The one-time password, OTP for short, was an ingenious cybersecurity stopgap that worked for a while. But fraudsters never sleep, and they have cracked the OTP code.
The OTP has taken on such an important role in identity verification that fraud fighters must now evolve again, moving on to the next barrier that will trip up fraudsters. Entersekt Chief Strategy Officer Dewald Nolte and John Ainsworth, president and CEO of credit union service organization (CUSO) Bonifii, joined PYMNTS’ Karen Webster to discuss what those next moves will be.
As to why OTPs are no longer the digital deterrent they once were, Nolte put it down to changing technologies and the sophistication of fraudsters. “If you’re in the security business, you have to evolve. Fraudsters keep changing tactics. Over time, you learn where vulnerabilities are. And if we look at the SMS one-time password, the reality of it is this technology hasn’t changed in any meaningful way over the last two decades.”
That’s a few lifetimes measured in tech cycles, and he conceded that “we just haven’t kept up with the way of protecting that. It’s a good time to be in fraud,” he said, adding that “we’re fighting battles with gear that’s more than 25 years old. We have to evolve and equip our financial institutions with better technology to keep the consumer safe.”
Webster raised the frequent criticism that anti-fraud tools tend to protect the financial institution first, and Ainsworth added some numbers to illustrate the point.
“If you look at the dollars spent, say it’s $10 on cybersecurity, you’ve probably got a good $4 to $5 of that protecting the institution. You’ve got a good $4 protecting the actual transaction. Maybe you’ve got $1 or $2 actually focused on protecting the consumer,” he said.
The panel agreed that this imbalance in priorities and investment does not favor consumer safety, at a time when protecting the consumer has become job number one for FIs.
Visibility Over Friction
Ainsworth reinforced the point with another: suspicious activity alerts, almost by definition, arrive after someone has already tried to compromise an account. That order has to change.
He said, “Great. You sent me an alert that there may have been a suspicious transaction. Now I as the user have to call my issuer. I have to report it for fraud. My life is still the same.”
His point? Alerting people after the fact isn’t progress: “The technology should support that from a user experience before that actually happens, and that makes my life a lot easier.”
Asked how this gets fixed, Nolte said part of it requires a mindset shift in which FIs acknowledge that digital payments and banking are worlds away from the era of the FI-first approach.
He noted that friction is often used (or misused) as a justification for lax security, and that consumers are now smart enough to expect a little friction in their transactions; the alternative is kicking the can down the road on friction and failing to detect fraud in real time.
“If you look at that, a modern authentication solution needs to be able to have visibility across channels and have real-time capabilities to look at things like has there been a SIM swap, for example,” Nolte said. “Is the behavior of this user consistent with what I’ve seen before? Is the device’s reputation consistent with what I would expect from it?”
That is also a function of consumer choice and preference in authentication: systems with visibility across channels can make better decisions based on risk signals and context. “That’s something we’ve been investing a lot in, to bring that reality to the financial services industry. That’s how you equip them with this modern toolset to fight the latest fraud,” he said.
“That context then allows you to make the right decisions and protect the user. That’s what we refer to as context-aware authentication, and that really enables you to protect the entire user journey by looking at those signals and taking into account the user’s preferences,” Nolte said.
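One way to turn the signals Nolte lists into a decision, as an added example that is not Entersekt’s or Bonifii’s code: a small policy that combines SIM-swap recency, behavioral consistency and device reputation into allow, step-up or deny, and that refuses to fall back to an SMS OTP when the SIM has recently changed. The signal names, thresholds, factor names and sample attempts are assumptions constructed for the example.

```python
"""Context-aware step-up decision (illustrative; not any vendor's code).

Combines three signals named in the discussion (recent SIM swap, behavior
consistent with the user's baseline, device reputation) into one decision per
authentication attempt. All thresholds and names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SIM_SWAP_WINDOW = timedelta(hours=72)  # assumed: distrust the phone number this long after a SIM change


@dataclass
class AuthContext:
    user_id: str
    channel: str                 # "web", "mobile_app", "call_center"
    device_id: str
    device_trust: str            # "trusted", "unknown", "flagged" (assumed reputation buckets)
    last_sim_change: Optional[datetime]
    typical_countries: set       # countries seen in the user's baseline
    country: str
    typical_hours: range         # local hours the user normally transacts
    hour: int
    has_app_push: bool           # enrolled for in-app push confirmation
    amount: float
    typical_max_amount: float


def behaviour_anomalies(ctx):
    """List the ways this attempt departs from the user's own baseline."""
    anomalies = []
    if ctx.country not in ctx.typical_countries:
        anomalies.append("new_country")
    if ctx.hour not in ctx.typical_hours:
        anomalies.append("unusual_hour")
    if ctx.amount > 3 * ctx.typical_max_amount:   # assumed outlier threshold
        anomalies.append("amount_outlier")
    return anomalies


def sim_recently_swapped(ctx, now):
    return ctx.last_sim_change is not None and now - ctx.last_sim_change < SIM_SWAP_WINDOW


def decide(ctx, now):
    """Return (decision, factor, reasons) where decision is allow|step_up|deny."""
    reasons = behaviour_anomalies(ctx)
    sim_swapped = sim_recently_swapped(ctx, now)
    if sim_swapped:
        reasons.append("recent_sim_swap")
    if ctx.device_trust in ("flagged", "unknown"):
        reasons.append(ctx.device_trust + "_device")

    # A flagged device plus any other anomaly is not worth challenging: deny.
    if ctx.device_trust == "flagged" and len(reasons) > 1:
        return "deny", None, reasons
    # Trusted device, behavior in line with baseline, no SIM event: no friction.
    if not reasons and ctx.device_trust == "trusted":
        return "allow", None, reasons
    # Something is off: step up, but never over SMS if the SIM just changed,
    # because the fraudster now receives that SMS.
    if sim_swapped:
        factor = "app_push" if ctx.has_app_push else "manual_review"
    else:
        factor = "app_push" if ctx.has_app_push else "sms_otp"
    return "step_up", factor, reasons


def sample_contexts(now):
    """Constructed sample attempts (not real data) covering each branch above."""
    base = dict(user_id="u-1001", channel="mobile_app", device_id="dev-A",
                device_trust="trusted", last_sim_change=None,
                typical_countries={"US"}, country="US",
                typical_hours=range(7, 23), hour=14,
                has_app_push=True, amount=120.0, typical_max_amount=500.0)
    return {
        "normal": AuthContext(**base),
        "sim_swap_no_app": AuthContext(**{**base, "last_sim_change": now - timedelta(hours=2),
                                          "has_app_push": False}),
        "sim_swap_with_app": AuthContext(**{**base, "last_sim_change": now - timedelta(hours=2)}),
        "new_device_new_country": AuthContext(**{**base, "device_id": "dev-Z",
                                                 "device_trust": "unknown", "country": "RO"}),
        "flagged_device_big_amount": AuthContext(**{**base, "device_trust": "flagged",
                                                    "amount": 4000.0}),
    }


def run_samples(now=None):
    """Decide every constructed sample; returns {name: (decision, factor, reasons)}."""
    now = now or datetime.now(timezone.utc)
    return {name: decide(ctx, now) for name, ctx in sample_contexts(now).items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:28s} -> {result}")
```

The point of the SIM-swap branch is the one the OTP discussion turns on: once the signal says the number changed hands, the SMS channel is no longer a second factor, so the policy either moves to a factor bound to the device (push) or refuses to proceed automatically. A production engine would weight these signals rather than branch on them, but the ordering (hard deny, then frictionless allow, then channel-aware step-up) is the shape of the decision.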
Safeguarding the Ecosystem
Ainsworth said things got to this point due to a “Rubik’s cube” approach of everyone doing their own thing without common standards governing authentication.
“We didn’t really have a common layer until W3C came in and said we’ve got to get this right. That’s helped a lot, because everybody can interact with everybody’s APIs, and a decade ago that just wasn’t possible. I think that gives a lot better opportunity, at least to have the participants talking the same language in the same format,” he said.
When done well, Ainsworth added, strong security needn’t disturb the user experience. “Underneath all of the different connection points we have between the institution and the device, between the providers, there’s a lot of spaghetti connections,” he said, “but for me as a user, it’s just, are you doing this? That’s the most simplistic experience.”
As to who the intermediaries are behind the scenes in a well-ordered, interoperable fraud-prevention ecosystem, that role has traditionally fallen to the issuer. With the advent of standards such as EMV 3-D Secure, there is now more of an industrywide compliance framework.
Still, harmonizing the three main participants today (the FIs, the payment processors and the API gateways that connect them) means bringing them together on a single platform for the visibility it provides, while preserving the consumer experience and safeguarding accounts.
This kind of authentication orchestration ecosystem gives some shape to what both panelists think fraud fighting must evolve into if it is to satisfy all parties.
Noting that the FI focus on KYC and KYB is morphing into “KYM, know your machine or KYD, know your device,” Ainsworth said “credit unions are not known for building their own technology or owning the technology. The goal is to make sure that credit unions or community institutions can provide the same level of technology as a Citibank or an HSBC or a Santander. But the roadmap goes back to how do I keep [the consumer] from becoming a victim of fraud?”