In the past year, identity theft has skyrocketed – a worldwide trend that has not gone unnoticed by the public. A report from earlier this year showed that consumers are looking for more security from their banks: 56% want more security measures for non-routine transactions, and 47% want more even for routine transactions.
Clearly, it’s in the best interest of any organisation, but especially financial institutions, to constantly review and update their security systems. But what exactly should this involve? Paul Carter-Brown, Co-founder and CTO of fintech enablement partner Ukheshe, says there are three broad components to digital financial security, referred to as the three A’s:
- Authentication: Is the person logging in who they say they are?
- Authorisation: Are they allowed to do what they’re trying to do on this account or platform?
- Accounting: Creates a record of what they do for potential future queries.
Authorisation and accounting happen largely in the background. But authentication requires the user to interact with the security system and features. And even though most consumers say they want absolute security, organisations need to be careful to strike a balance between security and user-friendliness, says Carter-Brown. “Authentication usually uses a combination of three puzzle pieces: Something you know (for instance, a password), something you have (the device you’re using), and something you are (biometric elements, such as fingerprints). A combination of all three is considered the most secure because it’s very difficult for a scammer to get hold of all three particulars. But that level of security is also burdensome for the user – imagine having to do voice recognition, take a selfie, enter a password and a username, and then find and input an OTP every time you want to log in to your online banking. You would avoid it.”
Organisations should look at their typical customer’s risk profile to find this balance, he says. “An app that processes small transactions but is aimed at wealthy customers, such as a tipping app, for example, shouldn’t have five authentication steps because those customers favour convenience over the risk of losing the R10 value of that transaction. They wouldn’t use the app if it was cumbersome. But should the app also process larger transactions, they could consider a tiered approach that requires additional authentication for larger amounts.”
But that should never be the end of it. Security, and especially identity security, must be constantly re-evaluated and updated, he warns. “Fraudsters are always on top of their game and consumers don’t and can’t always keep up with the latest phishing and fraud tactics. So, companies like Ukheshe proactively provide tools to prevent scammers from getting or using consumers’ credentials. These tools are constantly updated to get ahead of the newest fraud trends.”
This continuous tussle between security providers and fraudsters drives the fast-paced evolution of the market. For instance, fingerprint authentication, once considered cutting-edge, had vulnerabilities that fraudsters exploited. To address this, newer biometric devices now employ advanced measures such as measuring fingerprint temperature or using light to check for blood flow. Similarly, facial and voice recognition methods are at risk of becoming redundant because AI advances now enable the generation of voices from minimal samples or the creation of realistic videos from photos of a person’s face. Staying ahead of these threats requires continuous updates and advancements.
For larger financial institutions such as banks, accessing newer authentication tools and building them into their legacy systems can be a challenge, says Carter-Brown. “Fintechs, exemplified by Ukheshe, endeavour to make it as simple as possible to add newer methods automatically through an API as opposed to backend development. More and more financial institutions are now outsourcing that function to expert fintechs to ensure they stay ahead of the game.”
Whether you do it yourself or outsource it, there is no room for error, he says. “Trust is earned over time by always being at the forefront of the latest technology. And, unfortunately, it takes one big breach to break that trust – even if it’s not your organisation’s fault. You need to ensure you are always ahead of your competitors.”