
Trade-Off Gets Tougher Between Security, Convenience

Editor at Large

An old dilemma is growing more vexing as cybercriminals get better at impersonating customers to loot their accounts and as regulators increasingly push banks to adopt multifactor authentication.

The stronger security features designed to keep fraudsters out — passcode key fobs, for instance, and so-called challenge questions (What was the name of your best friend in elementary school?) — can also block legitimate customers from accessing their own accounts. Many banks' mobile apps' listings in the app stores are littered with complaints from customers who had trouble logging in to their accounts. The same is true for desktop banking.

"What customers get frustrated with is if we lock them out of their online banking because they're using their cousin's computer on Christmas break, so they've logged in from a different state, on a different computer with a different IP address, and they can't remember what city their parents met in," said Dominic Venturo, chief innovation officer at U.S. Bank. "All they were trying to do was transfer money so they could cover some yearend expense. They get pretty crabby about that."

Insisting that customers provide a passcode from a multifactor token they may have lost, accidentally run through the washing machine or simply left at home won't go over well.

The challenge of toughening security without irritating customers is part of broader cultural changes in our society.

"In this new age of the digital world, customers are finding that lots of things they do are easy, like restaurant reservations, with no consequence from a liability or loss point of view," said Arkadi Kuhlmann, CEO of the startup Zenbanx and founder of ING Direct. "So the expectation is I should be able to access, move and do things with my money as easily as making a restaurant reservation."

This puts a lot of pressure on banks. "If there are losses, the customer doesn't want to take responsibility or the loss," Kuhlmann said. But if banks tighten security, making access to money more difficult, then people are unhappy.

"You are between rock and a hard spot," he said.

The impetus for tighter security is growing stronger. In a November letter to all the national bank regulators, the New York State Department of Financial Services called for stronger cybersecurity requirements for banks, including the use of multifactor authentication for customers and employees.

Yet help from law enforcement agencies is not always forthcoming, Kuhlmann said. "When we talk to law enforcement about terrorists, we get attention. When we talk to them about fraudulent activity — they only have so many resources."

Meanwhile, malware and social engineering attacks grow ever more sophisticated and effective, sometimes drawing on personally identifiable data stolen in breaches and available on the black market. Security blogger Brian Krebs described in a recent post how a cybercriminal took over his PayPal account by getting his password reset through the company's call center. The lesson, he said, is that banks ought to at least make two-factor authentication available. (PayPal does offer mobile authentication — a code texted to the user's smartphone — but doesn't require or promote it.)

"It behooves any company doing business online to at least offer two-step or two-factor authentication," Krebs said. "They don't need to mandate it, but for those of us who would take advantage of that added account security, it's a huge plus."

Krebs also acknowledges the need for a balance between security and usability.

"It makes a lot of sense for those organizations to invest in the kinds of back-end technologies that can help minimize account takeovers," he said.

Many banks do. U.S. Bank, for example, does a lot of its security work in the background, to minimize the impact on customers. Like other banks, it applies algorithmic logic to check the device identity and location and the user's behavior patterns, among other things. The bank also offers voice authentication on Apple devices, as well as the ability to instantly lock down all a customer's accounts when a device is reported stolen.
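The background checks described above can be sketched as a risk-based step-up decision. This is an added illustration, not U.S. Bank's or any other bank's code; the signals, weights and thresholds are assumptions, and the profile and login events are constructed to mirror the article's "cousin's computer" scenario. The point it shows is that an unfamiliar device in an unfamiliar state triggers a second factor rather than a lockout, while a login that also piles up failed attempts, an odd hour and a large transfer is denied.

```python
# Added example: a simple risk-based step-up decision (assumed weights and thresholds,
# not any bank's actual logic). Signals are scored in the background; only risky
# logins get a second factor or are blocked, so a legitimate customer on an
# unfamiliar computer is challenged rather than locked out.
from dataclasses import dataclass

@dataclass
class Profile:
    known_devices: set
    known_states: set
    usual_hours: range            # local hours the customer normally logs in

@dataclass
class Login:
    device_id: str
    state: str
    hour: int
    failed_attempts: int          # failed password tries before this attempt
    transfer_amount: float = 0.0  # amount the session is trying to move

def risk_score(profile: Profile, login: Login) -> int:
    """Sum weighted signals; higher means more suspicious (weights are assumed)."""
    score = 0
    if login.device_id not in profile.known_devices:
        score += 30               # unrecognised device fingerprint
    if login.state not in profile.known_states:
        score += 20               # unfamiliar location / IP geolocation
    if login.hour not in profile.usual_hours:
        score += 10               # outside the customer's usual hours
    if login.failed_attempts >= 3:
        score += 30               # brute-force or guessed-credential pattern
    if login.transfer_amount > 1000:
        score += 20               # high-value transfer raises the stakes
    return score

def decide(profile: Profile, login: Login) -> str:
    """Map the score to an action: allow silently, step up, or deny."""
    score = risk_score(profile, login)
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"          # e.g. one-time code to the enrolled phone
    return "deny"

# Constructed sample data: customer normally logs in from a home laptop in MN, 8am-10pm.
PROFILE = Profile({"dev-home-laptop"}, {"MN"}, range(8, 22))
COUSIN = Login("dev-cousin-pc", "WI", 14, 0, 200.0)   # new device, new state, otherwise normal
ATTACK = Login("dev-unknown", "WI", 3, 4, 5000.0)      # plus failures, 3am, large transfer
```

Run `decide(PROFILE, COUSIN)` to see the step-up path and `decide(PROFILE, ATTACK)` for the deny path; a login from the home laptop scores 0 and is allowed without friction.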

Wells Fargo and USAA also use voice recognition in their apps and call centers to confirm customers' identities and detect bad actors.

"That strikes me as a tremendous benefit for companies, because the people involved in account takeovers are generally doing this on a large scale, and will very often call in to banks and try to assume the identity of multiple individuals," Krebs said. "Rarely are these one-off cases."

Apple made fingerprint recognition popular by including Touch ID fingerprint recognition technology on iPhones and making it part of Apple Pay. Apple device users tend to complain when a mobile banking app doesn't support Touch ID — they have grasped the ease of use if not the security benefits. Citi, Chase and Bank of the West are among those using it to let customers log in to mobile banking with the press of a finger.

Many banks offer authentication through an SMS code sent to the user's phone. This form of out-of-band authentication can be gamed by malware, yet it's still stronger than a password.

Atom Bank, a digital "challenger bank" in the U.K., recently announced that it is using face and voice biometrics as credentials for customers logging in. (USAA and Zenbanx are among the U.S. companies that have adopted facial recognition.)

So there are options for forging that middle way between convenience and security. But getting the majority of core banking software providers to support them, banks to invest in them, and consumers to use them, will continue to be an uphill battle for some time.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.


Comments (3)
Great point -- consumer education and encouragement is key, as well as user-friendly authentication. We've written extensively in previous articles about FIDO's standards and the many authentication technologies out there. Here's one example: http://www.americanbanker.com/news/bank-technology/growing-list-of-firms-works-to-solve-banks-digital-identity-crisis-1071578-1.html
Posted by pennycrosman | Friday, January 08 2016 at 11:34AM ET
I think the only way to get consumers to adopt more secure online banking practices, such as adopting multi-factor authentication, is that the banks must publicize and strongly encourage their customers to adopt such practices. So the first thing is that banks need to be convinced themselves that it makes good business sense for them to offer multi-factor as a way of reducing fraud, rather than simply accepting fraud as a cost of doing business. But then the banks need to aggressively encourage their customers to adopt those methods. Unfortunately, banks still seem to be afraid of doing this, for fear that they will lose customers. And BTW there are more secure and user-friendly authentication methods than sending a one-time code to a cellphone. Check out the work of the FIDO Alliance, which a number of financial institutions participate in.
Posted by phobos | Friday, January 08 2016 at 9:04AM ET
Call centers have long been a source of weakness as has the consumer preference for convenience over security. No matter the feeling of security one has from fingerprints, fingerprints and voice clips are static data and can be copied. Ever pressed your finger on a piece of scotch tape? Without dynamic authentication, we miss out on the benefits of multi-factor in the long run.

The total cost of fraud to the entire system is increasingly difficult to calculate (technology, law enforcement, lost revenue, consumer disruption, consumer confidence in the broader system, regulation - the list goes on). For the consumer who is often made whole by 0% liability benefits, there seems to be a sense that the responsibility for data security belongs solely to the banks, merchants and the organizations that hold their data. In order to change that, the consumer's attitude towards their own data and privacy must undergo fundamental change. I just wish I knew how to accomplish that.
Posted by KThome | Thursday, January 07 2016 at 4:10PM ET