Banks must innovate to increase profitability, grow market share and drive the next phase of their transformation to digital, experience-driven banking services. Success is built on a mobile-first strategy and the ability to generate rich, analytics-driven insights from which banks can personalise their approach to engage with customers and for customer acquisition.
Mobile customers also expect a more seamless authentication method, and they expect their bank to keep them safe even when their own behaviour is unsafe. To satisfy increasingly demanding customers and prevent them from switching service providers, banks should consider three important business transformation strategies: offering a superior user experience, introducing more innovative services, and providing frictionless authentication.
A recent study conducted by Javelin Research showed it is 43 times cheaper for a bank to transact through mobile rather than in-branch banking channels. Customers who move to mobile banking can yield an ROI of 16%. However, customer security concerns are frequently cited as the #1 or #2 barrier to adoption for mobile banking. Furthermore, research conducted by UBS Evidence Lab, found that in most European countries, mobile banking has less than 40% uptake by customers.
To achieve desired revenue growth targets, meet risk and compliance challenges, and improve operational effectiveness, banks must, in part, drive adoption of mobile channels and deliver a superior experience with increased convenience whilst improving security. This can be addressed through a multi-layered approach in which the user, the device, the channel, the transaction and the back-end banking application are each authenticated, so that trust is established end to end rather than at the login screen alone.
Managing money whilst on the move is particularly important for mobile-based banking, but today's methods of soliciting customer approval before executing transactions can be confusing and annoying. Customers have difficulty distinguishing between legitimate and fraudulent websites, emails, and phone calls, making it tough to spot fraudulent transactions.
Passwords, hardware tokens and challenge-response schemes have proven both inadequate and frustrating. The usual alternative has been out-of-band (OOB) verification using a one-time password (OTP) sent via SMS to the customer's mobile device, but SMS OTPs have proven vulnerable to man-in-the-middle (real-time phishing relay) and smishing attacks aimed at account takeover: an OTP proves possession of a phone number, not approval of a specific transaction, so a relayed code authorises whatever the attacker has queued.
A better approach is to send a real-time alert, a push notification, to the customer's registered phone immediately before a suspicious transaction is applied to their account. The notification shows the details of the pending transaction, including time, location, amount and payee, and with a simple swipe of the finger the customer immediately approves or rejects it. Because the approval is cryptographically bound to exactly those displayed details, the process is known as transaction signing.
Transaction signing is performed with an asymmetric key pair: the private key held on the customer's registered device signs the transaction details, and the bank verifies the signature with the public key it recorded at enrolment, so an approval for one transaction cannot be reused for another. The architecture also requires end-to-end encrypted communication underpinned by mutual authentication between the customer's registered mobile device and the back-end online banking application. The push notification and the customer's signed response should ideally travel over two independently secured, encrypted channels, so that a fraudster who compromises one channel (for example the push delivery path) does not thereby control the signing step as well.
Non-repudiation of the transaction holds only if the private key used for signing is generated outside the financial institution's back-end system, on the customer's device, and is then protected against extraction, cloning or use by another application, typically by keeping it in the phone's hardware-backed key store. If the bank itself could generate or hold the key, a signature would not prove that the customer, rather than the bank, approved the transaction.
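The exchange described above, as an added Go example that is not HID's code or the article's own: the device generates a P-256 key pair and shares only the public key at enrolment, the bank pushes a pending transaction carrying a single-use nonce, the device signs the canonical details behind the customer's swipe, and the bank verifies against the enrolled public key before executing. The names Device, Bank and Transaction, the sample transaction and the canonical encoding are assumptions made for the illustration; a real app would keep the private key in the phone's hardware-backed key store and carry both messages over mutually authenticated, encrypted channels, which this in-memory example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Transaction carries exactly the details the customer sees in the push notification.
// Nonce is bank-issued and single-use so that an old approval cannot be replayed.
type Transaction struct {
	Nonce, Timestamp, Location, Amount, Payee string
}

// canonical returns the byte string that is signed and verified. Both sides must
// serialise the same fields in the same order, or verification fails.
func (t Transaction) canonical() []byte {
	return []byte(strings.Join([]string{t.Nonce, t.Timestamp, t.Location, t.Amount, t.Payee}, "\n"))
}

// Device models the customer's registered phone (hypothetical type). The private key
// is generated here and never sent to the bank; a real app would keep it in a
// hardware-backed key store rather than in process memory as done here.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material shared with the bank, at enrolment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Approve is what happens behind the customer's swipe: hash the displayed details
// and sign that hash with the device's private key.
func (d *Device) Approve(t Transaction) ([]byte, error) {
	h := sha256.Sum256(t.canonical())
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Bank (hypothetical type) holds only public keys plus the nonces it has accepted.
type Bank struct {
	enrolled   map[string]*ecdsa.PublicKey
	usedNonces map[string]bool
}

func NewBank() *Bank {
	return &Bank{enrolled: map[string]*ecdsa.PublicKey{}, usedNonces: map[string]bool{}}
}

func (b *Bank) Enroll(customer string, pub *ecdsa.PublicKey) { b.enrolled[customer] = pub }

// NewChallenge builds the pending transaction the bank pushes to the phone.
func (b *Bank) NewChallenge(timestamp, location, amount, payee string) (Transaction, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Transaction{}, err
	}
	return Transaction{Nonce: hex.EncodeToString(n[:]), Timestamp: timestamp,
		Location: location, Amount: amount, Payee: payee}, nil
}

// Verify checks that sig was produced by the customer's enrolled key over the exact
// transaction the bank is about to execute, then burns the nonce so the same
// approval cannot be presented twice.
func (b *Bank) Verify(customer string, t Transaction, sig []byte) error {
	pub, ok := b.enrolled[customer]
	if !ok {
		return errors.New("no device enrolled for customer")
	}
	if b.usedNonces[t.Nonce] {
		return errors.New("replayed approval: nonce already used")
	}
	h := sha256.Sum256(t.canonical())
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match transaction details or enrolled key")
	}
	b.usedNonces[t.Nonce] = true
	return nil
}

func main() {
	dev, _ := NewDevice()
	bank := NewBank()
	bank.Enroll("customer-42", dev.PublicKey())

	// Constructed sample transaction, as it would appear in the push notification.
	tx, _ := bank.NewChallenge("2024-03-01T09:15:00Z", "London", "250.00 GBP", "Acme Ltd")
	sig, _ := dev.Approve(tx)

	// A fraudster in the path changes the payee after the customer has signed.
	tampered := tx
	tampered.Payee = "Mule Account"
	fmt.Println("tampered payee: ", bank.Verify("customer-42", tampered, sig))
	fmt.Println("genuine approval:", bank.Verify("customer-42", tx, sig))
	fmt.Println("replayed:       ", bank.Verify("customer-42", tx, sig))
}
```

The tampered transaction fails because the signature covers the payee; the genuine approval succeeds and burns the nonce; presenting the same signature again fails on the nonce check. A signature from any device other than the enrolled one fails the same way as tampering, which is the point of generating the key off the bank's systems: only the customer's device could have produced it.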
The approach of validating suspicious transactions just before they are authorised is best implemented within a layered authentication framework as part of a holistic, intelligence-based digital banking strategy that optimises risk-based security. Friction is reduced by minimising the scenarios and instances in which the customer is asked to present any login or authorisation credentials: low-risk activity proceeds silently, and the signing step is reserved for the transactions that warrant it.
Even just halving the number of times that a bank's fraud department needs to call its customers to check on a suspicious transaction has resulted in millions of dollars of savings per year for one particular financial institution. Implementing push notification and transaction signing can help banks to solve the dual conundrum of providing an improved user experience but with significantly reduced operating costs.
Continuous, frictionless authentication, and the ability to step up authentication when risk is unacceptable, can be used to drive today's more holistic, versatile, multi-layered authentication strategy for protecting online channel delivery. The result is a more satisfying user experience, reducing frustration by making secure online and mobile banking more convenient for customers.
By Tim Phipps
Vice President of Product Marketing Strategy and Solutions for Identity and Access Management (IAM) with HID Global