VASCO Data Security: A layered defence led by innovation - Scott M Clements

Once thought futuristic, biometrics is now becoming a familiar element in the layered security solutions that enable banks to make better use of the online and mobile channels that are so crucial to their growth. Scott M Clements, president and chief operating officer at leading supplier of esecurity solutions VASCO Data Security, explains how banks can benefit from the latest technologies.

Enabling access to online and mobile banking services is key to unlocking growth opportunities in the financial services sector because these channels can deliver enormous value through cost savings and growth in a bank's customer base. However, there are many who feel that these channels remain relatively untapped because of concerns about security breaches. Tech-savvy cybercriminals and fraudsters are eager to prey on the vulnerabilities created by the proliferation of connected digital devices and channels that modern banking customers use for financial transactions.

Therefore, it is no surprise that secure access and fraud prevention have become top priorities for financial institutions that are striving to deliver better service to individual and corporate customers in an increasingly competitive market. Mobile banking security must nevertheless be achieved without making unnecessary demands on users or making the customer experience less convenient. Regulatory compliance is, of course, essential and regulation is now driving growth in digital channels.

"The new payment services directive - PSD2 - accelerates the shift to digital banking through the requirement for banks to expose consumer accounts through APIs and due to the increased competitive pressure from the introduction of new service provider types in the banking value chain," says Scott M Clements, president and chief operating officer at VASCO Data Security. "Meanwhile, millennials, who account for the majority of new account openings, have a strong preference for banking through online and mobile channels with an expectation of ease and simplicity. This is shifting the methods of authentication towards mobile devices that can authenticate the user across multiple factors, many of which can be completely transparent to the user, with appropriate confidence levels."

Under lock and key

Currently, VASCO has more than 10,000 clients, including 1,700 international banking institutions. In fact, more than half of the world's top 100 banks rely on its products to secure online and mobile transactions. Clements joined VASCO a year ago with a brief to develop the company's forward strategy and guide its execution, which includes M&A activity, and he is also in charge of the company's emerging businesses.

Clements senses an opportunity for financial services providers to better exploit the opportunities in online and mobile services, in spite of fears of security breaches, because VASCO can offer proven anti-hack solutions that give banks a competitive edge. Biometrics solutions, including face recognition, are a key part of the next generation of tools.

"In general, biometrics is a low-friction source of additional factors of authentication that can be easily implemented in mobile device platforms. Consumer surveys show a preference for biometrics authentication including fingerprints and selfies, which is natural as many users unlock their phones with their fingerprint and millennials are the 'selfie generation'. There will be a variety of biometrics modalities that will, over time, be used to support authentication, and which exhibit different ease-of-use and security characteristics," he explains.

"Some are more focused on ease of use, such as fingerprint scans, and some deliver higher levels of security because they are more difficult to spoof, such as infrared iris scans. Some work in certain environments but not in others. For example, voice biometrics can work in quiet spaces but is less effective in noisy or public environments. So, there won't be one biometric that fits all users and situations, but over time, multiple biometrics modalities will be available on mobile devices that can be used to fit the required security level and ease-of-use demands. Banks can use passive biometrics in low-risk interactions but step up to more active biometrics approaches for higher-risk transactions."

Coordinating tools for complete security

One of the key advantages of biometrics systems is that they not only increase security but also simplify the user experience. They are far more convenient than passwords and other traditional authentication methods that require the user to know something secret or do something complicated in order to validate their identity.

"In the PSD2 world, user experience will be one of the very most important factors of differentiation and competition between service providers," says Clements.

VASCO offers a wide range of technologies for authentication and identity confirmation. Over the years, it has come up with innovative products such as CRONTO, which is a visual transaction signing solution that enables banks and other financial institutions to effectively counter increasingly sophisticated 'Trojan' and 'man in the browser' attacks. CRONTO presents a unique visual challenge using a graphical cryptogram consisting of a matrix of coloured dots displayed on the customer's computer screen. The customer uses a mobile phone camera or a dedicated hardware device to capture an image of this cryptogram, instantly decoding, decrypting and displaying transaction details for user verification.

"CRONTO increases security and simplifies authentication in a cost-effective and easy to use hardware product. We have also moved aggressively into mobile device and mobile application security and authentication with our DIGIPASS for Apps offering, which is a modular software development kit (SDK) suite that allows financial institutions and ecommerce companies to protect their mobile applications, and securely authenticate and transact with their customers," Clements explains.

"As we all know, mobile devices and mobile apps, though highly convenient, can be compromised by hackers through phishing attacks and other exploits. DIGIPASS for Apps and its runtime application self-protection (RASP) component protects a banking application and the user's confidential information even on a phone that has been infected. And DIGIPASS for Apps also securely incorporates multiple biometrics authentication modes to simplify a bank's implementation of biometric technologies," he adds.

A complete protocol

Biometrics systems will certainly play a big role in banks' security protocols in the future, but it is unlikely that they will be used in isolation. Solutions such as DIGIPASS for Apps and RASP will certainly go a long way towards improving end-point security, but other technologies will be vital in ensuring that banks and ecommerce companies are able to mount the best defence against potential fraud.

"With the typical institution interacting with millions of users, a layered defence is required. VASCO's IDENTIKEY Risk Manager helps institutions to detect abnormal circumstances when a user logs in or transacts. There are many reasons this can happen, not all of which are a result of hacking or fraud. IDENTIKEY Risk Manager can step up the security requirements and ask the user to take some additional steps to verify their identity, such as using one of the biometrics modalities. Business success requires security and a positive user experience, and smart fraud management tools like IDENTIKEY Risk Manager help banks to find that balance over time, and over a broad and heterogeneous customer base," explains Clements.

Customers increasingly expect their banks to be delivering these kinds of multilayered security solutions. They have become much more aware in recent years of the potential vulnerabilities of mobile devices, and they realise that the personal information they provide to service providers in healthcare, government and financial services is being compromised on an unprecedented scale.

"The horse is out of the barn. In this environment, security and privacy protection sells. Consumers want to know who they can trust to protect their information while getting a high level of service within a compelling user experience. Trust is the foundation. Fortunately, modern technology can simultaneously deliver security and a frictionless user experience. Institutions that lag behind in this area will be disadvantaged in growth and profitability. Innovative and frictionless security support a bank's brand message, especially for young technology-savvy consumers who have no interest in visiting bank branches," Clements observes.

Make it so

The next generation of bank customers will be even more tech savvy, and will have been brought up with online and mobile digital channels. In fact, Clements already sees digital as fast becoming the dominant channel for banking services. He believes that customers will show greater control over the information they choose to share, while also expecting solutions to be increasingly user-centric.

"Institutions that use technology to limit the transfer of personal information while meeting their regulatory requirements will have a competitive advantage. The anchor points of this future are, first, uniquely identifiable personal networks of smart mobile devices including wearables; and second, API-rich, flexible, cloud-based identity services that streamline interaction across the full customer life cycle including initial customer onboarding," he remarks.

VASCO is staying ahead of the curve with products like its recently acquired eSignLive cloud-based electronic signature offering for customer onboarding. It recognises that banks need to move quickly with digital solutions but not into uncharted territory.