In an age where consumers turn to the internet for everything from banking to commerce to health care, bill pay and social interaction, password security best practices seem like a no-brainer. Despite handling sensitive data and processes in online channels, passwords remain a notable weak spot across internet users.
The typical consumer has been found to maintain 27 different logins. To reduce the complexity of having to remember them all, many recycle a single, simple password. Some even share passwords or, worse, don’t have passwords at all. All of this leaves them vulnerable to hacks.
As the number of cyberattacks rises on a global scale, password compromise is often to blame.
PYMNTS’ Karen Webster recently hosted a digital discussion with Hannah Preston, solution strategist at CA Technologies, to unpack the multinational software corporation’s work to eliminate the need for passwords altogether by creating a range of secure authentication alternatives in an ever-growing online world.
Introducing new authentication factors is more complicated than it may seem, said Preston, considering how problematic passwords have become. But it’s not as simple as beefing up security. Developers need to look at how to introduce new authentication measures without introducing friction into the consumer experience.
Additionally, they need to anticipate where fraudsters may look to attack in the future and assess the vulnerabilities of new authentication practices. This includes predicting key risks as the number of sales and transaction channels financial institutions leverage grows.
“We’re experiencing one of the greatest global authentication upgrades that we’ve ever seen,” Preston said. “All of the solutions that we have designed, available to banks enables them to give their customers easy, simple authentication options, making transactions happen as quickly as possible while preventing fraud.”
Most banks in Europe, said Preston, require customers to make no effort at all. In the background, CA Technologies profiles the device examines consumer behavior and analyzes the transaction, comparing the data to a portfolio of millions of device fingerprints, card profiles and merchant data.
“Banks use a risk score to determine whether to accept that transaction,” Preston said.
This approach gives banks more control over what they do with each transaction. If a transaction receives a high-risk store, banks can send customers an SMS, activate an app or deny the purchase, thus completely blocking criminals.
As with many things in the payment security space, it’s not always simple to make significant changes to core processes as it requires consumer adoption, which can be challenging to communicate to cardholders.
Preston identified a few key risks that have arisen as financial institutions as eCommerce channels expand. Consumers sometimes put themselves at risk. Preston noted the #myfirstpaycheck scam, wherein a fraudster created an Instagram hashtag to trick unsuspecting users to post selfies with their first pay slip, providing fraudsters everything needed to take out a payday loan in the victim’s name.
“If you think about the selfie,” Preston said, “we need to think about the behavior that we’re encouraging for our account holders. How do then you protect yourself when you’ve given away something — your face and your personal information? You can’t take it back. It puts you very much at risk and makes you feel very vulnerable.”
Another risk Preston identified is listening tools like Adobe’s software prototype. With 20 minutes of recorded audio, it’s possible to make the software manipulate the voice to say anything. These capabilities are cause for concern especially in light of the fast-growing trend of voice-activated authentication.
“If Adobe can create this technology,” Preston said, “it’s possible with enough motivation to develop a similar capability. If you think about the capabilities of machine learning, these sorts of tools could potentially be created by fraudsters.”
Amazon’s voice capabilities also open up the transaction capabilities of the IoT to some new devices. But with this comes the need to develop ways to authenticate devices beyond smartphones, PCs and tablets.
Preston noted the collaboration between Amazon, Starbucks and Ford to enable voice ordering.
“Maybe we’ll start to see touch ID pads in cars or authentication by the uniqueness of the driving style,” Preston said. “We will soon see many more devices making transactions.”
Multiple Authentication Options Key
There is a broad range of authentication options to choose from today — biometrics and back-end behavioral analytics, app-based protocols, and hard and soft tokens, among others.
Preston defines two distinct categories: physical authentication, like SMS or hard/soft tokens, biometrics, etc., and silent authentication, consumer behavior, device information, location, and the data that people make available about themselves.
“In any strong authentication strategy,” Preston said, “you should look to those silent authentications to give you confidence those physical authentications can be trusted.”
If financial institutions send an SMS to a compromised device, then the SMS is not secure; if someone has registered a face that doesn’t belong to them, then biometric authentication can’t be trusted. Having a flexible, adaptable and multi-authentication approach involving looking at the data and behavior creates a serious challenge to criminals.
“What you want to do is give the customer the convenience and the choice,” she said. “I would recommend supporting various authentication methods to personalize the customer experience and provide the consumer with the choice. Banks can take advantage of commercial opportunities to increase transaction rates by making the consumer feel safe while delivering simplicity — one solution rarely fits all.”
Some of the strongest contenders to replace the password are app-based authentication protocols. They provide robust encryption security, whereas the internet is an open platform where anyone can buy a domain. Before publishing an app, it goes through rigorous checks by the App platforms. The app platforms tightly govern the entire app ecosystem. Likewise, it’s difficult to inject messages into messages, which is why users don’t see things like fake push notifications sent out through CNN alerts.
In the digital discussion attended by a largely U.S.-based audience, listeners ranked biometric followed by behavioral authentication as the top two most secure methods. Of the biometric options, listeners reported liking fingerprint authentication the most.
Conversely, in the U.K., Preston said that in-app authentication protocols would outrank all other methods, with institutions across the pond warier of biometric capabilities.
3D Secure 2.0 And PSD2
The latest update of the 3D Secure authenticated payment system adds another layer to strong authentication in an increasingly mobile and IoT-based commerce age. The latest edition has come a long way from the original 3D secure protocol, designed in a pre-smartphone era.
“3DS has to be natively compatible with mobile, and all of the other devices that we use now which 3D Secure 2.0 addresses,” said Preston.
Preston noted that there’d been a global collaboration globally between large merchants and big banks to design that is going to allow consumers to transact in the way we want and by leveraging the authentication protocol they want, whether it’s biometric, soft token or SMS.
Predictions are that 3D Secure transactions will rise significantly on a global scale, linked in part to PSD2 in Europe. While the regulatory standards have yet to be finalized and put into law, PSD2 will likely require all card-not-present transactions over €30 to be strongly authenticated, said Preston.
Banks can take advantage of risk-based exemptions and rely on background soft authentication for most transactions, but that comes with having to meet aggressive fraud targets.
“At the moment, there’s only really the 3D Secure protocol that can enable that sort of communication,” Preston said. “3D Secure has been very successful in Europe and other parts of the world — the U.S., for some reason has resisted, but they should reconsider.”
One of the reasons the U.S. market didn’t take a liking to 3D Secure was that it required a password for every transaction, leading to a poor customer experience. Consumers were forgetting their passwords in some cases led to 20 to 30 percent abandonment.
But looking at the abandonment and the failed transactions at some of the biggest banks in the U.K., the failure and abandonment rate is 1 percent or 0.5 percent or less in some cases.
“This is because they’re risk-based,” Preston said. “Most transactions are silently authenticated. If you’ve got a trusted device and they’re making a normal transaction, you can make a smart decision on whether that is or isn’t the customer. With a lot of those transactions, the risk of failure is minimal.”
The simpler authentication methods that are adopted, the less they have to worry about than abandonment, said Preston. And with the latest 3D Secure upgrade, the friction on the consumer end has been cut back with risk-based analytics and smart authentication.
Regulations and mandates that are making a move to strong authentication a high priority across major financial institutions. Preston gave the example of a big bank that went live with SMS OTP authentication. Within a week, the bank increased their fraud prevention by 90 percent as fraudsters dispersed elsewhere.
CA Technologies has already seen many make a move, said Preston, and some others are making the switch in 2017. Others, however, are taking their time, which makes them easy targets for fraudsters.
“One of the things I hear most frequently, one of the biggest challenges for most banks is that they don’t want to do is decline transactions or have calls into the call center and have to manage that,” said Preston. “People feel quite strongly about strong authentication. It’s political, and it’s difficult to get consensus and make that first step.”
Of the digital discussion attendees surveyed, half were undecided as to when they would roll out strong authentication protocols. This doesn’t mean that the change won’t happen, noted Webster, but rather that there are some factors to wade through before making the leap.
In closing, Preston reiterated that financial institutions making the transition to strong authentication need to give themselves flexibility in the methods they can apply and to have an adaptive, multilayered approach to the process. Additionally, she stressed the importance of involving silent authentication such as device fingerprinting and behavioral authentication as an essential tactic to validate strong methods.