How RBC is using the PIN to poke at rising fraud

Consumers are less likely to share PINs with fraudsters, according to RBC executives.

The pandemic has made e-commerce more ubiquitous — and more dangerous — than ever, and Royal Bank of Canada is addressing this trend by stacking layers of security, including one that many might think outdated in the digital era: the PIN.

"We have taken different types of authentication and enabled PINs for the mobile device," said Peter Tilton, chief digital officer at RBC. "It's a simple customer experience, you tap your card on the phone and you're set."

RBC has upgraded its mobile app by combining card and biometric authentication with PIN verification, a move designed to increase security as fraud jumps in Canada. Canadians lost about $300 million from fraud in 2021, up from about $80 million in 2020, according to the Canadian Anti-Fraud Centre.

The Centre also reported that incidents of ID fraud targeting financial credentials nearly doubled between 2019 and 2020, from about 9,000 to more than 17,000, with 2021's final numbers expected to show another spike in ID fraud of about 100%. And 48% of Canadians reported an increase in fraud attempts since the start of the pandemic, according to RBC's 2022 Fraud Prevention Month poll. 

At RBC, Android users with Near Field Communication enabled on their mobile device can tap their debit card on their phone and input a PIN to authenticate. People who use iPhones can use Apple's biometric authentication to verify their identity, then enter a PIN. 

The addition of biometrics to vet the user via their phone uses something the user "has," along with passwords and a PIN, two items the user "knows" to support user identity. It's also a move beyond knowledge-based questions that Tilton said require more work for the user. 

RBC plans to use enhanced PIN verification to validate consumers for payments and a variety of other use cases over the next few months. The first released service is password resets. Users will see an option on RBC's app to reset with "Client Card PIN." (Client card refers to the debit card.) The user confirms a PIN, then enters a new password.

"We have had PINs for years. Consumers use them for all sorts of everyday transactions," Tilton said, adding the familiarity with PINs should reduce the friction of an added security step, and mitigate social engineering attacks that trick users into turning over personal information. "A PIN is a well-known asset and not something that consumers are likely to share as much as other information," Tilton said. 

The use of a mobile device for PIN-based authentication is often referred to as "PIN on mobile." 

PIN on mobile technology is traditionally used to enable smartphones or other "off the shelf" devices to accept contactless card payments. For small merchants, it's a less expensive option than traditional point-of-sale terminals. Using PIN on mobile to change mobile banking passwords and to support other use cases required an IT project that lasted several years, according to Tilton.

As in many markets, digital payments are on the rise in Canada. Converted to U.S. currency, digital payments jumped from about $60 billion in 2019 to $73 billion in 2020 and $100 billion in 2021, and are on pace to pass $122 billion in 2022, according to Statista, which projects the volume to pass $200 billion in the next three years.

The portion of digital payments that includes mobile point of sale transactions, which often use PIN on mobile for authentication, is expected to double between 2019 and 2022, jumping from about $15 billion to $32 billion, according to Statista, which converted Canadian currency to U.S. dollars in its chart. 

As consumers and merchants access more use cases for digital payments, the need to expand fraud risk controls will also increase, RBC argues.

"The more complex the payment services get, the more you need to step up the authentication," said Ramesh Siromani, senior vice president of transformation and enterprise payments at RBC. "PIN on mobile is a way to get at that."

The use of PIN on mobile is a largely effective way to boost payment security, according to Julie Conroy, head of risk insights and advisory for Aite-Novarica, who added that she has not seen a lot of bank usage of this specific combination of a payment card, PIN and mobile app.

"It would still be susceptible to friendly fraud. A caregiver or family member could obtain all of this information," Conroy said. "But this approach would be effective against the highly scaled attacks we see coming from organized crime rings."

As RBC expands to other stepped-up authentication use cases, it could also add 3-D Secure for a card-not-present authentication method, Conroy said. 

3-D Secure is a protocol that governs added authentication at the point of sale, a process that has been streamlined over the past several years to reduce consumer friction. The protocol includes data that the consumer's card issuer accumulates, such as IP address, device type and mailing address, to authenticate cardholders in real time at the point of purchase. Writing for American Banker, Yitz Mendlowitz, CEO of the security technology company Paay, said 3-D Secure can reduce chargebacks and mitigate friendly fraud.

RBC did not answer questions on friendly fraud, 3-D Secure and plans for markets outside of Canada.
