use to gain access to their accounts, apart from keying in their password. However, the device has its problems. “The dongle is a tedious process. First, we need to go to the branch to get it, then we have to keep it with us at all times. We do not necessarily do banking every day, so this doesn’t solve the problem,” says Kalyani.
To bridge the gap between providing ease of use and security, global banks are replacing the usage of passwords with biometric solutions, starting with fingerprint authentication. Since 2015, big banks such as Deutsche Bank, Santander UK plc and Bank of Scotland have been offering fingerprint authentication solutions to their customers.
In Malaysia, fingerprint authentication was introduced by Maybank in July 2015. “As soon as we enabled Touch ID, 90% of the iPhone users adopted it to check their balance. The number of log-ins immediately shot up, with those using Touch ID logging in 17 times a month whereas those who used the cumbersome alphanumeric passwords were logging in only about five times a month. The active user base also grew by 40%,” says Kalyani.
Since then, other banks such as OCBC Bank have also launched fingerprint authentication for retail customers and corporate clients to check their account balances. According to OCBC Bank (Malaysia) Bhd head of business transformation Foo Seik Chang, the solution was introduced to give customers an option to access their account information quickly and without fuss.
“Smartphones have really changed how we do everything. While computers will still be relevant, most of the activities in our daily lives will be done on mobile devices. With the proliferation of such technology that has become cheaper by the day, customer behaviour has also changed.
“The need for this innovation became clear to us as soon as we discovered from our research that checking balances ranks high on the list of things customers like to do quickly and conveniently. Today, it accounts for more than half of all online transactions. OneTouch fits seamlessly into our vision of making banking simple, fast and convenient for our customers,” says Foo.
Since it launched OneTouch in June last year, OCBC Bank has seen a take-up of 35% among all its customers who use digital banking and more than 50% among its active users. The technology is only available to customers using iPhones.
For financial institutions, one of the primary goals of digitisation is to simplify banking for the customer. In terms of password authentication, however, finding the right balance between ease of use and security has always been the biggest challenge.
Banks want to make the authentication process fast and convenient but that might compromise security. “As much as I love my security teams, I am always in this debate with them. They want to make it 120% secure, which I totally agree with, but I want the customers to have an extremely user-friendly and frictionless digital-banking experience. It is not our natural instinct to remember passwords, and we constantly have to remember different passwords,” says Kalyani. “At Maybank, we have to change our passwords every 60 to 90 days, and we can’t use the last three that we have already used. On top of that, most of us have more than one bank account and very often, the passwords are pretty similar. This is where we could be vulnerable.”
Although biometrics offer a better alternative in terms of a seamless banking experience, their security is debatable. This is why, for most banks, biometrics are used only for logging in and checking account balances. When it comes to banking transactions, biometrics should be paired with other solutions to ensure greater security, says Kalyani.
“For a robust authentication method, there are many other things that can complement biometrics, such as geolocations and checking customer behaviour. Over the last few months, a video of a twin brother who managed to trick a bank’s voice authentication method [into believing that he was the other twin brother] has [been] circulated, but this is only because it allows them [customers] to try eight times. Therefore, while there can never be a 100% security guarantee, restrictions must be put in place.
“It is a matter of layering your security levels. What we find interesting is the fact that the adoption levels for biometrics have really gone up. There will be sceptics for security reasons, but if it can give you the same level of security that passwords can give and is frictionless at the same time, why wouldn’t you use it? Passwords can be spoofed very easily, while biometrics require you to be present and there is a liveness check — you can’t use a photo or a video. This is definitely something that a generic static password can’t offer,” says Kalyani.
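To make the layering idea above concrete, here is an added example of a minimal step-up authorisation policy: it is not code from the article or from any bank mentioned in it. It treats the device biometric (with its liveness check) as sufficient only for a read-only balance query from a familiar location, requires a second factor (an app token or OTP approval) for any transaction or unusual context, and locks the biometric path after a small number of consecutive failures, which is the kind of restriction that would have stopped the repeated attempts in the twin anecdote. All class names, the attempt threshold, the amount threshold and the sample accounts are assumptions constructed for the example.

```python
"""Added illustrative example of layered, risk-based authorisation.
Not from the article; every name, threshold and sample value is constructed."""
from dataclasses import dataclass

MAX_BIOMETRIC_ATTEMPTS = 3      # assumed lockout threshold for consecutive biometric failures
LARGE_AMOUNT = 1000.0           # assumed amount above which a transfer counts as unusual


@dataclass
class Account:
    account_id: str
    home_country: str           # coarse geolocation the customer normally banks from
    failed_biometric: int = 0   # consecutive failed biometric attempts
    locked: bool = False        # biometric path disabled until the bank re-enables it


@dataclass
class Request:
    action: str                 # "balance" (read-only) or "transfer"
    biometric_ok: bool          # outcome of the device biometric + liveness check
    country: str                # coarse geolocation of this session
    amount: float = 0.0
    second_factor_ok: bool = False   # app token / OTP approval already supplied


def authorise(acct: Account, req: Request) -> str:
    """Return 'allow', 'step_up' (a second factor is required) or 'deny'."""
    if acct.locked:
        return "deny"

    # Layer 1: the biometric itself, with a retry limit so it cannot be brute-forced
    if not req.biometric_ok:
        acct.failed_biometric += 1
        if acct.failed_biometric >= MAX_BIOMETRIC_ATTEMPTS:
            acct.locked = True
        return "deny"
    acct.failed_biometric = 0   # a genuine success resets the counter

    # Layer 2: context signals (geolocation, unusual amount) complement the biometric
    unusual_context = req.country != acct.home_country or req.amount >= LARGE_AMOUNT

    # Read-only balance check from a familiar context: biometric alone is enough
    if req.action == "balance" and not unusual_context:
        return "allow"

    # Layer 3: transactions, and anything in an unusual context, need a second factor
    if req.second_factor_ok:
        return "allow"
    return "step_up"


def simulate_retry_lockout(attempts: int) -> list:
    """Replay repeated failed biometric attempts (the twin scenario) and
    return the decision for each one, ending with a genuine attempt after lockout."""
    acct = Account("constructed-acct-2", "MY")
    decisions = [authorise(acct, Request("balance", False, "MY")) for _ in range(attempts)]
    # Even a correct biometric is refused once the account is locked
    decisions.append(authorise(acct, Request("balance", True, "MY")))
    return decisions


if __name__ == "__main__":
    acct = Account("constructed-acct-1", "MY")
    print(authorise(acct, Request("balance", True, "MY")))                         # allow
    print(authorise(acct, Request("balance", True, "SG")))                         # step_up
    print(authorise(acct, Request("transfer", True, "MY", 50.0)))                  # step_up
    print(authorise(acct, Request("transfer", True, "MY", 50.0, True)))            # allow
    print(simulate_retry_lockout(MAX_BIOMETRIC_ATTEMPTS))                          # deny x3, then deny
```

The important design point is that the biometric result is never the only input to the decision: the policy combines it with a retry budget and with context, and the second factor is required for anything that moves money. Real deployments would also log each decision for monitoring and let the bank, not the customer, clear a lock.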
With biometrics, account holders do not need to memorise passwords or carry anything around apart from their mobile phone. In other parts of the world, banks not only use biometrics in the form of fingerprints, but also voice, facial and eye recognition. UK-based Atom Bank, for example, launched both facial and voice recognition solutions in 2015.
“When a customer wants to log into his account, the instruction on the app will read, ‘Head still, big smile’. This makes it such a pleasant experience for the customer. Personally, I think the only problem is that the voice recognition asks you to repeat the same phrase, ‘my identity is secure because my voice is my passport’ [every time]. This, I feel, could be a lot better if the customers are allowed to say whatever they want, and the technology is available today to make it happen,” says Kalyani.
OCBC Bank’s parent company in Singapore has also adopted voice recognition. However, this is only used for simple banking queries over the phone. While the company is looking at the possibility of facial recognition authentication, Foo says the current smartphone technology is not advanced enough to ensure an accurate and secure facility.
According to a report released by the Biometrics Research Group on March 6 this year, 700 million users globally will make annual transactions of US$750 billion by 2020, driven by improved customer experience and security provided by biometrics. Also contributing to this is the increasing number of manufacturers of biometric-enabled smartphones and lower selling prices of the devices.
Although banks are pushing for biometrics to replace the use of passwords, Kalyani says it is unlikely that the system will completely remove the use of passwords, especially as there will always be people who trust passwords more than anything else. “Just like how we still have land lines [for phones] because our parents or grandparents still use them, passwords will never go away, at least not anytime soon.”
The way forward
In Malaysia, before any transaction is done, an OTP is sent to the customer’s phone via SMS. However, the OTP can take some time to reach the customer, sometimes hours if there are technical problems.
“During the last fasting month, one of the major telcos was down for about three hours. When this happened, no OTPs could be received — we felt the pain on our end too. This is exactly the reason why we introduced Secure2U, which sends users mobile tokens via mobile app, instead of SMS, to approve transactions. That at least removes the friction that comes with SMS. If it can be completely replaced with biometrics, all this pain will be out of the window — but so far, we are still relying on SMS and token,” said Kalyani.
The token delivers verification approvals and OTPs to the digital banking app on the customer’s phone. As long as the customer has an internet connection, he can approve transactions and receive OTPs instantly.
Foo says that next year, different types of OTP that are safer and more convenient will be introduced. “The biggest beef with SMS OTP is that when people are overseas, it can get very expensive for them. For example, if you are in Singapore and you realise that you have forgotten to pay your bills, each OTP sent via SMS will cost RM1. If the OTP reaches the customer late, he might have asked for another one [in the meantime], leading him to pay more and end up not knowing which OTP to use.
“So, the banks will put in a lot of investment to overcome this problem in the near future,” adds Foo.
Very soon, Maybank will be launching biometrics for making payments. It is also planning to introduce digital ID and digital onboarding.
“Malaysia is peculiar because we need an IC (identity card) with a chip, physically insert it into a reader, and match it with our thumbprint. A lot of countries do not have this, so they can do things that are a bit more creative. How can we use biometrics to onboard full-fledged customers?
“One option is for the customers to scan their IC and take a selfie to verify, but I have got my doubts about this, since the IC can be easily photoshopped. The other option is using passports, especially now that smartphones come with near field communication (NFC) technology to read the chip on the passport. This one, I feel, could have a better use case, because we know that you are actually holding the passport instead of just scanning the info from the front page,” says Kalyani.
She adds that since the company has been keen to introduce more biometrics solutions, many financial technology (fintech) players and full-fledged vendors have given their pitches. However, each new vendor pitch introduces newer and more interesting options, so much so that the bank simply cannot keep up with the technology long enough to narrow it down to one solution.
“Technology is moving at such a fast rate that there are so many things that can be done to make onboarding and the whole customer experience a lot easier. However, the challenge is that each one of them works differently. For example, some may need to scan the whole face for facial recognition while others only take the key points of the face. It can be quite difficult for us to sit down with the security, compliance and risk teams to figure out which computation works. But we have no doubt that the technology is extremely exciting.”
Exploring the possibility of this technology is very important as the bank is acknowledging that using the branch as a channel to acquire customers is not going to be efficient anymore, says Kalyani. “Many of us do not want to come to a physical channel to start a relationship with a bank, so we can use biometrics as a method to acquire these customers and to create a delightful customer experience. I’m sure no one likes going to a bank, pressing [a button for] the queue number, and waiting to be attended to,” she says.