Interview with Xavier Larduinat from Gemalto on Seamless financial services: the challenge to deliver both security and convenience
Since the dawn of the smartphone just over 10 years ago, consumers’ approach to banking and payments has changed radically. For many, the ability to access account information or make payments via an app has become so prevalent that physically visiting a bank branch is a novelty. While specific services might still need to take place face-to-face, for most people a smartphone represents the ultimate convenience – the vast majority of the banking services they need, but in a form they can take with them anywhere they go.
The rise of “invisible security mechanisms” for banking services
Developments in technology have moved us towards invisible security mechanisms for banking services, i.e. software verifications that require no action from the end-user but instead verify the context of a given transaction to assess its risk. By analysing factors such as time, location, device type and even behavioural biometric factors such as the user’s typing pace, a score can be allocated to a given transaction. A policy manager can trigger additional authentication steps whenever that risk score is low. The benefit of such invisible contextual verification is that most users repeat the same typical sessions over and over. For such genuine usage, risk scoring can lead to fewer actions being required of the end-user.
Biometrics bring a more intuitive and comfortable user experience
We’re now entering a new phase where biometric data can be used to authenticate users, and in the process make even more aspects of banking invisible. Use of fingerprints is already commonplace, thanks to Apple, Samsung and many other smartphone manufacturers including a sensor in their devices for the past four years or more. But now other biometric authentication techniques are emerging – from facial recognition and iris scanning, through to reading the veins under your skin, or even analysing the way you walk or type. Your unique biometric data is an intrinsic part of who you are, not something you have to remember like a password. As such, using biometrics to authenticate banking activities can offer greater security while contributing to an even smoother customer experience.
Multi-factor authentication is now a mandate from regulators: PSD2 will make it mainstream in Europe in 2018
The ongoing battle against cybercrime means that simply adding biometrics to the list of possible authentication factors isn’t enough. As technology develops, cyber attackers continually devise sophisticated new methods to hack or scam banking customers. To maintain the trust of their customers, banks have to address and protect against these risks. The solution is to migrate from a single authentication factor to at least two, drawn from three main groups of authentication techniques: “What I know”, i.e. secrets or passwords; “What I have”, i.e. devices in my possession; and “What I am”, i.e. biometrics. In Europe, the forthcoming revised Payment Services Directive (PSD2) will compel banks and other financial institutions to do this.
Tackling the security vs. convenience paradox
The answer to the security vs. convenience paradox lies in combining the authentication techniques we have today with the new breed of biometric technology, and then applying advanced risk assessment and machine learning to help banks make dynamic decisions about when and how much authentication is needed. For example, sophisticated software can now create a far more realistic picture of a user’s payment behaviour and use a tailored approach to validation based on a more holistic view of fraud risk. Today, it’s quite common for banks to temporarily lock a card, or for a consumer to receive a call from their bank when an unusual transaction is detected – for example, the first purchase you make after travelling to another country.
With machine learning and biometrics, these occasions can be handled with far less disruption. If the system recognises a normal, low-value transaction (the cup of coffee you buy every morning on the way into work), contactless payment might be fine. If, however, it detects a 30% likelihood of fraud (you make a larger than usual payment to a new supplier, in a new place), it might just initiate an additional fingerprint check. If it thinks the likelihood is 60%, it might require biometrics plus a PIN, and if it is 90% it might lock the card and initiate a phone call to the fraud helpline.
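The contextual scoring described under “invisible security mechanisms” and the tiered step-up policy just outlined, combined into one small policy engine. This is an added illustration, not Gemalto’s product code: the signals, their weights, the 3x amount and 50% typing-cadence rules, and the action names are assumptions chosen to reproduce the article’s coffee, new-supplier and card-lock examples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TransactionContext:
    amount: float
    usual_amount: float          # user's typical spend with this kind of payee
    country: str
    home_country: str
    device_id: str
    known_devices: frozenset
    new_payee: bool
    typing_interval_ms: float    # observed keystroke cadence in this session
    baseline_interval_ms: float  # cadence learned from past genuine sessions

# Illustrative weights; a production system learns these from fraud data.
WEIGHT_ABROAD, WEIGHT_UNKNOWN_DEVICE = 30, 25
WEIGHT_UNUSUAL_AMOUNT, WEIGHT_TYPING_DEVIATION, WEIGHT_NEW_PAYEE = 20, 15, 10

def risk_score(ctx: TransactionContext) -> int:
    """Fraud likelihood 0-100 derived purely from context, no user action needed."""
    score = 0
    if ctx.country != ctx.home_country:
        score += WEIGHT_ABROAD
    if ctx.device_id not in ctx.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
    if ctx.amount > 3 * ctx.usual_amount:
        score += WEIGHT_UNUSUAL_AMOUNT
    # Behavioural biometric: typing cadence drifting more than 50% from baseline.
    if abs(ctx.typing_interval_ms - ctx.baseline_interval_ms) > 0.5 * ctx.baseline_interval_ms:
        score += WEIGHT_TYPING_DEVIATION
    if ctx.new_payee:
        score += WEIGHT_NEW_PAYEE
    return min(score, 100)

def step_up_action(score: int) -> str:
    """Policy manager: the 30 / 60 / 90 percent tiers quoted in the article."""
    if score >= 90:
        return "lock_card_and_call_fraud_helpline"
    if score >= 60:
        return "biometric_plus_pin"
    if score >= 30:
        return "fingerprint"
    return "contactless_ok"

KNOWN = frozenset({"phone-a1"})
# Constructed sample sessions, not real customer data.
COFFEE = TransactionContext(3.2, 3.0, "FR", "FR", "phone-a1", KNOWN, False, 180.0, 175.0)
NEW_SUPPLIER = TransactionContext(950.0, 120.0, "FR", "FR", "phone-a1", KNOWN, True, 180.0, 175.0)
HIJACKED = TransactionContext(950.0, 120.0, "BR", "FR", "phone-zz", KNOWN, True, 60.0, 175.0)
```

Running `step_up_action(risk_score(ctx))` on the three sessions yields the contactless, fingerprint and card-lock outcomes respectively; only the thresholds and weights need changing to tune the policy.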
Securing banking services must protect privacy flawlessly
The journey to completely invisible security verification for banking services will continue to improve with new contextual analysis techniques. Solutions must be scalable and ready to integrate new AI modules as they arrive, in a hub approach. Consumers will enjoy an even more seamless experience, but the industry must exercise extreme caution when working in this area. Biometric data is arguably the most personal and private data that anyone has. And unlike a password or PIN, you aren’t able to change it. If personal biometric data is compromised or lost, the impact on consumer confidence in the technology could be catastrophic. A recent study we commissioned showed that 44% of consumers would leave their bank in the event of a security breach, and 38% would switch to a competitor offering a better service. That’s why banks and other financial institutions interested in using biometric technology must work with partners who have the security and technology expertise to ensure every link in the chain is protected. If they don’t, their own customers won’t accept it, and overall confidence in biometrics could be damaged – preventing the technology from ever meeting its full potential.
The battle against cybercrime is not going to stop. Preventing customers from being exposed to cyber risk should be right at the top of banks’ agendas, along with improving the customer experience. The two are not mutually exclusive, as combining biometric techniques with machine learning shows. But the margin for error is small. Consumers will not accept their banks treating their biometric data with anything other than the utmost care and protection, so banks in turn must ensure their security strategy is robust and ready.
Continue this discussion at www.biometricscongress.org in London on 1-2 November 2017.