WHY BEHAVIOURAL BIOMETRICS IS THE KEY TO DIGITAL BANKING SECURITY
Source: Finance Derivative
By Richard da Silva, VP EMEA at Revelock
More and more people are switching to digital channels for a convenient banking and payments experience. 14 million Brits already had a digital-only bank account back in January 2021, and this is projected to grow by an additional 10 million over the next five years. Banks and other financial institutions naturally want to uphold a smooth customer experience for these digital users. However, as cybercriminals seize upon the opportunity presented by an increased pool of targets, banks are inevitably caught between a rock and a hard place – balancing a seamless digital experience with stringent fraud prevention methods.
To make matters worse, fraud teams are up against an increasingly complex, intelligent, and rapidly growing field of bad actors – and traditional fraud prevention techniques simply can’t keep up. Banks cannot afford to compromise on their customers’ safety, so they need to find a way to protect users at every stage of the online journey, whilst still maintaining a frictionless experience. The best way in which to do both at the same time is to employ the latest innovations in fraud prevention technology to analyse behavioural biometrics across the user journey.
What are behavioural biometrics?
From unlocking their smartphones to facial recognition at passport control, many online banking customers will already be familiar with authentication that utilises physical biometrics – which can include a scan of a fingerprint, a face, or any other physiological feature which can serve as user identification. Physical biometrics can certainly improve digital banking security, especially when used alongside other methods as part of a multi-factor authentication approach.
Alone, however, physical biometrics are relatively easy for bad actors to undermine, as they can simply replicate these physical features – especially in a social media age when many people’s images are publicly available online. Moreover, the recent emergence of technologies such as voice-cloning and the creation of ever-more convincing ‘deepfakes’ means it is becoming more and more common for fraudsters to replicate their victims’ physical traits – which they can then use to carry out all kinds of online banking and payments fraud, and ultimately run away with customers’ money.
Behavioural biometrics analysis, on the other hand, looks at a user’s pattern of behaviour during their online interactions – such as their typing speed, touchscreen pressure, or the way they move their mouse – which is completely unique to each user and cannot be replicated in the same way as physical biometrics. By leveraging solutions founded in behavioural biometrics, banks and other financial institutions can analyse thousands of parameters surrounding a user’s behaviour throughout every online banking session, to ensure to the highest degree of accuracy that the user is who they say they are and is not being impersonated or manipulated.
An innovative, adaptive fraud prevention solution
Behavioural biometric analysis works most effectively when it is implemented as part of a multi-faceted fraud detection and prevention solution which focuses on a Know Your User (KYU) approach. Traditional fraud prevention methods usually compare users and their behaviours to bad actors to determine if they are genuine, which can lead to false positives and thereby unnecessary customer friction in the form of stepped-up authentication.
Instead, behavioural biometric analysis can be combined with device, network, and threat intelligence data to build a BionicID – essentially a digital fingerprint – that is unique to each online user, whether a genuine customer or bad actor. In short, this KYU approach asks the question “are you really you?” and assesses this on a granular level, comparing every user interaction to their own previous behaviours as well as that of bad actors to establish the user’s identity as a genuine customer. This approach is highly accurate in verifying the user, with as few as two interactions producing an accuracy of over 90%. What’s more, this KYU approach utilises deep learning technology to ensure the identification of each user becomes increasingly accurate with every interaction.
Complete end-to-end protection
Banks need to ensure complete security at every stage of the online customer journey, as bad actors will look to exploit vulnerabilities at every opportunity. Fortunately, this is where a behavioural biometric-based solution once again comes in handy. Banks can implement continuous authentication by analysing each online user’s BionicID at every interaction – from login, to transaction, to logout, making it near impossible for any threat to slip through undetected.
Implementing this approach ensures that digital processes will remain frictionless for genuine customers, as the behavioural biometric analysis occurs ‘behind-the-scenes’, without the need for increased user interaction. Fraud teams can also use this technology-led approach to calibrate automated fraud responses based on the risk-level of the threat detected – meaning the volume of false positives and associated customer friction will be dramatically reduced.
Once fraud has occurred or funds have been stolen, the damage has been done – trust is broken, reputations damaged – even if the money can be recovered. A configured automated response based on behavioural biometric analysis allows financial institutions to take a proactive approach to online fraud – in effect preventing such attacks before they can even occur.
Why it’s risky for financial firms to rely on mobile device authentication
Source: Finance Derivative
Niall McConachie, regional director (UK & Ireland) at Yubico
Using mobile phones to sign into online services can offer people a sense of security and convenience. However, when their devices are damaged, lost, or stolen, they can quickly experience why relying on mobile authentication methods is not the best choice when it comes to protecting their online identities.
Despite this, many financial firms and institutions in the UK continue to encourage their customers and employees to use this form of digital authentication when accessing sensitive data. With cyber attacks being the most cited risk to the UK financial system, it is important that leaders understand the increased risks that they take on with continued use of ineffective authentication and poor cyber hygiene practices.
Limitations of mobile devices and passwords
Aside from being easily lost, stolen, or broken, the effectiveness of mobile-based authentication can be limited depending on the user’s location. For example, depending on where the mobile devices are being used, people may not have the reception needed to authenticate into an account. Additionally, they could be locked out of their accounts simply due to the device’s battery running out. However, even without these issues, mobile devices still pose considerable cybersecurity risks.
Indeed, findings from our recent State of Global Enterprise Authentication Survey show that mobile SMS-based authentication (20 percent), push authenticator apps or mobile one-time passcodes (OTPs) (23 percent), and passwords (23 percent) are believed to be the most secure forms of digital authentication by UK respondents. As financial firms use these methods so often, it is understandable why customers and employees would come to this assumption. However, this is a misconception.
While any form of authentication is better than none, passwords and mobile-based authentication methods – including SMS verification, OTPs, and digital authentication apps – are all vulnerable to many modern cybersecurity threats. These include SIM swapping, phishing, password spraying, man-in-the-middle (MitM) attacks, and ransomware attacks which can all lead to possible data breaches, imposing serious consequences on UK financial organisations.
Improved cyber hygiene practices and training for employees
According to the survey, the primary ways that UK employees signed into their business accounts were with usernames and passwords (53 percent), mobile SMS-based authentication (24 percent), and push authenticator apps or mobile OTPs (19 percent), indicating that UK employees are not choosing the best form of authentication methods. These practices leave their accounts easily compromised by bad actors.
Additionally, it is important to note that no authentication solution can be fully effective in mitigating emerging cyber threats if used alongside poor cyber hygiene practices, which play a significant role in reducing an organisation’s cyber resiliency against external threats.
Overall, it appears that UK organisations are not properly enforcing best-practice cyber training amongst their internal staff. Findings show that only 42 percent of respondents are required to go through frequent cybersecurity training. The report also revealed significant lapses in employees’ cyber-hygiene practices. For instance, over the previous 12 months, UK respondents admitted to using a work-issued device for personal use (49 percent), allowing their work-issued device to be used by someone else (33 percent), not reporting a phishing attempt (31 percent), having an account reset due to lost or forgotten credentials (58 percent), and using a personal device for work (58 percent).
These poor habits should be concerning for finance firms because if an employee uses a personal device for work, bad actors can compromise that device and use it as a point of access to target their employer. As 73 percent of UK respondents claimed to have experienced a cyber attack in their personal lives within the previous 12 months – this and other similar scenarios are highly possible.
Moreover, the combination of weak authentication methods and poor digital habits makes organisations especially vulnerable to cyber attacks which can directly target their customers, employees, and third party partners as well. Therefore, better cyber hygiene practices should be enforced on a regular basis to protect organisations fully and effectively from emerging threats.
Benefits of alternative authentication methods
For finance businesses looking for alternative methods, it is important to note that there are some forms of multi-factor authentication (MFA) and two-factor authentication (2FA) that are more robust than others. For example, some require users to authenticate with either a hardware security key or identity credential that is unique to the individual user like a fingerprint. With the help of FIDO protocols – globally recognised standards of public key cryptography techniques to deliver stronger authentication – stronger authentication methods like these provide users with a seamless experience when accessing their digital accounts by removing the need for passwords or mobile devices.
The National Cyber Security Centre (NCSC) recommends hardware-based security keys as a phishing-resistant solution against modern cyber attacks. In addition, a growing number of global companies and UK banks have implemented passwordless authentication. Apple, Barclays, Co-operative Bank, Google, HSBC, Microsoft, NatWest, Twitter, and the US Government are just a few reputable organisations which have opted for passwordless authentication.
Customers and staff should not be solely responsible for adjusting their own cybersecurity practices. It is also up to organisations to enhance their digital security by implementing phishing-resistant passwordless solutions. Whether using biometric identifiers or hardware security keys, these solutions are more effective and user-friendly than conventional authentication methods. They also offer robust authentication across multiple devices and accounts, reducing the number of times a user needs to sign in. However, most importantly, implementing business-wide passwordless solutions helps to reinforce an organisation’s security posture and significantly decreases the risk of emerging attacks.
Mobile-based authentication, OTPs, and passwords are some of the most widely used authentication methods but are not the most secure. As the finance sector continues to prioritise passwordless authentication, this will likely change customers’ and employees’ perceptions of what secure authentication truly is. Ultimately, providing users with the most secure authentication possible should be a top priority. With it, financial firms can experience the long-term benefits of improved data security, better user experience, and considerable ROI.
Unlocking the Power of Data: Revolutionising Business Success in the Financial Services Sector
Source: Finance Derivative
Suki Dhuphar, Head of EMEA, Tamr
The financial services (FS) sector operates within an immensely data-abundant landscape. But it’s well-known that many organisations in the sector struggle to make data-driven decisions because they lack access to the right data to make decisions at the right time.
As the sector strives for a data-driven approach, companies focus on democratising data, granting non-technical users the ability to work with and leverage data for informed decision-making. However, dirty data, riddled with errors and inconsistencies, can lead to flawed analytics and decision-making. Siloed data across departments like Marketing, Sales, Operations, or R&D exacerbates this issue. Breaking down these barriers is essential for effective data democratisation and achieving accurate insights for decision-making.
An antidote to dirty, disconnected data
Overcoming the challenges presented by dirty, disconnected data is not a new problem. But, there are new solutions – such as shifting strategies to focus on data products – which are proven to deliver great results. But, what is a data product?
Data products are high-quality, accessible datasets that organisations use to solve business challenges. Data products are comprehensive, clean, and continuously updated. They make data tangible to serve specific purposes defined by consumers and provide value because they are easy to find and use. For example, an investment firm can benefit from data products to gain insights into market trends and attract more capital. These offer a scalable solution for connecting alternative data sources, providing accurate and continuously updated views of portfolio companies. Using machine learning (ML) based technology enables the data product to adapt to new data sources, giving a firm’s partners confidence in their investment decisions.
But, before companies can reap the benefits of data products, the development of a robust data product strategy is a must.
Where to begin?
Prior to embarking on a data product strategy, it is imperative to establish clear-cut objectives that align with your organisation’s overarching business goals. Taking an incremental approach enables you to make a real impact against a specific objective – such as streamlining operations to enhance cost efficiency or reshaping business portfolios to drive growth – by starting with a more manageable goal and then building upon it as the use case is proved. For companies that find themselves uncertain about where to begin their move to data products, tackling your customer data is a good place to start for some quick wins to increase the success of the customer experience programmes.
Getting a good grasp on data
Once an objective is in place, it’s time for an organisation to assess its capabilities for executing the data product strategy. To do this, you need to dig into the nitty-gritty details like where the data is, how accurate and complete it is, how often it gets updated, and how well it’s integrated across different departments. This will give a solid grasp of the actual quality of the data and help allocate resources more efficiently. At this stage, you should also think about which stakeholders from across the business, from leadership to IT, will need to be involved in the process and how.
Once that’s covered, you can start putting together a skilled team and assigning responsibilities to kick-off the creation and management of a comprehensive data platform that spans all relevant departments. This process also helps spot any gaps early on, so you can focus on targeted initiatives.
Identifying the problem you will solve
Now let’s move on to the next step in our data product strategy. Here we need to identify a specific problem or challenge that is commonly faced in your organisation. It’s likely that leaders in different departments, like R&D or procurement, encounter obstacles that hinder their objectives that could be overcome with better insight and information. By defining a clear use case, you will build a real solution to a challenge they are facing rather than a data product for the sake of having data. This will be an impactful case study for your entire organisation to understand the potential benefits of data products and increase appetite for future projects.
Getting buy-in from the business
Once you have identified the problem you want to solve, you need to secure the funding, support, and resources to move the project ahead. To do that, you must present a practical roadmap that shows how you will quickly deliver value. You should also showcase how to improve it over time once the initial use case is proven.
The plan should map how you will measure success effectively with specific indicators (such as KPIs) that are closely tied to business goals. These indicators will give you a benchmark of what success looks like so you can clearly show when you’ve delivered it.
Getting the most out of your data product
Once you’ve got the green light – and the funds – it’s time to put your plan into action by creating a basic version of your data product, also known as a minimum viable data product (MVDP). By starting small and gradually enhancing it with each new release, you put yourself in the best position to encourage adoption and (coming back to our iterative approach) to secure more resources and funding down the line.
To make the most of your data product, it’s essential to tap into the knowledge and experience of business partners as they know how to make the most of the data product and integrate it into existing workflows. Additionally, collecting feedback and using it to improve future releases will bring even more value to end users in the business and, in turn, your customers.
Unlocking the power of data (products)
It’s crucial for companies in FS to make the most of the huge amount of data they have at their disposal. It simply doesn’t make sense to leave this data untapped and not use it to solve real challenges for end users in the business and, in turn, improve the customer experience! By adopting effective strategies for data products, FS organisations can start to maximise the incredible value of their data.
HOW SMALL BUSINESSES CAN FIGHT BACK AGAINST POOR PAYMENT PRACTICES
Source: Finance Derivative
SMEs across the UK are facing a challenging economic environment and late payments pose a severe challenge to maintaining cash flow. Here, Andrea Dunlop, managing director at Access PaySuite, explores the challenges facing small and medium sized businesses, the risks that late payments carry, and what can be done to secure timely payments, in full.
It’s estimated that UK businesses are currently owed more than £23.4bn in outstanding invoices. For all businesses, managing the outward flow of products and services with a steady incoming cash flow is a fine balance – with unexpected disruptions and complications capable of causing catastrophic problems.
Late and delayed payments have been identified as a significant challenge for SMEs – an issue that has scaled over recent years. In fact, in its latest report, the Federation for Small Businesses (FSB) stated that the UK is “almost unique in being a place where it is acceptable to pay small businesses late”.
The FSB also states that this “will remain the case without further action” and, as such, has called for government action to put a stop to these damaging trends.
Small businesses form a vital part of the economic ecosystem – in 2022, it was estimated that 99% of UK businesses were SMEs – so poor payment systems not only present a very real threat for individual businesses, but for the UK economy as a whole.
Despite this strong case for urgent action to be taken, changes to legislation can be a slow process and, in the face of ongoing economic pressure, small businesses need more immediate solutions.
Although businesses are at the mercy of their customers and clients, there are a number of actionable steps SMEs can take to increase the rate of prompt and complete payments.
The impact of late payments for SMEs
Research published by the ICAEW in Q4 2022 demonstrates that around half of invoices issued by small businesses are paid late.
More often than not, small businesses operate within a chain of regular suppliers and customers. These chains can include multiple business links, stretching across sectors and regions. As a heavily interwoven ecosystem, if one ‘link’ in the chain is damaged by late payments and unreliable cash flow, the delays can quickly escalate and create a domino effect of complications across the whole system.
With a lack of consistent income, SMEs are more likely to be prevented from paying their overheads and suppliers on time.
As late payments add up and push multiple businesses into a negative cash flow, the problem can continue to snowball.
Simply put, extended periods of unreliable and heavily reduced payments put whole supply chains of companies in very dangerous financial positions – especially as running costs remain high.
Combined, the complexities arising from late payments and the vast scale of the issue demonstrate a clear need for systemic change.
Current government action
At the end of January, the government published a review of the reporting of payment practices first introduced in 2017.
This review stated that the government is committed to “stamp[ing] out the worst kind of poor payment practices within the business community”.
The 2017 Payment Practices and Performance Regulations require all large UK companies to report publicly on their payment policies, practices and performance, to ensure accountability.
Following its review, a new consultation has been launched, seeking the opinion of business owners on current regulations – asking whether this existing policy should extend beyond its current expiry date, 6 April 2024. This consultation is part of a wider examination of payments in the UK.
Delving into issues including the emotional and psychological impact of late payments on small business owners – as well as analysing how banks and technology can help – the government’s review is a welcome development, but SMEs need to take more immediate action to strengthen their payment processes.
What can SMEs do?
With the government consultation finalising at the end of April, the future of the payment landscape in the UK will soon be made clearer – but what actions can SMEs take to immediately strengthen their payment processes?
For many SMEs, payment systems are low down the list of priorities, and the fear of disruption or additional costs can lead many to turn a blind eye to problems with their existing systems. But, with challenges around cash flow increasing, investing in a flexible and comprehensive payment system could be an incredibly worthwhile investment.
Issuing regular invoices takes a lot of time, and when working across different clients with different payment frequencies, invoicing can lead to unnecessary complexities.
Instead, systems that enable customers to set up direct debits ensure payments are completed on a set date, reduce additional paperwork and still allow bespoke schedules for each client or customer to be arranged.
In many SMEs, missed payments can easily get lost in piles of paperwork and human error can result in problems down the line. When using digital payment systems, should a missed payment occur, automated capabilities ensure the issue is flagged, and any outstanding challenges can be resolved in a timely manner.
With payments and invoicing automatically managed in a centralised database, countless hours that would otherwise be spent on repetitive and laborious administrative work are saved.
As well as reducing the amount of staff time spent managing processes and tracking financial activity, a reliable payment system delivers benefits for customers too, and contributes towards greater service and boosting brand loyalty.
In the coming weeks and months, new government guidance should clarify legislative expectations for businesses regarding payments. But, with smart investment in specialist software solutions, our country’s vital SMEs can take the necessary safeguarding steps to boost payment security and thrive through this tough financial time.