Security controls are an everyday fact in all corporate banking activities. Indeed, identification and authentication are now expected components of doing business across all channels of interaction. And yet financial crime still happens.
For Jonathan Williams, Principal of Mk2 Consulting, a payments, identity and fraud prevention firm, the simple explanation is that criminals are very good at looking for loopholes in the way systems are configured, and they understand how to exploit people as the weakest link in the security chain.
The shift to e-commerce and immediate payments systems has increased the strike-power of criminals. Fortunately, the European Union, as part of its PSD2 deliberations in 2012, responded to the need to tighten up security. This aligned with work commencing at roughly the same time in the card space that looked at 3-D Secure authentication for e-commerce. But whereas fraud prevention in the card space has improved over the past decade, criminals, seeing a more secure card space, started shifting their attention elsewhere, says Williams.
The targeting of corporate payments, ERP and TMS (enterprise resource planning and treasury management) systems and even treasury personnel is now a real threat. Attacks of this nature have grown over the past few years since Condé Nast was defrauded of around US$8m back in 2010 through social engineering (although this wasn’t an authentication failure per se but a failure to identify the supplier, or rather, the fraudster).
Identity and authentication processes try to ascertain who a business is really dealing with. In the treasury space, many treasurers use security devices to log on to each of their banks. Although these have proven fairly secure over the years, they have failed to enhance the user experience; any multi-banking treasurer knows all too well about the desk full of tokens. It’s been a great driver to move to the inherently secure SWIFT network, says Williams, but he accepts that not every treasurer has this option.
It is personal
The challenge remains to deliver the best experience for treasurers accessing their accounts, either online or on the phone. Some systems are secure enough, for now, but the highly motivated criminal makes success a moving feast, says Williams. “Authentication is trying to keep up, and we are seeing more processes geared specifically to the payment-service user,” he notes.
In making it personal, the industry is trying to create the same level of trust across electronic channels that existed naturally when people used to present in-the-flesh at the bank to conduct business. To reach that level of trust, authentication is moving towards the combined use of several factors which are demonstrably independent of each other.
These include three primary categories: knowledge factors such as passwords; possession factors such as one-time passwords or authentication tokens; and inherence factors such as biometrics. For business transactions in particular, biometrics are increasingly being adopted to authenticate the individual, alongside at least one of the other two factors. This is a notion referred to as multi-factor authentication.
With the advent of more automation in bank/corporate interactions, between ERPs/TMSs and banking systems, authentication of systems rather than individuals becomes essential. Herein lies another challenge, because currently legislation implies someone has to approve an automated transaction unless otherwise exempted.
In changing a bank mandate or adding new signatories, the bank still needs to know it is the corporate treasurer, or another authorised individual, actioning that. Biometrics is currently the best way to provide that confidence. Access to the right knowledge and possession factors does not in itself offer conclusive identification; these could have been acquired by foul means.
Biometrics as part of multi-factor authentication processes work well. A treasurer using a mobile device to access a payments system may therefore use the device’s identity (and its registration to the individual), the fact that the right password or one-time code is being used, and that the individual can offer up a correct biometric identity (a fingerprint, facial recognition, an iris scan or even how the phone is held).
Whilst the combination of these factors can deliver a higher degree of confidence that the individual is the real customer, it becomes more challenging when an extended sign-in process is demanded, such as where multiple signatories are required to make payments over a certain threshold.
Here, the principle underpinning success requires an understanding of who needs to be involved in the transaction, what level of confidence is needed in the identity of each individual to authorise the transaction, and what means each has at their disposal to prove it really is them, notes Williams.
And one caveat for biometrics, he notes, is the quality of the technology used to read biometric data; not all sensors are the same. Technology is progressing rapidly, but every innovation only reveals its true strengths and weaknesses once it is deployed to a mass market. This puts pressure on the development process.
“Banks are now in a situation where they feel forced to use biometrics – and they do want to use it from a customer experience point of view – but they remain wary of putting all of their security ‘eggs’ in one basket,” he comments.
Instead, they are rightly considering which security factors, including biometrics, best support their own and their customers’ needs. Given that real evidence of a technology’s strengths and weaknesses only comes from mass-market adoption, banks and other FIs will need to be agile and flexible in their development programmes. They will also need to learn from real-world feedback as quickly as they can, because criminals will constantly be trying to undermine them.
BSI PAS 499: a joined-up approach
The range of different approaches to security suggests a lack of coherence across the financial sector. Understandably, each organisation bases its response on its own risk appetite and assessment of which solutions work best; this is likely to continue. The area where a more standard approach is desirable is around the documentation of authentication processes and procedures.
Launched in July 2019, the British Standards Institution (BSI)’s Publicly Available Specification (PAS) 499, Digital Identification & Authentication Code of Practice (of which Williams was one of two authors), builds a risk model around authentication, addressing the elements that should be considered when trying to ascertain identity with the right level of confidence.
In essence, PAS 499 provides standardised recommendations and principles for security in online transactions and services. It covers identity, validation, verification and authentication. “Even where procedures and processes are different in each payment provider, PAS 499 offers a system of documenting them in the same way,” he notes.
Mindful that these organisations face the same sorts of challenges, and are therefore likely to come up with similar, if not the same, solutions, this set of guiding principles around factors such as strong authentication, anti-money laundering and biometrics means the whole industry can begin moving in the same direction.
If implemented widely, PAS 499 at least gives regulators a level of confidence that participating FIs are taking the same security steps for each customer base, from consumer to corporate. It may even usher in the more collaborative approach that could ultimately offer multi-banking treasurers an easier time as they access their different platforms.
Whilst there are many steps that can be taken to try to correctly identify an individual, confidence in the systems being used remains a potential issue in that it’s not possible to know with complete certainty that, for example, the mobile being used to transact has not been corrupted in some way.
“What we can aim for is making sure that the confidence of authentication matches the confidence needed for the transaction,” suggests Williams. “Doing so at least enables industry in general to reduce fraud levels. But I don’t think we are ever going to reduce them to zero, or ever know with absolute certainty that every individual is who they say they are.”
Indeed, there is always a theoretical chance that even if ten security factors are used, all of them have been compromised. Of course, the more factors that are used, the more obstacles are put in the way of the criminals, lowering the risk of fraud. But some of the more advanced technologies available also make it possible to detect fraud and financial crime before they have happened.
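The factor categories described earlier, the multiple-signatory threshold, and Williams’s point that the confidence of authentication should match the confidence the transaction needs, as an added worked example (my own illustration, not code from the article, Mk2 Consulting or PAS 499). The tier amounts, approver counts and the "level = number of independent categories" scale are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three primary categories named in the article."""
    KNOWLEDGE = "knowledge"      # password, PIN
    POSSESSION = "possession"    # registered device, OTP token
    INHERENCE = "inherence"      # fingerprint, face, iris


@dataclass(frozen=True)
class Evidence:
    """What one individual presented during sign-in."""
    user: str
    factors: frozenset  # set of Factor values actually presented


def assurance_level(ev: Evidence) -> int:
    """Count distinct categories only: a password plus a memorable word is still
    level 1, because two knowledge factors are not independent of each other."""
    return len({f for f in ev.factors if isinstance(f, Factor)})


# Constructed policy tiers (assumption): (amount_ceiling, approvers_required,
# min_level_per_approver). Amounts at or below a ceiling fall into that tier.
TIERS = [
    (1_000.0, 1, 2),        # low value: one approver, any two categories
    (50_000.0, 2, 2),       # mid value: two distinct approvers at level 2
    (float("inf"), 2, 3),   # high value: two approvers, all three categories
]


def tier_for(amount: float) -> tuple:
    """Return (approvers_required, min_level) for a transaction amount."""
    for ceiling, approvers, level in TIERS:
        if amount <= ceiling:
            return approvers, level
    raise ValueError("no tier covers amount")  # unreachable: last tier is open-ended


def authorise(amount: float, approvals: list) -> tuple:
    """Return (decision, reason). approvals holds Evidence from the individuals
    who signed off; the same person presenting twice still counts once."""
    needed, min_level = tier_for(amount)
    qualifying = {e.user for e in approvals if assurance_level(e) >= min_level}
    if len(qualifying) < needed:
        return False, f"need {needed} approver(s) at level {min_level}, got {len(qualifying)}"
    return True, f"{len(qualifying)} approver(s) met level {min_level}"
```

The policy only decides whether the presented evidence is strong enough for the amount; it says nothing about whether the device or sensor that produced a factor can itself be trusted, which is the residual uncertainty Williams describes.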