Oh, a storm is threat'ning
My very life today
If I don't get some shelter
Oh yeah, I'm gonna fade away
Gimme Shelter, The Rolling Stones
Gone are the days of waiting. In the digital universe, whatever you want is already there, immediately available. A generation is growing up in a world where everything – photos, flights, hotels, taxis, movies, tickets, music, books, cars, houses, finance, friends and relationships – is at the tip of your fingers, available in real-time, 24/7, wherever you happen to be.
But despite the openness of the digital generation to share personal information, they still expect the same protection of their online identity.
Unisys has monitored New Zealanders’ security concerns since 2006 and research consistently shows that – more than the threat of terrorism, health epidemics or threats to personal safety – online fraud and identity theft are still major concerns of most Kiwis, regardless of age, gender or location.
Nowhere is this more important than in banking. This is because banks and financial services businesses are looking to differentiate themselves and build loyalty by offering a seamless, convenient customer experience – an omnichannel service – where customers can undertake all their banking regardless of device or location.
But one of the biggest challenges they face is protecting customers from fraud and identity theft. And without better, more flexible protection, a storm is threatening.
Forgotten your password? Click here.
Passwords just don’t cut it. Like New Zealand, Britain is a nation under siege from passwords. A recent UK survey revealed that the average Brit now has to remember six different passwords, while a quarter have memorised more than ten. More than 70 percent of those surveyed admitted that they struggle to remember their passwords, and on average have to click ‘forgotten password’ links twice a month. The same number said they want more security but don’t want to add to the number of passwords or PINs they have to remember. Almost half say there are now simply too many passwords.
And the universal “Forgotten your password?” prompt for those suffering from password fatigue simply highlights the vulnerability of mobile phones. If a bad actor can access your phone they can easily access almost every password-secured site you visit, simply by opening your email account.
Do biometrics offer an acceptable alternative? New Zealanders regard them as appropriate for use in certain scenarios, among them banking. In 2010, the Unisys Security Index found that New Zealanders are discerning about the circumstances in which they feel biometrics are appropriate and the sorts of organisations they are happy to have using them.
The majority of Kiwis surveyed supported the use of biometrics to access bank accounts (66 percent), health records (58 percent), welfare payment information (55 percent) and to complete or submit tax returns (53 percent). They were less supportive of using them to pay utility bills (36 percent), use public transport (21 percent) or enrol in an education class (27 percent).
And the organisations they support are primarily government organisations and banks, rather than other commercial organisations. Standout organisations that Kiwis supported using biometric information to prove their identity included the Ministry of Health (73 percent), banks (67 percent) and Inland Revenue (58 percent).
Banking gets a thumbs up on biometrics.
Calling all fingerprints
With mobile devices offering universal fingerprint recognition, there would seem to be an obvious solution. A number of banks, including Westpac, St George and Suncorp across the ditch, are starting to offer customers the ability to manage their finances on the move, using fingerprint login instead of a passcode. Not only is this hugely convenient for customers, who don’t need to carry around their ‘number generator’ keypads, passwords or PINs, it’s also a more secure way of ensuring that the person is who they say they are.
But is it secure? There are flaws to using fingerprints to secure mobile devices which may concern banking customers. Search YouTube for “fake fingerprints iPhone” and you’ll find numerous workarounds, including using graphite-enhanced moulds and even Gummy Bear sweets to replicate fingerprints and fool mobile phone security. While it’s difficult to imagine how a real fraudster could take advantage of this, it nevertheless represents a real vulnerability.
In other words, single-factor biometric authentication isn’t reliable. In fact, it carries an additional threat. If your phone should get compromised, or your account gets hacked, you can quickly change your password to prevent fraud. But you can’t change your fingerprint. So does that mean you need to buy a new phone and start the process again? Or wipe your phone of all its data? Fingerprint banking loses some of its allure.
A more secure solution would involve using a second biometric authentication factor. Unisys’ biometric data management solutions already support multiple types of biometric data including behavioural, fingerprint, iris and vascular recognition.
We are working with Nationwide Building Society in the UK on prototypes for using behavioural biometric technology to identify mobile banking customers more securely, help prevent fraud and improve the user experience in the future.
To develop this, Unisys has partnered with BehavioSec, whose behavioural biometrics solution analyses customers’ smartphone or tablet usage to form uniquely identifiable behavioural profiles based on traits including the force with which users hit a key, the angle they use to swipe a touchscreen, or their typing speed.
When combined with other methods of authentication, such as passwords or PIN codes, the customers’ behavioural biometric profile provides an additional level of security based on the natural interaction with their smartphone or tablet. This offers financial institutions the potential to provide a frictionless customer experience and a more secure service without asking customers to remember or input any additional information. And when that happens, secure, frictionless transactions are all “just a click away”.
Eric Crabtree is vice president and global head, financial services, at Unisys.