Better Authentication is Key to DDoS, Mobile Banking Protection: Jeff Carter

"When you don't have trusted identities for accessing your online banking infrastructure, anyone in the wild can make a request, and you have to respond to it," says Jeff Carter, who ran innovation for Bank of America and the Center for Future Banking, a joint venture between Bank of America, MIT and Harvard University, for six years and is currently chief strategy officer at EyeLock. He has a vested interest: his company's technology scans the human iris to create a "trusted identity" that can be used to authenticate users of anything, including a mobile banking app or online banking site.

"In a basic denial of service attack, there's floods of erroneous account information on your online banking site," Carter says. "In between, you have actual attacks, where there could be a compromised user name and password used. If you don't have secure identities, it's tough to prevent those types of attacks. "

Carter acknowledges the economic reality that has largely prevented banks from investing in authentication technology.

"Banks now have trusted environments to do transactions, using RSA tokens and other types of security apparatus," he notes. "Economically there hasn't been a way to scale that across many customers. We're looking for the point that you can scale it and have it be cost effective."

This week, EyeLock announced a partnership with financial services consultancy Capco, under which Capco's new Secure - Banking and Capital Markets practice will implement EyeLock's iris authentication technology.

When we mention iris recognition to people, we often hear, "Oh, that's creepy!"

Carter counters that iris scanning is a favorable alternative to fingerprinting. "With the iris, there's nothing to touch and you don't have the stigma of being associated with the FBI databases of known felons," he says. "And iris recognition is orders of magnitude more powerful and more accurate than fingerprints. You have more certainty around who you're dealing with."

Another objection to iris scanning we sometimes hear is that like any other authentication method, it still comes down to a string of numbers that dedicated criminals could potentially hack into and change.

"We have a lot of intellectual property around understanding and ensuring liveness at the point of interaction," Carter points out. "This will ultimately change the game on how security is imagined."

Banks have to do something to improve authentication, especially for mobile banking, Carter believes, if only due to competitive pressure.

Apple is expected to release a phone with fingerprint authentication in a few months. "If nothing else happens, and only Apple releases something, you'll have a fingerprint-driven phone that will be connected to 400 million credit and debit accounts," he says. "At that point, you'll have a technology company that's protecting customers' data better than the banking industry. Customers might ask, why do I need a DDA if I can use my iPhone with a Bluebird account?

"The banking industry has been pushing back on this and on anything that would be customer friendly or move the industry forward," Carter says. "They may find themselves on the outside looking in. If Bluebird and Amex was the first wave, Apple is another. Other companies are similarly looking at ways to hack the knees off every bank they can. The profit pools of banking are the largest in the world, and everyone aggressively wants to go after that." The top banks, he points out, all run their mobile banking apps through Apple, Google and Microsoft and surrender to their terms and conditions.

"If you look at the perfect storm of problems that could hit the industry, there are fee revenue pools being attacked and interchange revenue pools being attacked," he says. "The very basis of mass-market consumer banking is being torn away by companies that offer fee-free arrangements."

Most banks are focused on survival mode and reducing operational cost, he observes. "What I'm looking for toward the end of the year is which bank will break ranks and move with one of the technology platform leaders," Carter says. "Depending on what Apple and Microsoft have in store and if there is a bank tied to that directly, that's going to cause other banks to break."
