SOLUTIONS: Better methods of authentication

This article first appeared in Personal Wealth, The Edge Malaysia Weekly, on December 10, 2018 - December 16, 2018.
-A +A

Over the past year, some Malaysian banks have replaced the use of passwords with biometric solutions to bridge the gap between offering convenience and providing security for customers’ bank accounts.

However, biometric authentications currently only allow users to view their bank account balances and check the status of incoming and outgoing funds. A password is still needed for other transactions.

One organisation is trying to change that. And in doing so, provide greater protection for individuals when they perform financial transactions online.

Infinitium Group of Companies — which introduced payment technology solutions to banks, including card-not-present (CNP) transactions and one-time passwords (OTPs) — have already started pilot programmes with two Malaysian banks to enable biometric authentication for online payments.

According to Infinitium founder and CEO Ho Ching Wee, Malaysian consumers will be able to make payments using either their fingerprint, face or voice to authenticate payments beginning the first quarter of next year. “During the checkout process, users will no longer be prompted to ask for an OTP. Instead, they will receive a push notification to choose which authentication method they want — biometrics or the usual SMS OTP,” he says.

Biometrics is a better authentication method for payments as it is more convenient and secure compared with the current OTP system, says Ho. “It is able to solve several problems that the current checkout system has. For example, overseas travellers are currently not able to get their OTP if they do not turn on their data-roaming service as it is tied to their [local] SIM card.”

Biometrics will also provide users with added security, he says. OTP is vulnerable as it can be read by anyone holding the device. “If a user’s phone is stolen, the thief can easily make transactions on an e-commerce site’s mobile app and authenticate the payment. If the user enables biometrics as an authentication method, the thief stands no chance of completing the transaction, save for chopping the user’s finger off,” he adds.

Ho’s decision to introduce the solution came after seeing a massive behavioural change among consumers to mobile-based transactions from computer-based ones. As this segment values convenience and efficiency, banks stand to lose them if they do not ensure that their technology keeps up with the latest trends.

“A study has shown that 60% of millennials only use the mobile platform when buying things online. If banks keep sending OTPs via SMS, this segment of consumers will not be happy with the user experience,” says Ho.

“If they buy something using an app, they will have to wait for the OTP SMS, close the app temporarily to memorise it, then reopen the app to submit it. To this fast-paced segment, the whole process is just not efficient enough.”

While he thinks many consumers will appreciate this technology, he acknowledges that not every consumer will be willing to use it. So, Infinitium will give them the option of receiving normal OTP SMSes and disabling the biometrics authentication.

“Ultimately, we want to empower consumers to decide how they want to authenticate their payment transactions. We want to provide them with options,” says Ho.

He is positive that the technology will provide a better customer experience. However, he acknowledges that there are several challenges to its adoption. For instance, only fingerprint-authentication technology is fully mature. The rest — facial, iris and voice-authentication technologies — have not reached that stage. Also, there are external factors that may interfere with the technology’s accuracy.

“What device users have also matters. For example, if their mobile phone is the lower-end kind, the front camera may not have a high resolution. So, the facial biometric recognition may not be very accurate. We understand that during the initial adoption period, we cannot get a 100% success rate. But what we are trying to do is balance out between convenience, functionality and security,” says Ho.

To ensure the security of the biometric solutions, Infinitium complies with the standards of the Fast Identity Online (FIDO) Alliance, he says. FIDO is a consortium of the world’s leading technology companies dedicated to changing the way online authentication is done. It establishes technical standards that make interoperable mechanisms far more secure and easier to use than passwords.

Core to the FIDO approach is the use of a personal device, such as a smartphone or token that uses a set of cryptographic keys, to securely access FIDO-enabled services like Google and PayPal. The authentication data is never stored with the service, which protects users’ privacy and shields their login credentials from hackers.

“Typically, ID passwords are sent to the server for authentication. If the same thing is done to handle biometrics, the user’s credentials can be compromised, especially as they cannot change their thumbprint the way they can change their passwords. Under the FIDO Alliance’s standards, the biometric data never leaves the device — what is sent to the server is just an algorithm key,” says Ho.


How e-payments have evolved

Despite being a major player in Malaysia’s payment processing system today, Infinitium had humble beginnings. Before Ho founded the company, he majored in corporate finance at a university in the US and planned to dabble in equities and bonds when he returned to Malaysia. However, the Asian financial crisis struck just as he was about to graduate.

“In 1997, I was jobless and had too much time on my hands. I had to find something to do so I chose to do something related to the internet because that was what I liked the most during my university days. So, I started Infinitium, an internet company,” says Ho.

“At the time, our core business was helping companies go online because back then, even having an email address was a big deal. I rode the dotcom boom, helping companies create websites and build their own e-commerce platforms. Our first foray into e-payments began in 1999 with Secure Socket Layer (SSL), which provides payment services to these small merchants.”

Then, the dotcom bust happened. Ho realised that his business would not be sustainable if he kept relying on market booms. So, he thought of serving an industry that tended to have a longer shelf life — the financial sector.

“Naturally, we started talking to banks to determine how we could provide them solutions. It was not easy because the industry is highly regulated. Normally, banks do not tell you their pain points as a certain level of trust is expected. Luckily, they knew us from our previous work. So, some banks gave us the opportunity to prove ourselves,” says Ho.

Today, Infinitium is in its 21st year of operation. About 90% of its business is related to banking. The organisation serves 50 banks across the region, 15 of which are based in Malaysia. It also serves 180 million users, providing close to 12 million authentications, every month.

Infinitium’s solutions include payment gateways and fraud detection servers for enterprise merchants, Bank Payment Gateway, Recurring Payment System and 3D Integrated Mobile Secure (IMS) authentication platform for banks. It has also expanded into tokenisation solutions, business-to-business procurement and two-factor authentication (2FA) service.

“There was no authentication required for e-payments 20 years ago. If you wanted to buy something, you just entered your 16-digit card number, expiry date and three-digit card verification value (CVV) number and got charged. That is why consumers were constantly worried about their cards being stolen. If the cards were stolen, then anybody could use them. That is the reason the older generation are still scared to make online payments today. It was not as secure as it is today,” says Ho.

To combat unauthorised transactions, Visa and MasterCard created 3D Secure, a standard that assured CNP transactions online 15 years ago. At its initial stage, each user is given a static code that needs to be submitted when making payments online, effectively adding a layer of security. However, e-commerce was not as common as it is today. So, cardholders may have only performed online transactions every few months, causing them to forget their static codes.

“At the time, a lot of users had to call their banks to reset their static codes. This caused a lot of shopping cart dropouts. When we saw this problem, we came up with the IMS 2FA, which sends an OTP to users’ mobile devices,” says Ho.

“We showed it to Visa and MasterCard, which showed it to the central banks of Malaysia, Singapore and Indonesia. After a short while, the Malaysian and Singaporean central banks mandated that all e-commerce transactions had to be two-factor authenticated.”


Using intelligence for IoT transactions

Ho thinks technologies such as the Internet of Things (IoT) and artificial intelligence could help make payments even more convenient for consumers. “Today, we possess a lot of IoT-enabled devices, such as smartphones, smartwatches and smart televisions. Soon, all of your devices and appliances, such as your fridge and your speaker, can speak to each other and even do transactions on your behalf,” he says.

“For example, you watch a TV commercial and you like a particular product. Usually, you would have to go online to look for it and purchase it. Soon, you will not need to. You can simply tell the TV to make the order and pay for you. It will be able to do so, providing you with convenience like never before.”

It may sound farfetched, but players like Visa and MasterCard are already at the tail end of developing a tokenisation solution for devices to complete such transactions, says Ho. Dubbed 3D Secure 2.0, the protocol is expected to be smarter, faster and simpler to use compared with its previous versions and support all IoT-enabled devices.

Tokenisation eliminates the need for vital data, such as the card number, CVV and expiration date, in the transaction. So, the temporary token data is useless to a criminal. And as the transaction passes through multiple routes, the risk of compromise remains low.

According to Ho, this is further enhanced with fraud-detection intelligence, which is strengthened by data. Under the protocol, service providers will use contextual data to determine the transaction’s risk level. If a user buys a product from a familiar merchant with certain usual locations, such as their homes or offices, then the risk level will be very low. So, they may not need an OTP or biometric authentication for such transactions.

On the other hand, if the transaction is done with a merchant the users have never engaged with before in an unfamiliar location, then it may be a high-risk transaction that requires additional authentication. There are also behavioural factors such as the time of transaction, which affects the risk scoring done at the back-end, says Ho.

According to information provided by Visa on its website, 3D Secure 2.0 is able to reduce transaction time by 85%, allowing users to speed through checkout. Additionally, it is able to reduce cart drop-off rates by 70%. Ho says users can expect to see banks migrating to 3D Secure 2.0 as early as the third quarter of next year.