Finance Monthly: When The Infallible Becomes Fallible: Keeping Customer Payment Information Safe
As payment methods become more seamless to cater for consumers who demand a quick and easy user experience, concerns around the protection of payment details have been mounting. Here Finance Monthly hears from James Romer, EMEA Security Architect for SecureAuth, on the ins and outs of customer payment information, how it is controlled and the potential of multi-factor authentication.
In light of recent data breaches, consumer trust in the ability of businesses to keep their data safe is at a low. Despite being well established and in use for decades, authentication techniques such as username and password for online payment portals have been failing consumers and financial institutions for years: they are simply no longer enough to defend against bad actors. It is clear that more advanced authentication techniques are needed to keep our finances and data secure.
Why two-factor authentication isn’t enough
To defend against increasingly sophisticated attacks on financial services, a comprehensive and intelligent approach is needed: one that focuses on where most breaches occur, the identity layer, and combines multiple authentication techniques without hindering the user. Multi-factor authentication (MFA) combines two or more independent factor types: 'something you are' (for example, a facial scan or fingerprint), 'something you have' (such as a bank card or a registered device) and 'something you know' (a passphrase, password or PIN). Two credentials of the same type, such as a password plus a security question, do not count as two factors. The approach argued for here draws on all three types, together with risk analysis, and can improve identity security both during the payment transaction itself and when the customer is accessing a payment portal.
To improve the security of online transactions, two-factor authentication (2FA) was introduced to bolster the traditional username and password. It adds a second verification step, such as a knowledge-based question about information unique to the individual, a physical token, or a one-time passcode sent by SMS (SMS OTP). While 2FA was a step in the right direction and might deflect an opportunistic attacker, against a motivated one it is no longer enough, at least in the forms most commonly deployed. Phone-based codes and knowledge-based questions can be defeated by a determined attacker, as seen in the 2018 Reddit breach, where attackers got past employees' SMS second factors by intercepting the messages. Given this weakness, together with the friction and delays that often accompany 2FA, financial organisations need to rethink their security strategy.
Applications in the financial industry
MFA can transform both payment transactions and the customer experience of accessing financial information, helping to protect against fraud while at the same time improving usability for the consumer. Done well, the user experience is close to seamless, which makes a strong case for moving beyond password-plus-SMS 2FA for good. Take a contactless transaction with a biometric payment card: the end user simply presents the card while holding an enrolled finger over the fingerprint reader embedded in it. The fingerprint is matched on the card itself against a template enrolled earlier, so the template never leaves the card and is not sent to the terminal or the issuer. If the fingerprint matches, the transaction is approved; if the read or the match fails, an additional challenge (for example a PIN) can be offered.
But this is not limited to cards. When a customer accesses an online payment portal, adequately authenticating the user is critical to protecting sensitive data. Although customers are accustomed to (and often reassured by) lengthy authentication processes, fewer steps greatly improve the quality and ease of the interaction. Forward-thinking organisations understand this and implement modern techniques such as adaptive authentication, which can improve security and user experience at the same time. These techniques run in the background and assess the context of each login attempt, considering signals such as location, the device used and the IP address, and only interrupt the user when that context looks risky. The signals are risk indicators rather than authentication factors in their own right: an attacker can route traffic through a proxy or replay a recorded device fingerprint, so a low risk score should be used to relax friction, never to replace the credential check entirely.
For example, SecureAuth worked with a large UK-based financial services enterprise to secure its customer portals. The company recognised that its business model depended largely on repeat custom, so it prioritised customer retention through a personalised portal. Following detailed research into the stated preferences of its own customer base, the organisation was able to offer authentication that adapted to the user's needs and preferences, for instance by using demographic information to select the most appropriate authentication method. In addition, repeat users enjoyed a frictionless experience without repeated access requests, as authentication was only required at the transaction phase rather than on every visit. This greatly reduced the number of times credentials were requested and improved the overall user experience, showing that with modern authentication approaches increased security does not have to come at the expense of usability.
Protection of the authentication process in the financial industry is essential, as no single authentication technique is beyond the reach of malicious actors; it is only a matter of time before any traditional method is circumvented. True identity security must rely on multiple factors combined with risk analysis. By implementing adaptive methods that flex according to the assessed risk, organisations can allow access, deny it, or step authentication up or down at the authentication stage. Even if a malicious actor obtains one element of the user's profile, such as a password or biometric information, the other factors and the risk signals still have to line up before access is granted. In this way, payment and personal information can be protected and consumer trust maintained.
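As an added example (not SecureAuth's code and not part of the original article), the following Python sketches the adaptive decision described in the two passages above: each portal login or transaction attempt is scored on the signals the article names (device, IP address, location), extended here with the time since the last successful login so that location can be turned into an impossible-travel check, and the score maps to step-down, allow, step-up or deny. The signal weights, the thresholds, the 900 km/h travel cut-off, the 50 km geolocation tolerance, the TEST-NET address ranges standing in for an IP reputation feed, and the sample user profile and attempts are all constructed assumptions for illustration.

```python
# Added example of a risk-based adaptive authentication policy, written for this
# article. It is illustrative and is not SecureAuth's product logic. All weights,
# thresholds, address lists and sample data below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed cut-off: roughly airliner speed
GEO_TOLERANCE_KM = 50.0           # assumed slack for geo-IP inaccuracy
BAD_IP_PREFIXES = ("203.0.113.",) # TEST-NET-3, standing in for a reputation feed


@dataclass
class UserProfile:
    known_devices: frozenset
    last_lat: Optional[float] = None   # location of the last successful login
    last_lon: Optional[float] = None
    last_seen: Optional[datetime] = None


@dataclass
class Attempt:
    device_id: str
    ip: str
    lat: float
    lon: float
    at: datetime
    action: str = "portal_login"       # "portal_login" or "transaction"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, used for the impossible-travel check."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_attempt(attempt, profile):
    """Return (risk_score, reasons). A higher score means more friction for the user."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if attempt.ip.startswith(BAD_IP_PREFIXES):
        score += 40
        reasons.append("bad ip reputation")
    if profile.last_seen is not None and profile.last_lat is not None:
        hours = (attempt.at - profile.last_seen).total_seconds() / 3600
        km = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
        # Only a move beyond geo-IP noise counts; a zero or negative gap is then impossible too.
        if km > GEO_TOLERANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 50
            reasons.append("impossible travel")
    if attempt.action == "transaction":
        score += 20                   # a transaction is always worth a credential prompt
        reasons.append("transaction")
    return score, reasons


def decide(score):
    """Map a risk score to the four outcomes the article describes."""
    if score >= 70:
        return "deny"
    if score >= 40:
        return "step_up"              # primary credential plus an additional factor
    if score >= 10:
        return "allow"                # primary credential only
    return "step_down"                # trusted context: no re-prompt within the session


def evaluate(attempt, profile):
    score, reasons = score_attempt(attempt, profile)
    return decide(score), score, reasons


# Constructed sample data: a user last seen in London on a known laptop.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
T0 = datetime(2018, 9, 3, 9, 0)
PROFILE = UserProfile(known_devices=frozenset({"dev-laptop-01"}),
                      last_lat=LONDON[0], last_lon=LONDON[1], last_seen=T0)
SAMPLE_ATTEMPTS = {
    "repeat_portal_visit": Attempt("dev-laptop-01", "198.51.100.7", *LONDON, T0 + timedelta(minutes=30)),
    "transaction_known_device": Attempt("dev-laptop-01", "198.51.100.7", *LONDON,
                                        T0 + timedelta(minutes=30), action="transaction"),
    "new_phone_enrolment": Attempt("dev-phone-77", "198.51.100.7", *LONDON, T0 + timedelta(hours=2)),
    "impossible_travel": Attempt("dev-laptop-01", "198.51.100.7", *NEW_YORK, T0 + timedelta(hours=1)),
    "proxy_and_new_device": Attempt("dev-unknown", "203.0.113.9", *NEW_YORK, T0 + timedelta(days=3)),
}


def run_samples():
    """Decision for each constructed scenario, keyed by scenario name."""
    return {name: evaluate(a, PROFILE)[0] for name, a in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, attempt in SAMPLE_ATTEMPTS.items():
        print(name, evaluate(attempt, PROFILE))
```

The step-down outcome is what the portal case study relies on: a repeat visit from a known device in a plausible location is let through without a credential prompt, while a transaction from the same session still asks for one. Note that the decision only chooses how much friction to apply; the credential check itself, and the second factor on step-up, still run as usual.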