Setting Out a Vision for Customer Authentication

We all know that "passwords suck", as my colleague Bob Meara stated clearly and succinctly in his recent blog. But what's the alternative – is the answer biometrics or something else?

We do believe that biometrics is part of the answer. However, our vision for authentication – security measures banks take when providing customers access to their services – is broader than that. Mobile devices will play a key role, but for them to be effective tools for authentication, a strong binding between customer identity and the device is essential – unless this step is done correctly, all subsequent authentication efforts are pointless.

We also contend that authentication must be risk- and context-aware. It should take into account what the customer is trying to do, what device they are using, how they are behaving, etc. and assess the risk of fraudulent behaviour. Depending on that assessment, the customer could either gain access or be asked to further authenticate themselves. And while biometrics can and will play an important role, the banks' authentication platforms need to be flexible to support different authentication factors.
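As an added illustration, not code from Celent’s report or from any vendor, here is a small Python model of the risk- and context-aware flow just described, with the customer-to-device binding check from the earlier paragraph feeding the score. The weights, thresholds, customer and device identifiers and behavioural scores are all constructed assumptions for the example.

```python
"""Risk- and context-aware step-up authentication (illustrative model).

Outcomes: "allow" (low risk), "step_up" (ask for another factor), "deny".
A device that is not strongly bound to the customer can never reach "allow".
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed enrolment data: per-customer device secrets agreed at binding time.
# In a real deployment the secret stays on the device (ideally in secure hardware);
# here both the device side and the server side are simulated in one process.
DEVICE_REGISTRY = {
    "cust-1001": {"phone-A": b"constructed-device-secret-A"},
    "cust-2002": {"phone-B": b"constructed-device-secret-B"},
}
HOME_COUNTRY = {"cust-1001": "GB", "cust-2002": "DE"}

# Constructed weights: what the customer is trying to do drives the base risk.
ACTION_RISK = {
    "view_balance": 5,
    "pay_known_payee": 20,
    "pay_new_payee": 40,
    "change_contact_details": 45,
}
ALLOW_BELOW = 30   # score < 30  -> allow
DENY_AT = 70       # score >= 70 -> deny, otherwise step up


def device_proof(device_secret: bytes, nonce: str) -> str:
    """What the bound device computes over the server's fresh challenge nonce."""
    return hmac.new(device_secret, nonce.encode(), hashlib.sha256).hexdigest()


@dataclass
class AuthContext:
    customer_id: str
    device_id: str
    nonce: str                 # challenge issued by the server for this request
    proof: str                 # HMAC returned by the device
    action: str
    amount: float
    country: str               # where the request appears to come from
    behaviour_similarity: float  # 0.0 = nothing like the customer .. 1.0 = typical


def device_is_bound(ctx: AuthContext) -> bool:
    """Strong binding: the device must be enrolled for THIS customer and must
    prove possession of its secret over the nonce of THIS request."""
    secret = DEVICE_REGISTRY.get(ctx.customer_id, {}).get(ctx.device_id)
    if secret is None:
        return False
    expected = device_proof(secret, ctx.nonce)
    return hmac.compare_digest(expected, ctx.proof)


def risk_score(ctx: AuthContext) -> int:
    """Combine action, device binding, location, behaviour and amount."""
    score = ACTION_RISK.get(ctx.action, 50)   # unknown actions are treated as risky
    if not device_is_bound(ctx):
        score += 40                           # guarantees at least a step-up
    if ctx.country != HOME_COUNTRY.get(ctx.customer_id):
        score += 25
    if ctx.behaviour_similarity < 0.5:
        score += 25
    elif ctx.behaviour_similarity < 0.8:
        score += 10
    if ctx.amount > 1000:
        score += 15
    return score


def decide(ctx: AuthContext) -> str:
    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= ALLOW_BELOW:
        return "step_up"
    return "allow"


def sample_decisions() -> dict:
    """Constructed requests that exercise each outcome."""
    secret_a = DEVICE_REGISTRY["cust-1001"]["phone-A"]
    secret_b = DEVICE_REGISTRY["cust-2002"]["phone-B"]
    nonce = secrets.token_hex(16)   # fresh server challenge for this session
    cases = {
        # bound device, at home, normal behaviour, low-risk action
        "balance_at_home": AuthContext("cust-1001", "phone-A", nonce,
                                       device_proof(secret_a, nonce),
                                       "view_balance", 0, "GB", 0.9),
        # same device, but a large payment to a new payee
        "new_payee_large": AuthContext("cust-1001", "phone-A", nonce,
                                       device_proof(secret_a, nonce),
                                       "pay_new_payee", 2500, "GB", 0.9),
        # device never enrolled for this customer
        "unbound_device": AuthContext("cust-1001", "phone-X", nonce,
                                      device_proof(b"guess", nonce),
                                      "pay_known_payee", 200, "GB", 0.9),
        # proof computed over an old nonce (replay) plus unusual behaviour
        "replayed_proof": AuthContext("cust-1001", "phone-A", nonce,
                                      device_proof(secret_a, "old-nonce"),
                                      "pay_new_payee", 2500, "GB", 0.3),
        # genuine device, customer travelling, slightly unusual behaviour
        "roaming_customer": AuthContext("cust-2002", "phone-B", nonce,
                                        device_proof(secret_b, nonce),
                                        "pay_known_payee", 50, "FR", 0.6),
    }
    return {name: decide(ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name:18s} -> {outcome}")
```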

We outline this vision in more detail in the report published yesterday by Celent, Security, Convenience or Both? Setting Out a Vision for Authentication. In addition, the report discusses:

  • The upcoming PSD2 requirements for strong authentication.
  • The rise of biometrics, including different modalities and device-based vs. server-based implementations.
  • An overview of various standard-setting bodies, such as the FIDO Alliance and the W3C Web Authentication Working Group.

Also, yesterday we launched a new Celent Digital Research Panel survey, this time focused on Authentication and Identity management. The objectives of this survey are to assess amongst the US financial institutions:

  1. Investment drivers for customer authentication and identity management.
  2. Current state and immediate plans around authentication and identity management.
  3. Perspectives on the future for authentication and identity management.

If you already received an email invite, we do hope that you will respond before our deadline of August 8th. If you represent an FI in the US, and would like to take part, but haven't received the invite, please contact us at info@celent.com. We will publish the results in a Celent report, and all respondents will receive a copy of the report, irrespective of whether they are Celent clients or not. We look forward to hearing from you!

Wearable devices and the future of authentication

There is a lot of hype around wearables (smartwatches, fitness bands, etc.) and they may have all kinds of interesting potential. This potential, particularly for banking, is still to be determined. However, I believe that there is a great opportunity for certain wearable devices to provide strong authentication and enhance the user experience (see this blog entry). Examples are starting to trickle out:
  • RBC recently announced that it has partnered up with a firm called Bionym. Bionym offers a wearable device, the Nymi Band, that can be used for authenticating you to all kinds of products, devices and services (see this video for potential use cases). The device will take the user’s electrocardiogram and use it for authentication purposes. RBC and Bionym are going to test ECG authenticated payments at the point of sale. Sounds pretty cool to me! The Nymi band is a $79 product that can be ordered on Kickstarter.
  • Last week, at the AFP Conference, Online Banking Solutions (OBS) showed me a demo of how they are using a smartwatch to authenticate corporate online banking transactions. When the user performs a certain function, an alert is sent to the smartwatch (the demo was shown to me on a Moto360). The user then has to interact with the watch in order to confirm or reject the transaction.
Much of this is obviously still experimental. It is however highly innovative, and a step in the right direction toward killing the password.

When $250 Million Can’t Buy Cyber-Peace

Last week’s newspapers brought the unsettling news that JP Morgan Chase’s internal CRM systems were penetrated by unknown attackers, compromising the personal information of 76 million households and 7 million small businesses. The Bank released a statement to its clients on Thursday noting that “there is no evidence” that account numbers, ATM PINs, or social security numbers were accessed during the cyber attack. Today, news reports indicate that four other large financial services companies including Citibank and E*Trade were targeted by the same group, thought to be based in Eastern Europe or the Middle East. In the case of JP Morgan Chase, the investigation has been focused on the personal computer of a single employee whose system may have been compromised by malware. The incident continues to be investigated by the FBI, Secret Service, and JP Morgan’s own private vendors, so there’s no need to speculate on who is responsible or what other information may have been compromised in the attack. Still, I hesitate to note that the Bank’s soft “no evidence” qualifier gives it plenty of wiggle room should the investigation uncover additional data leakages. The point here is that like the two other large data breaches of 2014 — Target and Home Depot — the JP Morgan Chase breach occurred in its private data center, the kind that is built at significant cost to resist these sorts of attacks – or at least detect and repel them when they do occur. JP Morgan’s annual report shares that the bank spends more than $250 million annually on cybersecurity, and will have 1,000 employees focused on the task by the end of this year. Most banks do not have the size or management scale to match JP Morgan Chase’s annual investment, but if even $250 million can’t buy cyber-peace, what chance do average sized banks have of protecting themselves from the next malware du jour? I contrast this situation with the growing use of cloud services in the financial services industry.
While other industries have been quick to embrace the cost, capability, and flexibility of cloud services, the banking industry lags behind — largely based on valid concerns about information security and control. JP Morgan Chase’s announcement serves as a wake-up call to banks of every size, informing them that when sensitive client data is concerned, private data centers and public cloud providers are partners in the ongoing fight for data security. The next bubble to burst will be the long-held presumption that maintaining customer data in a private data center is inherently safer than storing it in a public cloud. To a cyber-attacker, an IP address is an IP address. Whether sensitive customer data is located on a physical server on the bank’s premises or a virtual server located on a public cloud is mostly irrelevant. What really matters is how well a bank (or its service provider) monitors network traffic, detects unusual or malicious activity, and shuts down suspect traffic. The other lesson here is that as always, a little encryption can go a long way in ensuring that customer data is safe from the prying eyes of clever and determined hackers.

Wearables – banking hype or opportunity?

Lately there has been much fanfare around wearables. From Google Glass to smartwatches, there has been no shortage of press releases, articles and hype surrounding these devices. I must say that I personally find all of this stuff amazingly cool, and love trying out new things. I am also super excited about the Moto 360 smartwatch and will likely pick one up when it launches. My interest in these devices however has absolutely nothing to do with banking. Don’t get me wrong, I think it’s critical for banks to try out new technology in order to understand how devices are evolving and how consumers will use them. In other words, banks should proactively throw stuff against the wall in order to see what sticks! Will wearables be the next big “channel” or consumer touchpoint? I have a hard time believing that consumers are going to want to “bank” using these devices – there is a lot of hype here that needs to be filtered. Wearables, specifically smartwatches, will act as more of a companion to a smartphone. There are however a couple of specific areas where wearables can have an impact on banking:
  • Alerts and notifications. The alerts that pop up on a watch should in theory be the same ones that appear on your smartphone. Most day-to-day banking alerts may not be that critical; however, there are some that the user may want to have access to at a glance. Security at the point of sale is also a possible use case. If a credit card is swiped, an alert can be sent – it’s simpler and faster to have this appear on your wrist than in your pocket.
  • Authentication. These devices, particularly the smartwatch, represent an interesting authentication alternative. The Android platform can be configured to allow for a “trusted device” to unlock the phone or an app. In other words, the phone or app can be unlocked if the device detects the presence of a smartwatch. If the device is lost or not in the hands of the user, the smartwatch won’t be detected and the user will be prompted for a password. The Moto X smartphone currently has this software feature incorporated into its build of Android, and it can be used to unlock the device. Celent believes that devices like the smartwatch can act as a solid form of authentication and enhance the user experience. Additionally, banks have been challenged to come up with new methods of providing authentication for mobile banking, particularly since classic multifactor authentication involves something you know and something you have.
The mobile world is rapidly evolving and there is much to look forward to. Please weigh in with your thoughts and comments.

Technology and Service Providers: Different Beats, Same Tune

It’s been a whirlwind week for service provider analyst days and client conferences: Friday with Genpact, Tuesday and Wednesday with FIS, and Thursday with IGATE. Each firm is trying to differentiate itself amidst all the market noise; like banks, they’re constantly resisting the grind of commoditization. And while each interaction was unique and fascinating, four common themes struck me as being indicative of the massive changes going on today in banking technology. Not coincidentally, they’re all consistent with what Celent has been saying about the evolution of the banking ecosystem.
  1. Focus
  2. Realignment
  3. Security
  4. Partnership
Focus takes on different meanings for different firms, but both Genpact and IGATE were very clear about where they were going to spend time and energy, and where they weren’t (banking makes the cut for both of them). FIS may seem oxymoronic because of its product and service breadth and depth, but the company appears to be making steady progress towards rationalizing a variety of disparate products obtained through acquisition.

Realignment follows focus. FIS is for the first time dividing itself into three groups: North America, International, and Global Institutions (roughly the top 30 international banks). Genpact and IGATE are both focusing on nine verticals (the specific nine vary), with IGATE putting P&L responsibility with the verticals for the first time. They will both have, however, certain horizontal practices that continue to run across their verticals.

Security is a key value-add for these companies; with a broader base across which to spread costs, they tend to impose attention and discipline that many smaller banks can’t hope to match. While specifics vary, all made it a point to mention their approach to security. As the issue continues to increase in importance, we think this element of their value proposition will become ever more significant.

Partnership is perhaps the ultimate defense against commoditization. Each of the three firms mentioned in their first breath the desire to work with their clients as Partners. Celent has written extensively on the transition from a vendor/customer to partner/client relationship in banking, and while talking about it doesn’t guarantee execution today, it’s a necessary first step for it to be tomorrow’s reality. What will be particularly interesting is the ongoing tension between providers’ professed desire to do the right thing and regulators’ apparent wish that contracts spell out in gory detail what will be required (including who bears responsibilities for mistakes).
For more, see an interesting American Banker article here: http://bit.ly/1sAAE7j. For providers, guaranteeing that they can pass regulatory muster with minimum fuss will be a key requirement as they seek to win more business. As the year continues we’ll be watching keenly to see whether other providers’ actions echo these trends, and what banks’ reactions are.

As a footnote, two of the firms have taglines, one brand new, the other a bit older:
  • IGATE: Speed. Agility. Imagination.
  • Genpact: GENerating imPACT
FIS may have an opportunity here to help define itself; right now it’s self-admittedly one of the biggest companies that no one’s ever heard of. What do you see in the marketplace? Has my quick synthesis missed a key trend? I welcome your thoughts.

It’s so easy for bank marketing to take a wrong turn

Yesterday I came home to a strange voicemail from ING Direct Canada. I decided to phone back right away because I noted the following 3 things about the message:
  • The toll free number provided was nowhere to be found on the bank’s web site
  • The message left was with regards to “my profile and information”
  • The reference number left on the voicemail was my online banking user ID
I called back the main toll free number provided on the bank’s web site. After a brief hold I was transferred to an agent who looked me up in their system. I was told that I had to be transferred to another department and that yes, the message that I received was legitimate. The person I was transferred to was polite and friendly and wanted to sell me an investment. WHAT??? The good news for the bank is that they got me to call back right away. The bad news is that I don’t even know or care about what she offered because I was so thrown off by the voicemail. I had questions. Why was I being directed to a toll free number that I can’t find on the bank’s web site or through a Google search? Why were the details of the voicemail so mysterious? Why was my user ID being divulged over the phone as a reference number? All of my comments were noted and the rep apologized. Granted I’m not a typical customer, but it’s customers like me that can help make a difference when it comes to these issues (or so I would hope!). There’s a lot that banks can learn here – on the security front and on the marketing front. This is particularly relevant in an age where banks are so focused on marketing and offers that are based on data:
  • You can have great data, but it’s useless if you don’t master things like privacy and security
  • Customers should always be directed to call back a primary telephone number that can be easily validated. Banks are so cautious about email communication with clients – they should be just as cautious with telephone communication
  • Under no circumstances should a user ID ever be divulged. It’s a key piece of an authenticated login. It of course takes a couple of other pieces to login but that’s not the point – why give away any pieces of the puzzle? Furthermore, if a bank or customer were to suffer a breach, a fraudster could attempt to gain access to other account credentials by leaving a convincing voicemail containing a user ID (that obviously did not happen here).
I welcome your thoughts and comments. UPDATE 4/7/2014: I was contacted by ING Direct last week. They have informed me that they will no longer use a user ID as a reference number. Kudos to them for reacting quickly and switching around the process.

Finovate Europe 2014: Some Key Takeaways

Finovate just ended yesterday, and it was great to see all the new and interesting ideas floating around the financial services space. For those who may not know, Finovate is a two-day event that showcases some of the best new and innovative things happening in financial services technology. Over 60 companies coming from all over the world presented this year, taking part in the rapid format that gives each presenter 7 minutes to show why their product is worth the viewers’ attention. The event can also be a great networking opportunity, as many of the attendees are from large institutions or influential VCs.

Figure 1: Number of Presenter Products with Aspects of Each Category

Here are some key takeaways after watching most of the presentations:
  • PFM is still going strong: Banks have been declaring the end of PFM for years now, yet the topic is still one of the most talked about at every Finovate. At Finovate Europe, PFM was the most prevalent. What does this mean for the institutions? Well, first off, it’s obvious that entrepreneurs still see the value in PFM tools. Banks, many of which adopted PFM solutions long ago, have shrugged at the lackluster adoption, subsequently declaring PFM a failed experiment. Financial institutions themselves are partly to blame, hiding these platforms in menus, barely showing any desire to market the products. Yet the biggest problem with PFM is shared by all, vendors and banks alike. PFM doesn’t add value! Let’s just assume most people want to know how much they spend on coffee each month (I don’t!). What comes next? Where’s the action? The fundamental problem with PFM is that the way the data has been leveraged to truly provide value has been disappointing at best. Until the quality of the data is there, PFM won’t be in the mainstream. A secondary concern—the misconception that most vendors buy into—is that PFM can be fun, succeeding through cleverly designed games and well-designed UIs. I hate to say it, but PFM will never be fun! Nevertheless, there were some interesting takes on PFM this year that could offer some new ways to think about it going forward. A company called Tink takes financial data and creates insights for the user like where you spent the most money in the last year, largest one-time purchase, most frequent spending location, and others. The difference is that these are non-intrusive ‘stats’ that show up only if a user scrolls down from the landing page on the mobile app. Three takeaways from Tink’s product: everything is done on the bank side, it is more interesting than visualizations of spending categories, and the analysis requires nothing from the user.
Meniga, a PFM success story in Europe, uses demographic data to help small businesses find market opportunities. It provides competitors’ sales data, locations, profitability, among other things. It’s not PFM in the strictest sense, but that’s probably a good thing. PFM needs a little shaking up.
  • Moving Mobile Banking Beyond Transactions: While not a new topic, this was a common theme across a variety of presentations. The most common involved using the camera to assist in account opening or paying bills (see Kofax, Top Image Systems, and Axa Banque). Mitek and US Bank have been at this for some time, but the rush of new start-ups looking to fill the gap in the market is telling. As mobile banking becomes more common, and adoption increases, consumers’ appetite for mobile-based interactions will broaden. Banks are not only beginning to offer consumers the ability to do more complex transactions via the mobile device, but they’re opening up ways for financial institutions to monetize the channel. This will effectively make ROI much more tangible, doing away with the misconception that the value of digital channels is ambiguous.
  • Replace the Password: Is the password dead? That was the question asked by Wired Magazine in November of 2012, and something that has been on the mind of Celent for quite some time. Finovate produced no shortage of companies looking to innovate on financial security. Finovate veterans Behaviosec continue pushing their gesture-based biometric product that learns how the user moves and interacts with the device to create a confidence score for use behind the scenes. Encap uses the mobile phone as an authentication device for approving transactions or logging into digital banking. This was the second most discussed topic at Finovate. While biometrics is already used in some places globally, the practicality of such solutions is dubious at best. Security needs to start becoming a little more practical. One of my favourite presentations was from Feedzai, where they use social media data scraping to assess fraud risk. For example, if I just checked in at a restaurant in San Francisco, then it’s likely that a transaction from somewhere else is fraudulent. A few took to Twitter to question whether customers would be OK granting banks access to their social media lives. If Citibank starts poking people, then maybe I could see the point; otherwise, it’s a practical application for enhancing security. Besides, most social media information is already public anyway.
  • Lots of Front-end, Little Back-end: One thing Finovate teaches us all is that there is no shortage of great UI designers. One thing Finovate doesn’t teach us is that banking is messy once you start connecting that nice-looking front-end to the messy back-end. Are most of these front-end products from Finovate really bank-ready? I’m not convinced. Large vendors like Misys, Fiserv, and Temenos may not have won best in show, but with integrated backend products, they’re in a much better position to succeed. One of my favorites was Five Degrees, a Dutch back/mid-office solution that runs in the cloud and offers a truly innovative BPM product. Other than that, good examples of back-end innovation were scant.
  • Social Collaboration: It was interesting to see different ideas behind leveraging crowd-sourcing and social collaboration. Nous presented a product for investments that incentivizes users to play a game that aggregates data based on the players’ outcomes. A company called MyWishBoard uses collaboration, similar to SmartyPig, for goals and wishlists that can be shared via social media with friends. Leveraging the power of crowds has been difficult to accomplish in financial services, and most social strategies have revolved around marketing and customer support. While some of these ideas may not be the best business ideas, it’s nice to see different takes on leveraging the power of social.
  • No Branch Channel Innovation: Absent from the Finovate line-up were any innovative ideas around branch technology. Celent has written a number of reports looking at branch technology, and there is undoubtedly still much to talk about in this space. The closest the show came was with JHA’s Luminous, a Dropbox-like secure storage cloud application for bank documents. Branches are changing, but they aren’t going away, at least not anytime soon. Banks have been doing some interesting things in the branch channel, but there are still plenty of innovative ways to maximize the brick-and-mortar experience. Celent did a recent consumer survey showing that branch channel adoption is still very high among consumers, and the first choice for important decisions. Considering the adoption gap between PFM and the branch, the low activity is surprising.

Improving Security of Mobile Payments

A couple of weeks ago the European Central Bank (ECB) published a draft document for public consultation on Recommendations for Security on Mobile Payments. These recommendations were developed by the European Forum on the Security of Retail Payments, SecuRe Pay. This document follows similar recommendations for internet payments, and for payment account access services. Creation of standards and guidelines around payments is always a good thing, and that applies to security in mobile payments. However, the ECB is careful not to “set specific security of technical solutions. Nor does it redefine, or suggest amendments to, existing industry technical standards.” In my view, this is absolutely correct – mobile payments remains an incredibly diverse and rapidly developing landscape, and to attempt to impose specific security requirements on all of them would be a mistake. Instead, the ECB focuses on five guiding principles for mobile payment service providers:
  1. Identifying, assessing and mitigating the specific risks associated with providing mobile payment services.
  2. Using strong customer authentication and registration controls.
  3. Implementing a robust data protection mechanism to protect sensitive data wherever it is transmitted, processed or stored.
  4. Implementing secure processes for authorising transactions, as well as robust processes for monitoring transactions and systems.
  5. Engaging in enhancing customer understanding and providing information on security issues related to the use of mobile payment services with a view to enabling customers to use such services in a safe and secure manner.
Most banks already have policies and processes to manage operational risk, conduct risk assessments, monitor and report incidents, etc., so for most it shouldn’t be too challenging to incorporate these requirements into existing practices. The biggest challenge for them is likely to be ensuring that their partners also follow these guidelines and take appropriate security measures. However, again, banks are already responsible for managing risk emanating from third party relationships. On the other hand, the risk management framework and requirements set out in these recommendations are likely to require investment from start-ups and other new PSPs over and above what they might be doing today around security. At least on the surface, one of the potentially more onerous provisions appears to be the requirement that PSPs and mobile payment services providers implement a notification procedure in the event of security incidents. In reality, it will depend on how this will be implemented. Somebody needs to be aware of all security incidents, but most providers have or will develop escalation mechanisms and reporting structures to determine who needs to get what information when.

So, could these measures be the key to widespread uptake of mobile payments? I don’t think so – security is a must have rather than a positive incentive. In other words, lack of security would be a significant barrier to customer adoption, but security alone will not lead to increased adoption – you need more tangible elements of the customer and merchant value proposition and a workable business model across providers for that. To the extent that these proposals will help educate consumers and address their concerns around security, they will be useful. And if they are effective, they will play an “invisible role” by helping to prevent and manage security incidents, thus minimizing the barriers for customer adoption. I think most mobile payments providers are already taking security seriously.
However, as we at Celent always say, there is usually a tradeoff between security and usability. And even the best security will not be able to prevent incidents entirely. Hence, the ECB is absolutely correct to focus not just on ensuring that incidents are minimized, but also on the risk management framework and on what needs to be done when bad things do happen, as they inevitably will.

Bank Websites Under Attack!

A rash of denial of service attacks hit major US banks this week. These are scary incidents that wreak havoc for banks and their customers. For now at least, these attacks appear to be limited to online sites, and are therefore interrupting the online banking activities of the US public. Online banking is a mainstream channel – one that cannot be interrupted. Furthermore, online disruptions shake consumer confidence and can damage a bank’s reputation – financial institutions are trusted entities that are supposed to be safeguarding assets. If they can’t keep the front door locked, what does this mean for the deposits stored on the inside? What can financial institutions do and what does this mean for customers?
  • Reassure and communicate regularly with the public. This was a serious issue when Chase had a major web site outage last year. Tweet, get onto Facebook, reply directly to customers. Don’t just listen, watch, or provide generic replies with basic info. Address customers, point them to channels that do work, direct them to nearby branches, have customer service reps call them. This is easier said than done as call centers are overloaded. PNC, the latest bank to come under attack, has but a handful of tweets today – all very generic.
  • Be prepared for round two. Right now these attacks appear to be concentrating on bank web sites. Could a completely different type of attack (e.g. a data breach) take place in the next round of cyberwarfare? Banks definitely have to be on the lookout for this. It wouldn’t surprise me to see hands try to enter the cookie jar in an attempt to steal customer information and/or assets. This isn’t happening right now, but banks have to be prepared for what could happen next.
No matter how you look at this, these attacks are terrible. We live in a world where consumers have come to rely on digital transactions (and they should). Attacks like these shake consumer confidence, and eat up precious bank IT dollars that are already quite scarce. Please feel free to chime in with your comments.

Some Facts About Data Breach at Global Payments

Last Friday, the press began reporting about a major data breach at Global Payments, a large US card processor. As always in the early stages of such events, there were plenty of rumours and speculation with various sources reporting stolen card numbers to be as low as 50,000 or as high as 10 million. This morning, as I write this, Global Payments is holding a conference call to provide us all with more information. So, this is what we have directly from the company:
  • Up to 1.5m card records “may” have been affected;
  • The incident is contained to North America only;
  • Only Track 2 data has been taken (not Track 1 data and not customer name, address, etc.);
  • Visa removed Global Payments from a PCI compliance list;
  • The incident does not involve any merchants, ISOs or customers and occurred on some “local servers” at Global Payments;
  • Due to the ongoing federal investigation, the company can’t be specific about timelines, but did confirm that “about 3 weeks ago” it discovered that some card data “may have been taken” and immediately contacted federal law enforcement agencies and the schemes;
  • Customers are “encouraged to be vigilant”. Also, the company is setting up an information site for consumers which should be operational later today: http://www.2012infosecurityupdate.com/
The trading of Global Payments shares was suspended on Friday and the full impact on the company remains difficult to estimate at this stage. However, the executives on the call remained positive and stressed that the company:
  • Continues to process all card transactions, including Visa;
  • Is working with the schemes and other parties to address the situation; “~100 people are working on this”;
  • Intends to get its ROC (Record of Compliance) back “as soon as it is humanly possible”;
  • Will continue with its planned investments in other areas, but also will “spend even more on security” going forward;
  • Expects to come out stronger and more experienced as a result, and believes that their customers will recognise this.
Data breaches are unpleasant, dangerous and costly. They are also a fact of life. In our most recent payment trends report, we called out retail payments security as an important focus area for 2012. As the commerce environment gets more complex (online, offline, mobile, etc.) and as access points to payments proliferate, security issues are only getting more complex. What are your thoughts on how best to ensure payments security in the digital age?