Biometric Bank Buffers, For All

Payments Year Of Mobile Biometrics

Biometrics are increasingly giving little-loved usernames and passwords the boot, and for good reason – they’re less vulnerable to security breaches. For the latest Digital Identity Tracker™, PYMNTS caught up with USAA Bank’s Chief Security Officer, Gary McAlum, about the latest biometric security technology and why it’s critical for the financial services industry to share solutions. Find that, along with the latest news and rankings for more than 100 of the top players in the space, inside the latest Tracker.

These days, consumers can be forgiven if they feel like James Bond or some other gadget-equipped super agent. Security technology once reserved only for the stuff of spy thrillers, like fingerprint and retina scanning and other biometrics, are now widely available.

While it may sound like something out of a paperback novel, consumers interact with the tech on a daily or even hourly basis. Many smartphone users go through biometric authentication processes every time they unlock their phone using a fingerprint, and many secure applications, including banking and other financial services applications, are allowing users to log into their accounts using a fingerprint or eye scan or other biometric indicators.

These biometric features are particularly popular with consumers, with 52 percent of consumers telling researchers that they prefer to log into accounts using these modern authentication methods. But banks and financial institutions are fans of biometrics as well, because the technology is considered far more secure than the existing standard of username and password credentials. The American Banking Association reported in December 2016 that the existing authentication methods of passwords and PINs are “too easily compromised, complex and cumbersome” because passwords are easy to steal and consumers often use the same passwords on multiple accounts.

As biometrics become more popular, usernames and passwords are disappearing — USAA Bank recently reported that 2 million of its own customers have traded passwords for biometric security. And as digital identity protection and security become increasingly important to financial markets and institutions across the United States and globally, Gary McAlum, USAA’s chief security officer, told PYMNTS in a recent interview that the company is focused on bringing new and more secure authentication methods and technology to consumers not just at USAA Bank, but around the banking world.

“We are moving away from knowledge-based authentication to authenticate member interactions across all of our channels. Instead, we encourage our members to voluntarily adopt the multifactor authentication options we offer,” McAlum said.

Out with the old, in with the new

McAlum said that in order to protect customers, banks of all sizes should be reevaluating how they ensure a customer is who they claim to be and that any transactions are not fraudulent.

Pointing to a long laundry list of recent security breaches in the news, McAlum noted that safeguards that were once thought to be secure, such as passwords or security questions, have become obsolete as hackers and other bad actors have become more advanced in their methods. This is because cybercriminals are constantly inventing new ways to infiltrate secure files and gain access to static information like passwords, which can be used to infiltrate a person’s account on multiple websites.

“The threat environment is adaptable, rapidly changing, morphing and highly incentivized to find and exploit an unknown vulnerability,” McAlum said. “It’s that thing for which all of our preparation can’t anticipate that keeps me up at night.”

But McAlum sees potential for technology like tokenization and biometric indicators to improve on these static methods by making sure there is no information sitting on a server, waiting to be accessed by unauthorized eyes. He explained that because biometric information is communicated via encrypted tokens that are destroyed after use and not stored on a central server like security question answers and passwords, even if hackers are able to gain access to a financial institution’s secure data, they would not be able to access individual accounts utilizing biometric security.

“I’ll stick with biometrics over user ID and password any day of the week,” he said. “The traditional knowledge-based authentication model provides minimum security for consumers in today’s world of rampant breaches of personally identifiable information and logon credentials. Then you add in the plague of phishing and social engineering, and it’s clear that static passwords are highly vulnerable methods of validating a user’s identity online.”

Giving better buffers to all banks (and consumers)

While McAlum said that USAA Bank is focused on providing the strongest security system on the banking market, it’s also sharing some of its technology and know-how for the greater good (and a new revenue stream.)

The company recently announced it will begin to license its own security methods and technology to smaller banks and financial institutions looking to offer the latest security technology, but without the funds or other resources to build it themselves. The first to receive a license was Persistent Systems, a technology services company that offers software solutions to financial service providers.

McAlum said that along with opening a new source of revenue and licensing biometric security and other technology even to other banks and financial institutions would help boost the security of USAA Bank members. He noted that USAA Bank customers often interact with other consumers and financial institutions, meaning that its important that consumers with any bank have access to the latest security technology.

“The financial services industry is highly connected, and we want every link in the chain to be strong from a security perspective,” he said. He said that the license will focus on authentication and security solutions based on concepts such as micro-trust, risk-awareness, contextualization and personalization in conjunction with technologies related to biometrics, risk modeling and dynamic proofing.

The licensed solution, McAlum said, will allow smaller financial institutions to access much of the same technology that larger banks can afford at a smaller cost and rely on technology that has already been proven effective for larger institutions with a larger customer base.

He pointed out there are other big perks for smaller players who access the licensed solution.

“Most importantly, other banks don’t have to create their own consumer authentication solution for mobile banking applications,” said McAlum. “It will allow them to calculate the risk and trust [of a customer] in real time based on the user’s behavior.”

This allows smaller banks and financial institutions to evaluate risk and decide whether to authorize a transaction.

“Ultimately, this should reduce cyber threats and account takeovers,” he said.

Perhaps with new biometric authentication technology reaching more consumers and financial institutions than ever before, news-breaking breaches can be a thing of the past.

To download the March edition of the Digital Identity Tracker™, click the button below…


The PYMNTS.com Digital Identity Tracker™, powered by Socure, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying and granting permission to individuals to access, purchase, transact or otherwise confirm their identity.