Mobile banking is becoming increasingly important. According to a study by the Lucerne University of Applied Sciences and Arts (HSLU), the number of logins from mobile devices has increased significantly in recent years, with logins from smartphones, for example, increasing by more than 30 per cent each year on average. For banks and financial institutions, this means that mobile access to banking services has become one of the most important channels for consumers. As a result, authentication and login procedures need to function as smoothly as possible. On the other hand, security standards must also be met to keep customers and their accounts safe from unauthorised access and, in the worst-case scenario, fraud. Read on to learn about the challenges banks face in this respect, typical stumbling blocks that arise in the area of customer authentication and how they can be eliminated.
Authentication in the core banking system
Authentication plays a decisive role in core banking. Highly sensitive customer data must be protected – and not just from a regulatory and legal perspective. After all, banks that do not ensure the security of financial data risk incurring severe fines as well as reputational damage. What's more, security procedures must be designed to operate as easily and seamlessly as possible for customers. Therefore, the priority is to strike a balance in this regard.
However, this is precisely where some banks are falling behind – typically by continuing to rely on obsolete login processes such as the mobileTAN method (mTAN) or hardware tokens. This is neither secure nor efficient from a customer perspective. Although these are recognised authentication procedures, multi-factor authentication (MFA) offers much greater security options. Passwordless authentication based on the internationally recognised FIDO standard, for example, using biometrics, makes logins more secure and provides a seamless customer experience.
The importance of multi-level authentication for core banking
In recent years, cybercriminals have developed ever more sophisticated methods of circumventing multi-factor authentication. Even if a supposedly ‘genuine’ customer logs in using their username, password and SMS one-time password, it is still not possible to guarantee that this customer is the authorised person.
With the help of remote access trojans (RAT) or social engineering attacks, criminals successfully and repeatedly bypass MFA and gain access to sensitive consumer financial data. The financial losses caused by these attacks worldwide amount to billions each year. This is what makes multi-level authentication in core banking such an important preventive measure for warding off unauthorised access to financial data and fraud attempts by cybercriminals.
In particular, context-based checks are necessary to guarantee security after the login and during an account session. Risk-based adaptive authentication can be used to initiate additional (step-up) authentication measures if suspicious account sessions are detected. This can apply, for example, if a remote access trojan tries to access a customer account automatically. Since the malware exhibits behaviour, such as a constant typing speed, which is not typically ‘human’, this can be detected by means of user behaviour analysis (UBA). Such behaviour is not typical of a ‘genuine’ bank customer, so the bank can trigger a further authentication step during the login.
However, unusual behaviour patterns are not the only indicators of attempted fraud. A login from an unusual location can also draw attention to the fact that a criminal is at work. To check this, a geo-velocity check compares the location of the current login attempt with that of the previous one and asks whether the distance could plausibly have been travelled in the time elapsed. If the geographical movement pattern deviates strongly from the usual one, or if unusual transaction patterns occur across different regions and countries, this can also point to fraudulent activity.
Multi-level authentication for core banking systems offers both banks and customers substantially improved security.
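The two signals described above (a geo-velocity check between consecutive logins and a typing-rhythm check for the near-constant keystroke timing typical of automated input) can be combined into a simple step-up decision. The following is an added example written for this article, not code from any bank or vendor product; the speed and rhythm thresholds, coordinates and keystroke timings are constructed for illustration.

```python
"""Risk-based step-up decision using geo-velocity and typing-rhythm signals.
Added example; thresholds and sample data below are constructed, not measured."""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from statistics import mean, pstdev

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed
MIN_HUMAN_CV = 0.15         # assumption: keystroke-gap variation below this looks scripted


@dataclass
class LoginEvent:
    ts: float                 # Unix time in seconds
    lat: float
    lon: float
    keystroke_gaps_ms: list   # inter-keystroke intervals captured during credential entry


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geo_velocity_kmh(prev, cur):
    """Speed the user would have needed to reach the current login location."""
    hours = (cur.ts - prev.ts) / 3600
    if hours <= 0:
        return float("inf")  # same second or clock skew: treat as implausible
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def typing_cv(gaps):
    """Coefficient of variation of keystroke gaps; None if too few samples to judge."""
    if len(gaps) < 5:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else 0.0


def step_up_reasons(prev, cur):
    """Return the list of reasons a step-up is required (empty list = no step-up)."""
    reasons = []
    v = geo_velocity_kmh(prev, cur)
    if v > MAX_PLAUSIBLE_KMH:
        reasons.append(f"implausible travel speed {v:.0f} km/h")
    cv = typing_cv(cur.keystroke_gaps_ms)
    if cv is not None and cv < MIN_HUMAN_CV:
        reasons.append(f"near-constant typing rhythm (cv={cv:.2f})")
    return reasons


# Constructed sample: previous login in Zurich, then one hour later in Bern (genuine),
# New York (impossible travel) and Bern again with machine-like typing (scripted).
HUMAN_GAPS, BOT_GAPS = [90, 210, 150, 300, 120, 180], [120, 118, 121, 119, 120, 122]
PREV = LoginEvent(0.0, 47.37, 8.54, HUMAN_GAPS)
GENUINE = LoginEvent(3600.0, 46.95, 7.45, HUMAN_GAPS)
IMPOSSIBLE = LoginEvent(3600.0, 40.71, -74.01, HUMAN_GAPS)
SCRIPTED = LoginEvent(3600.0, 46.95, 7.45, BOT_GAPS)
```

A real deployment would feed the decision into the FIDO-based step-up flow rather than rejecting the session outright, so a genuine traveller is asked for a second factor instead of being locked out.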
The best of both worlds: maximum security and satisfied customers
Security as well as the user experience from a customer perspective play a key role in core banking. Since authentication is the primary guarantee of security, its fast, simple and secure operation is a critical success factor. However, the situation can become critical if security overrides the customer experience. Studies have shown that one bad experience is enough for a company to lose 20 per cent of its customers for good.
To avoid false positives, we recommend implementing a secure and FIDO-compliant login so that additional security measures can be less strict. As a result, an additional authentication measure is only initiated in response to an extreme discrepancy during the login process. This also avoids the danger of exhausting the patience of customers with excessively stringent security measures.
What’s more, the implementation of single sign-on can contribute to a positive user experience for customers. This means that they only have to log in once with an identity provider and can then access multiple applications across different domains.