Technology is starting to pervade all aspects of our lives, and nowhere is its influence more visible than in the way we handle our money, whether we’re paying someone, buying something, or managing our personal finances. Unfortunately, with great convenience comes great risk, and having our personal information in the cloud to be accessed from anywhere means that it is also accessible by anyone – that is, anyone with the monetary motivation and the necessary resources.
Before the rollout of chip-and-PIN cards in the UK in the early 2000s, counterfeit card fraud was the attack strategy that dominated. Now that security measures for physical payments have been improved, card-not-present (CNP) fraud is growing.
Fraudsters go for the opportunity that offers the greatest reward for the lowest risk, and with so much shopping being done through online and mobile channels, there is certainly no lack of targets. Anyone buying from a retailer with an insecure website or app, or one that requires no transaction authentication to the shopper’s bank at checkout, is automatically vulnerable.
It’s not just where you buy or what you spend that can make you a victim of fraud – it’s also how you pay for your purchases. Scan-to-pay (QR code payment) has been gaining enormous ground in Africa, especially South Africa, but it has not taken off in the UK since its introduction here just over a decade ago. According to Visa, Britons instead prefer tap-to-pay, with the UK currently the leader in the use of this contactless payment technology – 34% of UK card payments were contactless by June of last year. These new payment modes offer unprecedented convenience for users, and can change the way we make purchases forever. Yet without a strong authentication mechanism, an innovative payment technique is just another potential market for fraud.
PSD2’s Payment Authentication Requirements
When the payment authentication requirements of the Revised Payment Services Directive (PSD2) take effect next year, all transactions over a certain threshold value will be subject to strong authentication for approval, which may help reduce fraud.
To this end, banks are spending big on risk engines that use machine learning to classify transactions into those above and those below the threshold. But while this may seem like a saving on authentication messages, banks don’t realize that they are missing out on a chance to build a relationship with their customers.
When a bank’s brand is what customers see when they are asked for consent, that brand will be what they associate with the feeling of empowerment those requests give them. The bank’s brand becomes a visual reminder of the fact that they are protected and in control. Avoiding authentication may lead to short-term cost-cutting, but building trust by implementing the right authentication is a long-term win for banks.
Push-based Authentication Grows in Popularity
Push-based authentication is increasing rapidly in popularity because of the strong security it offers banks (and other services) without causing inconvenience to their digital users. For example, Entersekt’s authentication product, Transakt, combines push technology with digital certificates. The system generates a public/private key pair for each registered user’s mobile device, and that key pair uniquely identifies the device. This means the bank and the user can both be confident that the messages they receive are from a trusted source, and have not been accessed or altered by a third party.
Whenever a digital banking user wants to execute a transaction, an authentication request containing the details of the transaction is sent (“pushed”) to their mobile device. They respond by tapping Accept or Reject, and this response is sent back to the bank signed with the device’s unique private key.
All messages to and from the user travel over an isolated, encrypted channel that is completely separate from the open Internet or mobile networks.
This avoids one-time passwords (OTPs), which can be intercepted by fraudsters during man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks. By rejecting the transaction request pushed to their mobile phone, the banking user can stop a fraudulent transfer in its tracks. Whether accepting or rejecting a request, the user’s signed response is also permanently recorded on the bank’s systems to support nonrepudiation: the ability to prove who sent a message and that it has not been changed, so the response cannot later be denied. Incidentally, under PSD2, nonrepudiation will need to be ensured for all transactions.
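The exchange described above, as an added example that is not Entersekt’s or Transakt’s code: the bank pushes the transaction details plus a fresh nonce to the enrolled device, the device signs the details together with the user’s Accept/Reject decision using its private key, and the bank verifies the signature against the public key it stored at enrolment, refuses tampered or replayed replies, and keeps the verified response as the nonrepudiation record. Ed25519, the message layout and the type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthRequest is what the bank pushes to the device: the transaction details
// plus a random nonce so a signed reply cannot be reused for another request.
type AuthRequest struct {
	RequestID string
	DeviceID  string
	Payee     string
	AmountGBP int64 // in pence
	Nonce     []byte
}

// AuthResponse is the device's reply, signed with the device's private key.
type AuthResponse struct {
	RequestID string
	Decision  string // "ACCEPT" or "REJECT"
	Signature []byte
}

// signedBytes is the canonical string both sides sign and verify. It binds the
// decision to the exact transaction details and nonce the user was shown.
func signedBytes(req AuthRequest, decision string) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d|%s|%s", req.RequestID, req.DeviceID,
		req.Payee, req.AmountGBP, hex.EncodeToString(req.Nonce), decision))
}

// Bank holds the public keys registered at enrolment, the outstanding requests,
// and the permanent log of verified responses (the nonrepudiation record).
type Bank struct {
	devices  map[string]ed25519.PublicKey
	pending  map[string]AuthRequest
	auditLog []AuthResponse
}

func NewBank() *Bank {
	return &Bank{devices: map[string]ed25519.PublicKey{}, pending: map[string]AuthRequest{}}
}

// RegisterDevice stores a device's public key; this happens once at enrolment.
func (b *Bank) RegisterDevice(deviceID string, pub ed25519.PublicKey) { b.devices[deviceID] = pub }

// PushRequest creates and records an authentication request for a transaction.
func (b *Bank) PushRequest(deviceID, payee string, amount int64) (AuthRequest, error) {
	if _, ok := b.devices[deviceID]; !ok {
		return AuthRequest{}, errors.New("unregistered device")
	}
	id, nonce := make([]byte, 8), make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return AuthRequest{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return AuthRequest{}, err
	}
	req := AuthRequest{RequestID: hex.EncodeToString(id), DeviceID: deviceID,
		Payee: payee, AmountGBP: amount, Nonce: nonce}
	b.pending[req.RequestID] = req
	return req, nil
}

// VerifyResponse checks a reply against the outstanding request and the registered
// key, logs it, and reports whether the transfer may proceed.
func (b *Bank) VerifyResponse(resp AuthResponse) (bool, error) {
	req, ok := b.pending[resp.RequestID]
	if !ok {
		return false, errors.New("unknown or already-answered request (replay?)")
	}
	if resp.Decision != "ACCEPT" && resp.Decision != "REJECT" {
		return false, errors.New("invalid decision")
	}
	if !ed25519.Verify(b.devices[req.DeviceID], signedBytes(req, resp.Decision), resp.Signature) {
		return false, errors.New("signature does not verify: reply forged or altered in transit")
	}
	delete(b.pending, resp.RequestID) // exactly one reply per request
	b.auditLog = append(b.auditLog, resp)
	return resp.Decision == "ACCEPT", nil
}

// Device models the user's phone, which holds the private key and never shares it.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{ID: id, priv: priv}, pub
}

// Respond is what happens when the user taps Accept or Reject on the push prompt.
func (d *Device) Respond(req AuthRequest, decision string) AuthResponse {
	return AuthResponse{RequestID: req.RequestID, Decision: decision,
		Signature: ed25519.Sign(d.priv, signedBytes(req, decision))}
}

// Scenario exercises the protocol on constructed sample transactions: a genuine
// Accept, a genuine Reject, a reply whose decision was flipped in transit, and a
// replay of an already-consumed reply.
func Scenario() (accepted, rejected bool, tamperErr, replayErr error) {
	bank := NewBank()
	phone, pub := NewDevice("device-1234")
	bank.RegisterDevice(phone.ID, pub)

	req, _ := bank.PushRequest(phone.ID, "ACME Ltd", 12500)
	resp := phone.Respond(req, "ACCEPT")
	accepted, _ = bank.VerifyResponse(resp)

	req2, _ := bank.PushRequest(phone.ID, "unknown payee", 99900)
	rejected, _ = bank.VerifyResponse(phone.Respond(req2, "REJECT"))

	req3, _ := bank.PushRequest(phone.ID, "ACME Ltd", 5000)
	forged := phone.Respond(req3, "REJECT")
	forged.Decision = "ACCEPT" // third party alters the reply; signature no longer matches
	_, tamperErr = bank.VerifyResponse(forged)

	_, replayErr = bank.VerifyResponse(resp) // request already consumed
	return
}

func main() {
	acc, rej, tamperErr, replayErr := Scenario()
	fmt.Println("genuine accept approved:", acc)
	fmt.Println("genuine reject approved:", rej)
	fmt.Println("altered reply:", tamperErr)
	fmt.Println("replayed reply:", replayErr)
}
```

The nonce and the one-reply-per-request rule are what stop an intercepted Accept from being reused, and signing the full transaction details (not just the decision) is what lets the bank detect a reply whose payee, amount or decision was changed on the way back.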
Lastly, another prevalent attack vector, one that does not occur during a payment but can still lead to monetary losses, is account takeover. This happens when the fraudster buys a victim’s security credentials (username and password) from a database on the dark web, and uses them to access the victim’s bank account online. The fraudster simply adds themselves as a beneficiary and transfers funds out of the account. These victims are not specifically targeted, and there is no social engineering involved – there are simply millions of customer records available for sale online, having been placed there after data breaches. Everyone is vulnerable, and the only way to counteract those fraudulent transfers out of customers’ accounts is to have a second factor of authentication in place.