Australian banks finally began introducing tougher authentication over the past few years, and are now making their first forays into biometrics. But Shaun Drummond finds they are responding more to customer inconvenience and perceptions of risk than to actual losses.
In Steven Spielberg’s Minority Report, set in 2054, iris scanners are the identity verifier of choice – for employer and product marketer alike.
But various forms of biometrics are already being used, albeit for limited applications. Iris scans have been used to replace passport checks in British airports for several years now and the NSW Police Service is planning to introduce mobile fingerprint checks from next year.
Colin Whittaker, the head of security at the UK Payments Association, is unconvinced, however, that customers are going to be asked to present body parts to withdraw or transfer cash any time soon. He says biometrics’ primary application should be to establish identity in the first place, which is usually done by government departments.
“We see the value and the importance in government carrying out biometric enrolment and registration for the critical identity documents that society relies upon to make trust and risk decisions,” he told Risk Management. “It is highly unlikely that financial institutions would accept to enrol biometrically their entire customer segment, but they would do so in specific use case scenarios.”
The most practical scenario so far is voice recognition, which has been used for several years in government departments requiring high levels of authentication for access to sensitive documents. St George Bank also uses voice biometrics for issuing and resetting internal passwords and at least one bank in Australia is now trialling the technology for its customers, according to vendor VeCommerce.
With some exceptions, the tougher “two-factor” methods now being implemented by the banks are mainly for high-value or higher-risk transactions, such as transfers to external accounts. The most common so far usually involve giving customers a token that generates random passwords synchronised with the bank’s server, or – a cheaper option – just sending an extra code via SMS to a mobile phone, which lasts only a short period.
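As an added illustration (not code from the article or from any bank's system), this is how the two mechanisms just described are typically verified on the server side: a token code derived from a shared secret and the current time step (RFC 4226/6238 HOTP/TOTP, with a small tolerance for clock drift, which is what keeps token and server "synchronised"), and a short-lived, single-use SMS code. The secret used at the bottom is the published RFC test-vector value; the SMS record layout is an assumption for the example.

```python
import hashlib
import hmac
import secrets
import struct


# HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated to N digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# TOTP (RFC 6238): the counter is Unix time divided into 30-second steps, so a
# token with a reasonably accurate clock produces the same code as the server.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, now // step, digits)


def verify_token_code(secret: bytes, code: str, now: int,
                      step: int = 30, drift: int = 1) -> bool:
    """Accept the code for the current step or +/- `drift` adjacent steps (clock skew)."""
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(totp(secret, now + k * step, step), code):
            return True
    return False


# SMS code: random, expires after `ttl` seconds, and may be used only once.
# The dict layout (code / expires / used) is an assumption for this example.
def issue_sms_code(now: int, ttl: int = 300, digits: int = 6) -> dict:
    code = str(secrets.randbelow(10 ** digits)).zfill(digits)
    return {"code": code, "expires": now + ttl, "used": False}


def verify_sms_code(record: dict, code: str, now: int) -> bool:
    if record["used"] or now > record["expires"]:
        return False
    if not hmac.compare_digest(record["code"], code):
        return False
    record["used"] = True  # burn the code so a replayed SMS is rejected
    return True


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret
    print(totp(seed, 59))  # 287082 (6-digit form of the RFC 6238 SHA-1 vector)
```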
VeCommerce CEO Paul Magee suggests that these and other one-factor authentication techniques – referred to as “something you know” – could be replaced by or used with two-factor authentication – ie “something you have”, such as a phone, be it a mobile, landline or VoIP phone. (Biometrics is thought of as three-factor because it involves “something you are”.)
Fraud rates, however, remain low in Australia compared to Europe and the US, with the latest survey from the Australian Payments Clearing Association (APCA) finding Australia’s rate of payment card fraud in 2007 was still less than a quarter the UK’s at only 28 cents in every $1000.
Online fraud is on the rise, however. Rob Goldberg, a partner at KPMG, says moves to invest in these extra authentication methods, after a long period of relying just on account number and password for online transactions, are driven largely by more online fraud, high-profile data breaches and security-based competition, both local and global.
In combination with much more visible attempts to steal access codes via phishing, Goldberg says banks here don’t want to be seen as the weak link in a global banking system, with lower standards than their offshore counterparts.
Magee, however, thinks banks at the moment are responding more to customer inconvenience, privacy concerns and perceptions of heightened risks due to much more public attempts to access private data.
“For people in the contact centres who are trying to identify customers, half of their time is spent identifying people and half actually doing what the consumer wants. Finally, [there are] security issues,” he says. “People are making decisions based on their perceived and real sense of security.”
The newly merged Bendigo and Adelaide Bank is now implementing a system that will ask its customers for differing levels of authentication based on a range of risk factors, including the amount being withdrawn or transferred and where the request is coming from.
Paul Dewsnap, Head of Information Risk and Governance at the bank, says stronger authentication has to be allocated according to risk, or the bank is unlikely to achieve an adequate return on investment. One of the chief risks, however, is that a security measure will simply turn customers away, so choice must be provided. He says this must always be balanced with maintaining confidence in online banking.
“Tokens were a tactical response to a growing threat. It did its job, it was very expensive. When you look at the true cost of ownership; I’d like to see the equations on that,” he says.
“But it is also about inspiring confidence in your consumer market. We let that channel rot, and there’s fraud and there’s [too] much concern about; we’ll go back to banking in branches. And no one in the banking community, and I’m sure no one in the community, wants to, because of the cost and the inconvenience.”