Biometric signatures represent a real and cost effective alternative for authentication of an individual within a transaction

KeCrypt Systems Ltd

Banks that continue to deploy channel-specific security solutions will see customers migrating away from self-service, according to a Gartner prediction of August 2005 looking at “The Impact of Authentication on Self-Service and Web Banking”.

This finding was confirmed in May 2006 by a study conducted by Vanson Bourne for LogicaCMG, which showed that 57% of people would be more likely to change their current account provider if all it took was an identity card and a biometric to establish and prove identity.

The study spanned seven European countries and in Germany the average increased to 64%. LogicaCMG says the research shows that the introduction of biometrics could lead to much greater consumer confidence in switching between bank accounts and other financial products.

Banking customers are being asked to remember greater numbers of more complex security details. However, with the banks and card issuers all having separate security solutions there is a strong risk that customers will stop interacting with cost effective self-service facilities.

Furthermore, customers see daily evidence that security authentication methods deployed by the banks and card issuers are open to increasing levels of fraud.

The introduction of Chip & PIN, although difficult for some sectors of the community, was heralded as necessary in the fight against credit card fraud. During its first six months of introduction in the UK, credit card fraud fell by 13% compared to the same period (to the end of June) the previous year.

However, during the same period Card Not Present fraud (that is, Internet and telephone purchasing) rose by 29%. Serious flaws in Chip & PIN have been exposed and, for example, Shell petrol stations had to suspend Chip & PIN payments from 600 of its UK garages after more than £1m had been defrauded from customers' accounts; whilst Tesco is changing the casings of its 2,000 ATMs to stop criminals from attaching skimming devices.

Deloitte's 2006 Global Security Survey of financial institutions found that 41% of respondents had identity management as a top priority for 2006, describing identity theft as "one of the crimes of the 21st century". Over 58% of Deloitte's respondents accepted that they will be focussing on identity theft and account fraud in 2006.

Whilst financial institutions are waking up to the potential bad publicity related to such security breaches, it is the headlines rather than financial loss which are driving them to implement change.

Facts and Figures behind Fraud

2004 Figures from the Association for Payment Clearing Services (APACS)

  • There were 66.8 million debit cards held by 20 million card holders.
  • There were 57,000 cash machines in the UK, 60% of which are owned by banks and building societies.
  • Cash machines dispensed £161.3 billion in 2004 in 2.53 billion cash withdrawals.
  • There were 74.3 million credit/charge cards in issue to 30.6 million cardholders.
  • One in every three people has been a victim of card fraud.
  • Total spending on plastic cards outstripped cash spending for the first time ever in 2004.
  • The number of transactions on all types of card reached 8.3 billion, totaling £463.9 billion.
  • An incidence of card fraud takes place on average every 8 seconds in the UK, with around £1.4m lost every day, totalling £504.8 million in credit card fraud in the UK.
  • Fraud on lost or stolen cards totaled £114.4 m.
  • Counterfeit card fraud £129.7m.
  • Plastic card spending online grew by 27% to more than £16 billion. 11 pence in every £1 spent on credit cards was over the Internet.
  • The biggest fraud type in the UK is card-not-present fraud, which cost £150.8 million.
  • More than £16 million was paid out by the card industry in rewards to retail staff who retained cards that were being used fraudulently.

Business Fraud

"The cost of fraud to businesses is difficult to estimate because not all fraud and abuse is discovered, not all uncovered fraud is reported, and civil or criminal action is not always pursued.

A conservative estimate of the cost to organizations is approximately six percent of annual revenue, or over $400 billion annually (Association of Fraud Examiners 1999). During 1995 and 1996, fraud and abuse accounted for over $9 per employee per day, assuming a 365 day year.

These are only estimates of the direct economic loss to business. However, legal, accounting, and increased insurance costs, and loss of productivity associated with hiring and firing employees, are additional factors that must be considered.

To quantify all these indirect costs is beyond the scope of this paper, but most experts agree that companies usually suffer similar losses and organizations are paying for them through their normal operating expenses.

Data show that the overall cost of fraud is over double the amount of missing money or assets." (Farrell, Barbara R. and Joseph R. Franco. 1999. "The Role of the Auditor in the Prevention and Detection of Business Fraud: SAS No. 82." Western Criminology Review 2/1.)

Even though business fraud is not statistically gathered and released like credit card fraud is by APACS, we still see regular evidence that it occurs.

A bank manager carried out a £21m fraud on his employers as they named him business manager of the year. - Donald Mackenzie, 45, admitted in the Edinburgh High Court to taking loans over five years up to March 2004 from the Royal Bank of Scotland by fraud. (BBC Report 6th June 2006)

Authentication Approaches

Why are the banks and card issuers not taking more urgent action in deploying better authentication across the full range of their services? It is probably because the level of fraud is so small in comparison with the volume and value of transactions taking place.

A Gartner report (Complementary Security Methods Reduce Fraud and Strengthen Authentication, October 2005) states that "At about $15 per token per year in direct costs, some authentication technologies (for example, dedicated hard one-time password tokens) can cost more to issue and maintain than the cost of the fraud losses."

However, if this response from the banks and card issuers continues then either their costs will rise because customers will reject self-service in favour of 'face to face' transactions, or customers will switch to banking institutions that offer consistent authentication across their full range of services.

Banking customers also include online merchants.

The structure of online merchant agreements has historically meant that the merchants, not the banks, have covered the cost of Card Not Present fraud.

These banking customers will drive the banks and card issuers to provide a solution, to retain the growing online transaction revenues.

The first movers in offering a solution may well benefit from merchants transferring their banking business.

3DSecure
3DSecure was proposed by Visa and endorsed by MasterCard. It has been launched as Verified by Visa and SecureCode from MasterCard. Adoption by merchants shifts the cost responsibility for Card Not Present fraud onto the issuing banks.

The system requires customers to register a user name and provide other memorable data to the bank, plus another password that is entered upon request.

The registration is a one-off task but has to be repeated for each payment card. Clearly attacks can be made through phishing and social engineering. The additional passwords could readily drive online customers away.

KBA
So should banks continue to use Knowledge-Based Authentication (KBA)? These continue to be used with specific data known to the banks (e.g. past transactions), public record data that customers would know (e.g. mother's maiden name), or specifically requested data (e.g. favourite film, etc.).

Customers are overburdened by such questions and the questioning doesn't lend itself to an enjoyable purchasing experience. Further, it can easily be attacked by fraudsters. So as a supplement to passwords, Knowledge-Based Authentication is of little benefit to security, but significantly adds to customer frustration.

Out-of-Band Authentication
This is the use of other devices not connected to the customer's PC, for example their mobile phone, PDA, Smart Card Reader, or other token. These can deliver/provide One-Time passwords or PINs to be used for the transaction.

This strengthens the authentication because it is more difficult for a fraudster to be the Man In The Middle, although it is vulnerable to 'fly phishing'. 'Customers least prefer using another device for authentication' (Gartner - Complementary Security Methods Reduce Fraud and Strengthen Authentication - October 2005).

PC Connected Card Readers and Tokens
Smart Cards can be used with card readers, or USB tokens with an embedded smart chip, to hold customers' authentication credentials. These could be digital signatures, or the EMV (Europay, MasterCard and Visa) Chip Authentication Programme (CAP) for One Time PIN generation.

All these devices are subject to loss or theft and are a greater liability because they contain more user authentication credentials than a standard plastic card.

Biometrics
Biometrics held on the smart card or token device are the only form of customer credential that renders loss useless to fraudsters. There are a number of objections put forward:

  • Cost - however, banks and card issuers face greater cost if people turn their backs on online banking and online transactions
  • User acceptability
  • Security robustness (e.g. protection against forgery)

For banks to really respond to customers wanting protection against Identity Theft, they may have to resort to 'In Branch' Knowledge Based Authentication for initial registration. At the very least, registration needs to be as strong as the other links in the secure transaction chain.

Transaction Intention
Strong authentication leads on to non-repudiation. Did I the customer actually intend to make that transaction? Did I realise that pressing the OK button was releasing my 'digital signature'? Did I intend to put my finger on the token, or was it forced there, or placed there from a lifted latent fingerprint?

A person's signature has historically been the traditional method of demonstrating intent.

  • Isn't a signature easily forged?
  • Isn't that why we have Chip and PIN?

The image of a signature can be easily recreated to fool the average person checking. However, the way we sign is very difficult to forge. The acceleration, velocity, pressure and time we take all make it very difficult to forge, even if someone has an image of your signature to copy or observe you signing.

Signing demonstrates intent - strong authentication and non-repudiation. The banks and card issuers can offer this biometric solution now to their customers.

The cost of not doing so will lead to greater customer frustrations and consequently a possible rejection of online banking and online transactions.

Alternatively, for the smart financial institution, the adoption of a simple and secure technology such as biometric signatures will attract new customers and ensure the allegiance of existing customers, all of whom seek the convenience of self-service coupled with the right level of security.

KeCrypt Signature Authentication
To electronically identify an individual via their signature, KeCrypt has a patented biometric signature technique that analyses a signature by invariant dynamics, rather than by comparison with a recorded set of spatial relationships.

This means the analysis is done dynamically on the way the signature is written (speed and pressure, for example) and not by comparison with a recorded image.

This has the following advantages over other techniques:

  • No signature template data is held, hence the process cannot be reversed and a signature cannot be replicated.
  • Language independence.
  • Highly scalable - with low demands on a host computer system, as templates do not have to be encrypted and managed.

This means that identity information can be stored on a smart card with no fear that the signature could be recreated and large computer infrastructures are not needed to implement the KeCrypt solution.
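The following is an added illustration of the point made above and under Transaction Intention: that dynamics (speed, acceleration, pressure, duration) separate a genuine signing from a traced copy of the image. It is not KeCrypt's patented method, and unlike the KeCrypt approach it keeps a simple feature template for comparison; the pen samples and tolerance are constructed for the example.

```python
# Illustrative dynamic-signature comparison (constructed data, not KeCrypt's method).
import math

# Each pen sample is (x, y, pressure, t_seconds); the data below is constructed.
GENUINE = [(0, 0, 0.5, 0.0), (10, 5, 0.6, 0.1), (20, 0, 0.7, 0.2),
           (30, 8, 0.6, 0.3), (40, 0, 0.5, 0.4), (50, 6, 0.6, 0.5)]
# Same person, same shape, written about 10% slower and a little harder.
GENUINE_RETRY = [(x, y, p + 0.05, round(t * 1.1, 3)) for x, y, p, t in GENUINE]
# Traced copy of the image: identical points, but slow, even strokes and light
# pressure. An image-only comparison could not tell this apart from GENUINE.
TRACED_FORGERY = [(x, y, 0.3, round(t * 3, 3)) for x, y, _, t in GENUINE]


def features(samples):
    """Return (duration, mean speed, mean |acceleration|, mean pressure)."""
    if len(samples) < 3:
        raise ValueError("need at least three pen samples")
    speeds = []
    for (x0, y0, _, t0), (x1, y1, _, t1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("timestamps must strictly increase")
        speeds.append(math.hypot(x1 - x0, y1 - y0) / dt)
    # Change in speed between consecutive segments, over the time between their midpoints.
    accels = [abs(speeds[i + 1] - speeds[i]) / ((samples[i + 2][3] - samples[i][3]) / 2)
              for i in range(len(speeds) - 1)]
    duration = samples[-1][3] - samples[0][3]
    pressure = sum(p for _, _, p, _ in samples) / len(samples)
    return (duration, sum(speeds) / len(speeds), sum(accels) / len(accels), pressure)


def rel_diff(a, b):
    """Relative difference, guarded against division by zero."""
    return abs(a - b) / max(abs(a), abs(b), 1e-9)


def verify(enrolled, attempt, tolerance=0.25):
    """Accept only when every dynamic feature is within `tolerance` of enrolment."""
    return all(rel_diff(e, a) <= tolerance for e, a in zip(enrolled, attempt))


if __name__ == "__main__":
    ref = features(GENUINE)
    print("genuine retry accepted:", verify(ref, features(GENUINE_RETRY)))   # True
    print("traced forgery accepted:", verify(ref, features(TRACED_FORGERY)))  # False
```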

Online banking and online transactions can be authenticated using a smart card reader with writing pad. This verifies the owner of the card and transmits to the bank a One Time Transaction Code on receipt from the server of a valid digital certificate. Customers are protected against Man in the Middle Attacks.

The card generated One Time Transaction Code protects against 'fly phishing'. The signature used in the authentication process together with the site authentication by the card protects the customer and the card issuer against phishing.

Biometric signatures represent a real and cost effective alternative for the authentication of an individual within a transaction - how long can financial institutions continue to ignore such technologies?

Sources:

Deloitte: 2006 Global Security Survey
Gartner: The Impact of Authentication on Self Service and Web Banking, 2005
Gartner: Complementary Security Methods, 2005
Logica CMG: Vanson Bourne study, 2006

APACS: http://www.apacs.org.uk/resources_publications/key_facts.html

KeCrypt Systems
KeCrypt Systems Ltd is the UK's leading software security company focusing on Identity Management using proven, patented biometric signature technology.

KeCrypt Signature has already achieved considerable commercial success and is increasingly being adopted by application developers as their preferred security component.

If you would like more information, please contact KeCrypt Systems Ltd on 01438 791026 or sales@kecrypt.com.

For more on KeCrypt's history, development technology and Partnerships, please visit our website at www.kecrypt.com
