With cyber-crime on the rise, and the implementation deadline under PSD2 for Strong Customer Authentication (SCA) in online payments coming up fast, banks and payment service providers are coming up with some innovative solutions. flow reports on what this means in practice.
The rise of digitalisation has brought many benefits – making banking processes faster, more transparent and more efficient. More disturbing, however, is the rise in cases of cyber fraud. As virtual identities have taken on increasing value to people and their businesses, they have become natural targets for criminals – contributing to a growing need to manage the security of online accounts and combat identity theft.
Public awareness of these dangers skyrocketed in 2016, when Yahoo announced that all 3 billion of its user accounts had been hacked during a previous cyber-attack. In 2017, the business-to-business sector felt the effects of this when Maersk, the world’s largest container shipping company, was infected by the NotPetya virus – bringing its container ships to a halt at sea, culling all activity at 76 ports around the world, and incurring over US$300m in loss of revenue and recovery costs. More recently, international hotel chain Marriott was alerted in September 2018 to the fact that a massive data breach, affecting as many as 500 million customers, had been ongoing since 2014.
In view of this, banks are taking steps to implement new and more robust protective measures – keeping staff alert to suspicious transactions and requiring multiple steps of authentication for users to gain access to their accounts.
There are many measures that banks and their clients can take to minimise the risks. Both parties, for instance, must ensure that their teams are trained to spot suspicious behaviour on accounts and within teams. Robust processes must be combined with regular training and practice to keep employees switched on to the dangers and up to date with the latest hacking techniques. On top of this, some employers also call upon additional solutions to drive greater employee engagement and limit the impact on day-to-day business. For example, one of the more straightforward strategies we have heard of is to distribute mock phishing emails to members of staff, where employees who are taken in are immediately redirected to an online cybersecurity course. An example of an employee information site explaining the dangers and remedies can be found at ‘Cyber security – you are the target!’. Another useful resource is Janine Durbin’s ‘practical approach to cyber security management’.
Further technological safeguards are also essential for any robust cybersecurity plan. In line with this, we have seen the rise of “strong” means of authentication. Monetary Authority of Singapore guidelines specify two-factor authentication (2FA) for logging into all online financial systems, and the Americas have also embraced the concept of “multiple-factor authentication”. In Europe, ‘Strong Customer Authentication’ (SCA) was included as a requirement in the revolutionary Payment Services Directive 2 (PSD2), which was passed in November 2016 by the European Union and comes into force on 14 September 2019.
In each jurisdiction, the concept is the same. Strong customer authentication must rely on two or more elements of the following three categories:
- Knowledge: something only the user knows (such as a password or PIN),
- Possession: something only the user holds (a security token, for example), and
- Inherence: something the user is (biometric data, such as a fingerprint or behaviour)
By requiring multiple means of authentication at any given time, banks make it far harder for would-be criminals to amass the necessary credentials to break into an account – thereby reducing the risk of cyber fraud. Even if someone were to get hold of a client’s primary password, for instance, the attacker would still not be able to access the account unless they also had a secondary means of authentication.
Additional layers can be added for further security. PSD2, for instance, necessitates “dynamic linking”, whereby payment authorisation entails entering details of the payment itself. Asian regulations already have a similar requirement, known as ‘You Sign What You See’.
Furthermore, increasing focus is being placed on fraud monitoring techniques, which can spot the irregular use of a user’s credentials or anomalies in a user’s spending pattern. These can be used as the last line of defence prior to a payment being executed. For example, a user suddenly making a payment from a different mobile device and/or geographical location will raise the risk profile of that particular payment in accordance with PSD2 requirements. Payment providers may deal with this by triggering ‘step-up authentication’ – a concept where further identity checks are requested from the client to confirm the validity of a payment.
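The three mechanisms described above (two or more factor categories, dynamic linking of the authorisation code to the payment details, and risk-based step-up) fit together in one small flow. The following is an added illustration, not code from the article, from Deutsche Bank or from any bank’s authenticator app. All keys, account numbers, the enrolment record, the risk rules and the step-up threshold are constructed for the example; the dynamic linking is shown as an HMAC over the payee, amount and a per-attempt nonce, which is one common way to bind a code to what the user saw.

```python
import hashlib
import hmac
from dataclasses import dataclass

# All values below are constructed for the example; they are not real keys, accounts or bank data.
DEVICE_SECRET = b"constructed-device-secret-provisioned-at-enrolment"  # possession factor, lives on the registered phone
KNOWN_DEVICES = {"alice": {"device_id": "phone-A1", "country": "DE"}}  # hypothetical enrolment record
STEP_UP_THRESHOLD = 2   # hypothetical risk score at which further identity checks are requested


@dataclass(frozen=True)
class Payment:
    payee_iban: str
    amount_cents: int
    currency: str


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str
    country: str


def factor_categories(evidence: dict) -> set:
    """Map the checks a client passed to the three SCA categories.
    SCA needs at least two distinct categories, not two checks of the same kind."""
    categories = set()
    if evidence.get("pin_ok"):
        categories.add("knowledge")
    if evidence.get("device_ok"):
        categories.add("possession")
    if evidence.get("biometric_ok"):
        categories.add("inherence")
    return categories


def is_strong(evidence: dict) -> bool:
    return len(factor_categories(evidence)) >= 2


def linking_message(payment: Payment, nonce: str) -> bytes:
    # Dynamic linking: the signed message carries the payee and amount the user actually saw.
    return f"{payment.payee_iban}|{payment.amount_cents}|{payment.currency}|{nonce}".encode()


def generate_auth_code(device_secret: bytes, payment: Payment, nonce: str) -> str:
    """Authorisation code computed on the registered device; valid only for this exact payment."""
    digest = hmac.new(device_secret, linking_message(payment, nonce), hashlib.sha256).hexdigest()
    return digest[:16]


def verify_auth_code(device_secret: bytes, payment: Payment, nonce: str, code: str) -> bool:
    expected = generate_auth_code(device_secret, payment, nonce)
    return hmac.compare_digest(expected, code)  # constant-time comparison


def risk_score(session: Session, payment: Payment) -> int:
    """Transaction risk analysis: an unfamiliar device or location raises the score."""
    known = KNOWN_DEVICES.get(session.user, {})
    score = 0
    if session.device_id != known.get("device_id"):
        score += 2
    if session.country != known.get("country"):
        score += 2
    if payment.amount_cents >= 1_000_000:  # hypothetical large-amount rule
        score += 1
    return score


def authorise_payment(session: Session, payment: Payment, evidence: dict, nonce: str, code: str) -> str:
    """Returns 'approved', 'step_up' or 'rejected'."""
    if not is_strong(evidence):
        return "rejected"            # fewer than two SCA categories presented
    if not verify_auth_code(DEVICE_SECRET, payment, nonce, code):
        return "rejected"            # payee or amount differs from what was signed
    if risk_score(session, payment) >= STEP_UP_THRESHOLD and "inherence" not in factor_categories(evidence):
        return "step_up"             # request a further identity check before executing
    return "approved"


if __name__ == "__main__":
    pay = Payment("DE00000000000000000000", 25_000, "EUR")   # constructed payment
    nonce = "server-nonce-0001"                               # per-attempt value issued by the bank
    code = generate_auth_code(DEVICE_SECRET, pay, nonce)
    usual = Session("alice", "phone-A1", "DE")
    print(authorise_payment(usual, pay, {"pin_ok": True, "device_ok": True}, nonce, code))
```

The point to notice is the second rejection path: a code generated for a 250.00 EUR payment does not verify for a 25,000.00 EUR payment to the same payee, which is what dynamic linking (or ‘You Sign What You See’) buys over a plain one-time password. The step-up branch only fires for sessions whose risk score crosses the threshold and which have not already presented a third category.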
Two steps forward
Corporate treasurers are rapidly adopting best cyber security practices such as setting up a dedicated computer that is used only for fund transfers and no other purpose, ensuring laptops and mobile devices have encryption, and that reconciliation is automated so that problems come to light immediately.
Nicole Pfeiffer, Head of Corporate Treasury Processing & Regulatory Reporting at Deutsche Lufthansa AG tells flow, “We are increasingly conscious of the growing danger posed by cyber-criminals and are taking a number of measures to counter the threat.” Like many treasurers, she turns to her relationship bank to help combat financial crime, and 2FA is an important protective measure.
“Two-factor authentication is an important step that Deutsche Bank can take to help us combat financial fraud – and if they can do it in a way that is convenient as well as effective, then all the better,” concludes Pfeiffer.
DB Secure Authenticator (DBSA)
Deutsche Bank is one of a number of banks and payment service and technology providers that have responded with a secure authentication service. DB Secure Authenticator (DBSA) is a new app available on iOS and Android allowing users of its Global Transaction Banking online systems (such as the Autobahn App Market) to perform secure logins and transaction authorisations. The Bank’s Secure Authenticator app also supports biometrics thereby making full use of the options available under the Payment Service Directive 2.
Clients can use either their fingerprint or face recognition, depending on the capabilities of the user’s mobile phone, to authorise payments, tightening security and improving the day-to-day user experience at the same time.
Mobile compatibility also means security updates can be pushed directly and immediately to the client’s end points. It also provides environmental benefits by eliminating the need for hardware tokens.