Internet Banking and Multi-Factor Authentication

[I]t all boils down to one key distinction: which credentials can be hacked and which cannot. A one-time code is a human-readable, transferable identifier, which means it can be phished and used to steal accounts in the same way as passwords. Multi-Factor Authentication via [mobile phone text messaging] is an easy compliance option for banks and distributors under strict regulations like PSD2 [a European regulation for electronic payment systems], but this approach can and must change. Regulatory changes take longer than industry awareness, but mindsets are likely to change over the next year. --Andrew Shikiar, “FIDO Alliance Predictions 2023” [1]

In its 2020 Survey of Household Economics and Decisionmaking (SHED), the Federal Reserve Board staff asked consumer participants about problems they experienced in their banking and credit activities. “Overall, 29 percent of adults said they experienced at least one of the five problems asked about. The most common problem, fraudulent transactions, affected 16 percent of adults. This was followed by unexpected fees (11 percent) and customer service delays or problems (8 percent). The remaining issues, closed accounts and credit limit reductions, were less common, affecting fewer than 1 in 20 adults.”[2]

Notably, all demographic groups identified fraud as the leading problem they face, with higher-income respondents identifying fraud as their biggest issue at a higher rate than lower-income respondents. With pressure from Congress and bank regulators growing, the industry is weighing changes to its practices governing customer reimbursement for fraud losses. In candid moments, bankers acknowledge their dilemma. They depend on customers’ trust. Yet nothing breaks trust more quickly than fraud or other loss of money from accounts believed to be safe.

Adverts for mobile banking tout convenience and ease of use. Yet those attributes and customer ignorance about loss prevention make fraud artists’ work child’s play. Previous posts to this blog covered P-to-P payment system fraud (November 7) and the rise of generative artificial intelligence as a threat to security systems used by the financial services industry (September 12).

Despite near-universal use of two-factor authentication, cybersecurity professionals like the above-quoted Andrew Shikiar say more is needed. He is executive director of the FIDO Alliance, a non-profit organization that seeks to standardize authentication at the client and protocol layers. He writes, “Smishing, or text phishing, saw massive growth in the second half of 2022, and it should continue to invade our notifications next year. Additionally, these attacks could become even more difficult to spot as criminals refine their techniques. The proliferation of personal data available online, along with improved AI and tools for extracting that data, will make these attacks more convincing and fool even those who think they are well-informed. The silver lining: As smishing spreads, consumers will trust [smart phone text messaging] as a communication channel less, clearing the way for service providers to adopt other tamper-proof authentication methods.”

His argument is the gist of our September 12 blog entry. Many software developers herald biometric authentication as the next wave of security technology. Comparing users’ fingerprints, face scans or voiceprints to on-file customer data for those biometrics is offered as the most secure authentication tool available. We recently spoke with the head of a voice-recognition company that evolved from U.S. government-sponsored activity in that field at Carnegie Mellon University. The company’s systems build on linguists’ decades of work cataloging and classifying languages throughout the world, including regional and local variations. For example, the Dictionary of American Regional English (DARE) [3] is a compendium of word usage, dialects, and grammar from which it is possible to identify American speakers’ demographic profiles. Linguistic scholars including my father have contributed to DARE’s development since the 1950s.

Hurdles to adoption of biometric authentication include the lack of agreement on which biometrics to use, the cost and time needed to build reference databases, and the scale and complexity of the U.S. legal system, including the need for a statutory means to allocate losses when the inevitable database breaches occur. In other aspects of data security for financial services, Europeans have advanced further than Americans.

Sweden’s banks and government created BankID in 2003 as a secure e-ID at a time when Sweden led the European Union. BankID can be used for identification when traveling within the European Union, as well as to enable secured financial transactions including filing tax returns. Eight million Swedes have a BankID, three-quarters of the nation’s population.[4]

Great Britain’s TSB Bank in 2019 began offering customers a “Fraud Refund Guarantee.” The bank’s website says, “This [product] is a first in UK banking and it goes further to cover TSB customers against fraud than anything that has come before it. At other banks, on average only 47% of stolen money is refunded to fraud victims. Under our fraud refund guarantee, we refund 98% of claims.”[5] The maximum guaranteed amount is £1 million.

Europe’s Payment Services Directive 2 (PSD2) requires Strong Customer Authentication (SCA). Account users must authenticate their identity with at least two of three factors: something you own (e.g., a mobile phone), something you know (e.g., a password) and something you are (e.g., biometric data). The authentication factors must be independent of one another, so that compromise of one does not compromise the others. U.S. banks, Mastercard and VISA have adopted the same standard, referred to in the U.S. as 3-D Secure 2.0. Industry professionals, however, remain divided as to whether two-factor authentication is sufficient and what forms it should take, as reflected in Andrew Shikiar’s comments at the top of this column.
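The following is an added illustration, not code from the post or from any bank or the FIDO Alliance. It models two points made above: the PSD2 rule that two credentials only count as two factors when they come from distinct, independent categories, and Shikiar’s distinction between a one-time code (a transferable value that verifies identically whether typed at the bank or relayed through a look-alike page) and a FIDO-style assertion that is signed together with the site origin the browser saw. The factor table, the secret and the HMAC stand-in for an authenticator signature are constructed simplifications, not the real WebAuthn format.

```python
"""Constructed model of PSD2 SCA factor independence and of origin-bound
authentication versus a relayable one-time code. Not a real WebAuthn implementation."""
import hashlib
import hmac
import json

# Factor categories as described for PSD2 Strong Customer Authentication.
FACTOR_OF = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_otp": "possession",
    "fido_key": "possession",
    "fingerprint": "inherence",
}


def meets_sca(methods):
    """True only if the methods span at least two distinct categories.
    A password plus a PIN is still a single factor (both are 'knowledge')."""
    categories = {FACTOR_OF[m] for m in methods}
    return len(categories) >= 2


# Hypothetical per-credential key shared by the demo verifier and authenticator.
DEMO_SECRET = b"constructed-demo-secret"


def verify_otp(code, expected_code):
    """An OTP carries no record of where the user typed it: a code relayed
    by a phishing page verifies exactly like one typed at the bank's own site."""
    return hmac.compare_digest(code, expected_code)


def make_assertion(challenge, origin_seen_by_client):
    """Stand-in for a FIDO assertion: the authenticator signs the server's
    challenge together with the origin reported by the browser."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_client})
    sig = hmac.new(DEMO_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(assertion, challenge, expected_origin):
    """The bank accepts only an assertion whose signed origin is its own, so a
    signature obtained by a look-alike site cannot be replayed against the bank."""
    expected = hmac.new(DEMO_SECRET, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expected):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge and data["origin"] == expected_origin
```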

As internet banking was born, the Federal Reserve Bank of New York in March 2000 issued a white paper, “The Emerging Role of Banks in E-Commerce.”[6] Two-plus decades later, the paper’s assessment seems one part spot-on and another part naive. “Banks are also planning to offer a product that would protect e-commerce participants against fraud arising from the misrepresentation of identities. Using encryption technology, each bank would certify the identities of its own account holders and serve as the intermediary through which its account holders could verify the identities of account holders at other banks. In this way, both sides of an e-commerce transaction would have some assurance that they were not dealing with an impostor.”

We may get to that promised land someday. For now, though, internet financial services remain a world where consumers too often do not understand the risks they are taking until it is too late.

[1] https://www.globalsecuritymag.fr/Predictions-2023-de-l-Alliance-FIDO.html

[2] https://www.federalreserve.gov/publications/2021-economic-well-being-of-us-households-in-2020-banking-and-credit.htm (emphasis added).

[3] https://www.daredictionary.com/

[4] https://www.bankid.com/en/

[5] https://www.tsb.co.uk/Fraud-Prevention-Centre/Fraud-Refund-Guarantee

[6] https://www.newyorkfed.org/medialibrary/media/research/current_issues/ci6-3.pdf