Biometric authentication can prevent fraudulent transactions
According to a recent report by Financial Fraud Action - the industry's anti-fraud body in the UK - 1.9 million cases of financial fraud were reported in 2016, a yearly rise of 2% at a total cost of £769 million.
"The challenge is that online banking is more pervasive now than it has ever been," explains James Stickland, CEO at Veridium, a biometrics authentication company. "Online transactions are quadrupling and the use of cash continues to diminish. As everything becomes more digitalised, fraudsters sense new opportunities. Banks are a huge target."
The growing prevalence of online fraud and cybercrime has propelled the issue to the boardroom over the past few years. "It has become a top-five agenda item for every board of every bank," Stickland says. "I was previously responsible for global IT strategy at a major financial services company and the security spend had the highest year-on-year increase compared with any other part of the company when I was there."
Most of the attacks on banks and customers are relatively simple. Many involve decades-old confidence scams and familiar cyberattacks that exploit common security weaknesses.
"When you look at fraud and cyberactivity over the past few years, we have had swathes of things like denial-of-service attacks," says Stickland. "This happens when you throw large volumes of content at firewalls to try and find a weak point, and bring networks down. Even the recent ransomware attack was down to the National Health Service having a bunch of unpatched systems that weren't updated. Hackers can find an easy way in."
The reason banks are struggling to cope, according to Stickland, is that despite technology having transformed the way consumers and businesses interact, from a security standpoint, little has changed. "25 years ago, we were securing our devices using passwords and user IDs," he notes. "25 years on, we are still securing those devices with passwords and user IDs."
Banks do try to encourage better behaviour from consumers when it comes to the strength of their passwords. "We change them frequently; we set policy rules so that every few weeks you have to change your password; and we say that you need to use capital letters and control characters," he says.
But the effect of this can often be counterproductive, he warns: "It makes it more complicated to remember. We are all busy. We are not waking up first thing in the morning with our brand new passwords at the top of our heads. That means the average human tries to make their password as simple as possible so they can remember it. By forcing them to change every six to seven weeks, you end up making the password far simpler and customers more vulnerable. In other words, we drive an outcome that is counter to what we are trying to achieve. In the end, passwords are just an outdated way of securing anything, and bank accounts are a great example of that."
While security tokens and two-step authentication have improved security, they are also problematic, Stickland says. "They are massively complicated, particularly if you have multiple tokens," he explains. "Very recently, I met a treasurer who was working in 20 countries and had 20 tokens on him for his bank account access. He looked like a janitor pulling out 20 keys."
Biometrics to the rescue
For banks, the ideal solution to these problems is finding a way to combine security and ease of use. "What we are trying to do is create an environment where the user experience is simplistic and non-intrusive while at the same time making it highly secure," Stickland explains.
When used properly, biometrics offer exactly that solution. "We are huge proponents of biometrics because they validate who you are," he says. "You can use your fingerprints, face, voice, iris, user behaviour, even blood."
"Take the McDonald's incident as an example. In that case, the company's Twitter account posted a comment about Donald Trump having small hands. Maybe it was a hack. But maybe it was a disgruntled employee who thought that he is a bad president and wanted to write something about it. Validating a legal non-repudiatory action with biometrics is the only way to actually know that. If every Twitter handle execution used some degree of biometrics, I could validate who the trolls are by person and which people are being compromised."
With so many biometric products being produced, how should banks choose between them? "I think biometrics choices should always be relevant to the circumstance," Stickland says. "Voice, for example, is a great biometric choice for certain times and locations, but not so great for others. If you are just looking to validate who you are because you want to take a look at the summary of your bank account, it might be right. But if you are in the cinema enjoying a film, obviously, it won't be the right choice. You might also have to disregard it because voice does not have the right level of depth of legal non-repudiation."
The speed of change in the biometrics space also poses problems for banks looking to invest. "I used to work in IT strategy, and we would spend a long time making IT decisions and applying technology that was instantly outdated because as soon as I would make the tech decision, something else came along that was faster and better," he says.
An integrated platform
To tackle these problems, Veridium has created a biometric authentication platform designed to support multiple biometric modalities. "What we wanted to do was build up a platform that all of these different biometric solutions could plug into," Stickland explains. "We want to offer a spine that allows an enterprise such as a bank to keep in front of the market in terms of its consumption and adoption of new technology. When you buy our platform, you buy an open-source backbone - a single authentication spine that allows you to plug in all the relevant biometrics."
As things stand, Veridium has four biometric choices on its slate: facial recognition, a periocular solution, a user-behaviour capability and '4 Fingers', a new fingerprint technology that involves four fingerprints being scanned simultaneously using proprietary computer vision technology.
"4 Fingers is a unique product that allows us to build images of your fingers, and provide a level of precision and reliability that no other biometric can achieve," Stickland says. "Facial recognition is great, for example, but it is more readily 'spoofable' because of the accessibility of images of individuals. We are leading with 4 Fingers because we think it is as secure as you can get and it is recognised as a legal non-repudiation form of authentication."
4 Fingers can also be deployed without significant investment in additional hardware. "We tried to choose technology that was readily available in the marketplace," he explains. "We didn't want people to have to buy and carry new hardware around with them. In this circumstance, we use five-megapixel cameras in either a tablet or mobile phone. It is also operating-system agnostic."
Moving forward, Stickland says companies are working on ways to combine biometric security with new blockchain technology. "People are looking at different use cases, and wondering how they might use an authentication measure to assist and enable the blockchain," he adds. "At the front and back of those blockchains, there is a great opportunity for the industry to use biometrics to authenticate the input and output."
Although biometrics have yet to take off in banks, Stickland thinks the banking industry still stands to benefit as the technology moves into different aspects of our lives, from homeland security to nightlife venues.
"The widespread use of biometrics is driving maturity levels around people's consumption of technology, which is good for the industry at large," he says. "From a banking standpoint, user behaviour will start to become more prevalent and we will see lots of new technology coming out. It will be a standard consumption tool for many things, including logging into your bank account, moving money and validating your payments."