The global pandemic has accelerated the use of digital services and capabilities in all industries and sectors. An increasing number of organizations are rapidly adopting and implementing digital solutions to serve their customers' and employees' needs. In Canada and globally, banks have quickly shifted their operations to support a surge in digitally-enabled sales, servicing, and support functions.
This rampant digital adoption brings forward a set of concerns relating to customer and employee interactions' safety and security. Recent attacks involving fraudsters using login credentials obtained through credential-stuffing highlight that most users end up re-using their usernames and passwords across multiple websites. “These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people re-use passwords and usernames across multiple accounts.” Most organizations have generally taken a stance of enforcing strict password policies; however, there is no certainty that the same combination is not used elsewhere. This highlights the increased need to tighten customer and employee authentication to make it more secure, especially as digital adoption further accelerates.
Most Canadian financial service providers rely on a combination of username, password, personally verifiable questions, and SMS/email-based authentication schemes to provide a layered approach to security. This is called Multi-Factor Authentication (‘MFA’), which uses two or more verification factors to validate the individual as the trusted user and allow access to the required online property or service. To add additional layer of protection, customers are often asked to select and choose a set of personally verifiable questions (‘PVQ’), which they are required to answer in certain scenarios.
Some institutions also use a One-Time Pin (‘OTP’) as a security layer, which is sent to a customer via SMS or email and must be entered on-screen as a verification method.
We, at Capco, believe that these types of MFA are the least secure. Evidence shows that the answers to PVQ can be easily obtained through social engineering. More importantly, once an attacker has obtained the username and password, they can easily change the PVQs, unless some form of a security challenge is required to initiate the change. Moreover, through a combination of social engineering, and a technique known as sim-swapping, where a victim’s mobile number is ported onto a new sim-card, fraudsters gain access to the SMS, and the OTP that is sent to the victim’s mobile number. Combining this with the compromised username and password, a fraudster can successfully take over several elements of one’s digital identity, including gaining access to their online banking credentials. The premise of relying on PVQ and OTP capabilities using email and SMS is not enough and slowly becoming obsolete. These legacy approaches impose a significant risk for the end-user.
We believe that using an app-based token or a hardware-based approach, which is an added layer of security, is a safer and robust approach to addressing many of the challenges and risks posed by conventional authentication mechanisms. An app-based or hardware-based approach involves using a Mobile App or a Hardware Security Key as a secure authentication element. It is harder for fraudsters to gain access to an account as they would need the customer’s password and their device or hardware. Further, an app-based authenticator uses encrypted communication, making it impossible for fraudsters to steal the code on the app.
We also believe that authentication measures should not be limited to the initial authentication process alone. In fact, our recommendation for financial service providers (‘FSPs’) such as banks, insurers and credit unions would be to take a methodical approach to step-up authentication across key account activities. Activities that involve changes to a customer’s profile and preferences, electronic transfers or payments, and addition or changes to payees are deemed highly sensitive. These sensitive activities impose the biggest risk, as they enable fraudsters to quickly deplete the available funds from the account through various mechanisms. These are the types of transactions and activities, which should be the focus for FSP’s to re-imagine and incorporate security as part of the user interaction.
In the digital age, financial institutions need to do more to incorporate MFA across a broader spectrum of their customer and employee journeys. Capco has deep expertise in the financial services industry and understands the end-to-end customer and employee experience and the various complexities of financial transactions. We recognize the importance of the optimal placement of security measures through a customer and an employee's lifecycle. We are here to help re-imagine and instill a true sense of simplicity and security that customers and employees are looking for in an increasingly digital world.