In battle, the best way to win — to place an unwitting victim at one’s mercy, to surprise and make off with the spoils — is to attack the weakest point that offers access, and the element of surprise. So, it is in banking with fraudsters and their victims, where attacks leverage weak points inherent in existing technologies and processes. The access lets the bad guys steal identities and drain bank accounts.
As Karl Kilb III, CEO of identity verification firm Boloro, told PYMNTS, when it comes to online banking, the single point of failure is the internet. It’s an inherently vulnerable platform upon which to interact and transact. Fraudsters intercept the one-time PINs and passwords that pass for security in today’s world.
“If you look at all the security problems out there (everything involving the internet, breaches, malware on your operating system), the internet and the operating system are inherently insecure. And why would you want your banking built on that inherently insecure system?” he asked.
Separation and authentication of those transactions are critical, he said, in an age where banks want to tap into a demographically desirable population: millennials.
As the executive told PYMNTS, millennials are enthusiastic about adopting online banking as their key conduit to everyday financial life, and the mobile phone is their instrument of choice. However, the younger generation will only be enthusiastic about forging digital relationships with their banks if they can be assured that their identities — and accounts — are secure.
Offering a user-friendly, instantaneous way of securing transactions, even before they happen, will spur more adoption of digital payments, and cement relationships between consumers and their banks, said Kilb. For Boloro, he said such security efforts “require multi-factor and multi-channel” safeguards in establishing digital identities.
The shift toward mobile banking done across phones also carries with it the promise of financial inclusion. As Kilb noted, countries like India can benefit from phone and PIN-based systems, where “you still have many people in rural areas [who] do not have internet access. And there are also many people who are still using feature phones.”
Eliminating Entry Points
As has been relayed in these pages in recent months, hackers don’t actually break into banks and individuals accounts. They gain access.
Boloro, explained Kilb, takes “an ATM-like approach” to verification, reliant on a memorized PIN (known only to the user) that is used to authenticate a transaction before it is processed, eliminating fraud. The firm uses the memorized PIN and a separation of authentication from the internet as arrows in the quiver against fraud, utilizing the secure signaling layer tied to mobile phones to deliver a flash text message that describes the transaction taking place, and prompts the user to authenticate their memorized PIN. The flash text, temporary and ephemeral, disappears, with no remainder of its contents or the user’s PIN on the device.
Eyeing GDPR And PSD2, Too
The confluence of factors at play here — namely, having a device in hand, along with the PIN known only by the user — helps satisfy the mandates of strong customer authentication (SCA), which is part of PSD2 and debuts in September. Those authentication mandates that extend to European firms require merchants and financial firms to establish that customers are who they say they are through something they have, something they know or something they are — two of which must be satisfied for transactions to continue, or friction is introduced into the process.
The Boloro methodology satisfies the first two of the three aforementioned criteria, Kilb told PYMNTS, as there are vulnerabilities inherent even with biometrics today (which, once they are compromised, can never be truly reliable). “You should not rely solely on biometrics. If you use biometrics to enter your phone, you should definitely authenticate transactions with a separate means,” Kilb said.
The transactions themselves are frictionless because mobile numbers (and IDs) are validated at the point of the transaction’s origination, he added.
As PSD2 creeps ever closer, Kilb said, opportunities abound for the firm. “The banks are now figuring out, and getting involved in, how to address PSD2,” he said. In his own interactions with European firms, “they are well aware of the deadline, and, now, they are looking for a solution that is easily implemented that will solve SCA across the board,” while solving for GDPR’s edicts on protecting data and privacy. Authentication processes that decouple the internet from authentication do not store personal data, he noted, and so comply with GDPR.
Beyond Online Banking
Perhaps not surprisingly, this “ATM-like approach” to mobile banking works well at ATMs.
Kilb noted that, in his firm’s conversations with banks, ATM-skimming is an ever-growing problem, and is “growing as a use case for Boloro. We're working with banks to have the customer insert a physical ATM card at the ATM [location] the way they traditionally do,” he explained. “But the message to authenticate themselves would be sent to their physical mobile phone[s] instead of to the ATM screen.” The memorized PIN is entered on the secured handset, instead an ATM’s screen or pad that may be compromised.
“Any time there is a single point of failure, it becomes easier for a fraudster. In an online context, the single point of failure is the internet. In the ATM context, the single point of failure is the screen,” he said, noting that whether banking is done online or in a physical brick-and-mortar setting, “your authentications should be done through a separate, secure channel.”