Treasury Today Country Profiles in association with Citi

Are you really who you say you are?

Business oerson in disguise, wearing a mask and stealing confidential suitcase

Criminals can quite easily assume the identities of legitimate personnel and gain access to your systems. Here’s something for treasurers that raises the bar on digital identification and authentication.

What could possibly go wrong? The rise of digital payments is almost universally celebrated. The 13th January 2018 deadline by which all EU member states will have implemented the reworked Payment Services Directive (PSD2) into their national regulations ensures a firm grip will be taken on matters of online security and customer protection. Companies will see faster payments and collections for which the working capital benefits have been made clear to all.

But all is not entirely satisfactory, says Jonathan Williams, Principal of payments, identity and fraud prevention firm, MK2 Consulting.

Where populations have shifted to largely managing financial activities online, it is becoming increasingly difficult to prove who you are. “How does an individual assert their identity without a process which creates a lot of additional friction?” he asks. “And how does a financial services provider know for sure that the authenticated individual really is who they say they are?”

Outmoded

The challenge for FIs is that they have historically had only money laundering guidelines to follow, notes Williams. These require the provision of documentation, such as a passport – these documents commonly being trusted as authentic.

But it may not be apparent to a UK bank employee checking a foreign passport that it is genuine, or indeed that it is even being presented by its legitimate owner. Where official verification documents can be forged or the real document falls into the wrong hands, the current process falls short, argues Williams. “If I’m proving my identity, how does the bank know I am the right Jonathan Williams? A document with my name on it does not necessarily have a clear relationship to the right individual. This is one of the weaknesses in the current system.”

Criminals take advantage of weaknesses. The fact that they may not have exploited this one yet is merely indicative of the fact that there are other weaknesses they find easier to exploit. The link to the cardholder in ‘card-not-present’ transactions is weak, for example. There is proof someone has possession of the card via the three-digit Card Verification Value, name and long number, but there are rarely checks to ensure this is the legitimate cardholder. Even with biometrics, which are strong authentication measures in themselves, unless the identity of the provider of biometric data is also strongly known, the authentication process is flawed.

A new way of checking

“With PSD2 acting on strong authentication and linked to identity verification, it will tighten up some of the existing security mechanisms. This will shift the focus of criminal intent to other weaknesses,” notes Williams.

Action needs to be taken to highlight these weaknesses so organisations do not put too much faith in one system. There also needs to be guidance on what measures are suitable for their specific needs.

To try to address such issues, the British Standards Institute (BSI) has been facilitating multi-agency discussions on the Publicly Available Specification (PAS) 499, Digital Identification & Authentication Code of Practice. This was in public consultation until 9th November and is now moving to the next phase.

In offering principles by which to operate, PAS 499 should be of interest to any organisation (FI or corporate) with an interest in knowing who they are dealing with. This could be when initially signing up an account and in subsequent use, suggests Williams. “It is one approach that will definitely raise the bar around digital identification and authentication.”

Treasurers, speak now…

With each financial institution choosing different technologies to use under the new payments landscape, the familiar scenario of treasurers using multiple security tokens may become more complex. As additional security information is required by FIs to fulfil their security obligations, it may even be that treasury personnel need to provide biometric data for authentication with the banks. This may be contentious, not least because recent hacks suggest systems in major organisations are still not as secure as they should be.

With banks now engaged in the understanding of technologies such as biometrics, corporate treasurers “don’t want to be on the tail-end of those lessons”, says Williams. “One of the major challenges the corporate treasurer faces is in educating their team on what will be necessary as part of the new security system,” he adds. “They want to be engaging with their banks now, to find out what technology will be used and to ensure they understand how it works so they can explain it to the business.”

PAS 499: a primer

PAS 499 provides recommendations for online transactions and services around:

  • Identity

  • Validation

  • Verification

  • Authentication

It is aimed at:

  • People and organisations creating and accessing digital accounts

  • Customers making a payment via a mobile device or other computer

  • Customers making a contactless payment using an electronic device

  • A retailer receiving such payments

  • Third-party access

  • Delegated authority

  • A bank or payment service provider administering such transactions

It will cover:

  • Privacy enhancing technologies (PET)

  • Personally identifiable information (PII)

  • Enrolment at different levels of assurance

  • Strong authentication

  • Anonymity and anti-money laundering (AML)

  • Liability

  • Device identification

  • Mutual authentication

  • Biometrics

PAS 499 will also explain practical challenges in satisfying these requirements, both now and in the future technical landscape, and offer a summary description of additional good practice that can be used in developing a compliant secure system.