BAI’s reporting on banking security issues has found that regardless of the threat and response, fraudsters are rapidly adapting not only to security measures, but also to where and how customers access their accounts. Meanwhile, financial institutions face a delicate balancing act: increasing security without scaring away customers. Getting that balance right may represent the industry’s greatest challenge.
“Nobody wants to create a cumbersome or unpleasant experience for the customer, but at the same time nobody wants to approve fraudulent transactions,” says Dave Lott, a retail payments expert with the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta. Lott, a 35-year banking industry veteran, offers his thoughts on the biggest threats that face the financial services industry and what can be done to mitigate them.
BAI: What are your security concerns over the next few years about mobile banking, given the rapidly advancing technology, myriad threats and bad actors?
Dave Lott: As mobile banking/payments options become more popular, criminals will focus more and more on this channel for their illegal activities. Mobile banking is pretty much a utility service offered by 90-plus percent of financial institutions, with fairly high usage rates. Once a criminal compromises the customer’s login credentials, the account can easily be cleaned out through unauthorized payments. A subset of mobile banking—mobile payments—still has low but climbing usage rates. Retailers are beginning to develop their own applications with payment features, and there’s concern about the security level in those applications due to the lack of any standards.
BAI: How do the regulation and compliance pieces fit into all this security consciousness for banks?
Lott: While some may see compliance and security consciousness as separate components, there’s clearly a linkage between the two. Regulatory compliance is a requirement, often with a minimum level of “must do” components. On the other hand, a risk management policy that involves external customer security as well as internal bank security has a wider range of latitude—depending upon the level of risk the bank is willing to take. A strong security policy will generally exceed the minimum compliance requirements.
BAI: Talk about the importance of the entry point to the process when accounts are set up.
Lott: The authentication of the customer at the time the account is created, or when a payment card is added to a payment wallet, is the most important point to stop fraud. After all, if you allow the fraudster in, you know you are only going to get fraudulent transactions. Yet this point in the process is also one of the most difficult, especially since it’s often done remotely, where you don’t have the benefit of actually viewing identification documents. The industry is working hard on this attack point using tools ranging from out-of-band authentication to biometrics—physical and behavioral—to gain a higher level of confidence in the identity of the person on the other side of the transaction.
BAI: What’s the safest way to make a payment and why?
Lott: From an immediate, point-of-transaction viewpoint, paying with cash is probably the safest. The transaction is immediate and there is no possibility of a chargeback or other type of dispute. But from a more complete point of view, cash has the risks of being lost or stolen without consumer liability protection. When considering all the factors of risk in a payment, I believe the mobile payment through one of the pay wallets is currently the safest form of payment. These methods use tokens instead of the real payment card number; they have dynamic cryptograms unique to the transaction. Even if the transaction is somehow intercepted, it cannot be replayed.
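To make the mechanism Lott describes concrete, here is an added, simplified model of a tokenized wallet payment. It is illustrative code written for this page, not code from BAI, the Federal Reserve, or any wallet provider. Real wallets follow the EMV payment tokenisation and EMV cryptogram specifications (derived session keys, defined data elements); here an HMAC-SHA256 over the token, amount, merchant nonce and a transaction counter stands in for the cryptogram, and every name, key and sample value (including the test PAN) is constructed. The point it shows is the one in the answer above: the merchant never sees the real card number, each cryptogram is bound to one transaction, and an intercepted message is rejected when replayed or altered.

```python
"""Toy model of token + per-transaction cryptogram payments.

Constructed illustration (not EMV-accurate). HMAC-SHA256 stands in for the
EMV cryptogram MAC; TokenServiceProvider, WalletDevice and Issuer are
hypothetical role names, and all keys, tokens and PANs are made up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenServiceProvider:
    """Vault that maps a payment token to the real PAN and a per-token key."""
    vault: dict = field(default_factory=dict)  # token -> (pan, key)

    def tokenize(self, pan: str) -> tuple[str, bytes]:
        # Token looks like a card number so merchant systems can carry it,
        # but it is useless without the matching key and a fresh cryptogram.
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        return token, key


def _cryptogram(key: bytes, token: str, amount: int, nonce: str, atc: int) -> str:
    """MAC binding the token to this exact amount, merchant nonce and counter."""
    msg = f"{token}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class WalletDevice:
    """Phone wallet holding the token and key; never holds or sends the PAN."""
    token: str
    key: bytes
    atc: int = 0  # application transaction counter, increments every payment

    def pay(self, amount_cents: int, merchant_nonce: str) -> dict:
        self.atc += 1
        return {
            "token": self.token, "amount": amount_cents, "nonce": merchant_nonce,
            "atc": self.atc,
            "cryptogram": _cryptogram(self.key, self.token, amount_cents,
                                      merchant_nonce, self.atc),
        }


@dataclass
class Issuer:
    """Verifies the cryptogram and rejects any counter value already seen."""
    tsp: TokenServiceProvider
    last_atc: dict = field(default_factory=dict)  # token -> highest ATC accepted

    def authorize(self, txn: dict) -> tuple[bool, str]:
        entry = self.tsp.vault.get(txn["token"])
        if entry is None:
            return False, "unknown token"
        pan, key = entry
        expected = _cryptogram(key, txn["token"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False, "bad cryptogram"      # tampered, or token used without the key
        if txn["atc"] <= self.last_atc.get(txn["token"], 0):
            return False, "replay"              # valid MAC, but already spent
        self.last_atc[txn["token"]] = txn["atc"]
        return True, f"approved for PAN ending {pan[-4:]}"


def demo() -> list[tuple[bool, str]]:
    """Run one genuine payment and three attacks; return the issuer's decisions."""
    tsp = TokenServiceProvider()
    issuer = Issuer(tsp)
    token, key = tsp.tokenize("4111111111111111")  # constructed test PAN
    wallet = WalletDevice(token, key)

    txn = wallet.pay(1999, merchant_nonce="a1b2c3d4")
    results = [issuer.authorize(txn)]                        # genuine: approved
    results.append(issuer.authorize(txn))                    # captured and replayed
    results.append(issuer.authorize(dict(txn, amount=199900)))  # amount altered in transit
    stolen = dict(wallet.pay(500, "deadbeef"), cryptogram="00" * 32)
    results.append(issuer.authorize(stolen))                 # token alone, no valid MAC
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("APPROVED" if ok else "DECLINED", "-", reason)
```

The order of checks matters: the MAC is verified before the counter so that a forged message cannot probe which counter values the issuer has seen, and the counter is only advanced after a valid cryptogram so a rejected replay cannot lock out the legitimate wallet. The same flow is what makes the mail-order scenario in the next answer weaker by comparison: a static card number, expiry and security code carry no per-transaction binding at all.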
BAI: What’s the least safe?
Lott: I think the riskiest payment transaction is a mail order or telephone order payment where the customer has provided their card number, expiration date and generally their card’s security code.
BAI: What’s the weakest link in the payments chain?
Lott: This is caused by a number of factors, such as not locking a phone, thus allowing the criminal to use it when lost or stolen; choosing easily guessed passwords for unlocking the phone and accessing financial applications; or downloading illegal or scam applications that contain malware with viruses that try to determine when the user is entering a payment card number or logging on to their online banking application. To that end, the consumer is often the weakest link.
Lott will share the latest wisdom on the topic in his presentation “Impact of Regulation on Emerging Payments,” taking place at BAI Beacon in Atlanta. A major theme of Lott’s session will be how banks can keep up with risk obligations and thus protect customers.