We’re seeing a lot about strong customer authentication (SCA) at the moment because of the requirement of the Second Payment Services Directive (PSD2) that comes into force in September. That’s because there’s a lot of fraud online, it’s getting worse and the strong authentication of people (in this case, online customers) is seen as being a way to tackle it. PSD2 demands SCA, and this means that European banks and Payment Service Providers (PSPs) have had to up their game.
Strong authentication, in this context, means “two factor authentication” (2FA). What 2FA means is that you must present two “factors” to demonstrate you are who you say you are. The three factors you can choose from are something you have, something you are and something you know (or, in my case, something I had, something I was and something I’ve forgotten). When you buy something in a shop, for example, you present a credit card (something you have) and put in a PIN (something you know). When you enter the country, you present something you have (a passport) and show your face (something you are). SCA is already being implemented by the UK banks, although it appears to be in a somewhat random pattern:
- Santander will send a code by text to a mobile or via their mobile banking app (which is how it should be done).
- HSBC customers will be sent a code via text to a mobile. If unable to receive it, they can get it sent by email.
- Lloyds will text the code to a mobile or send a voice message to a landline.
- Royal Bank of Scotland customers can also opt for an email.
- Nationwide will offer mobile and email options, as well as notifications sent to their mobile banking app and the use of a card reader.
I’m actually quite surprised to see that some of them are still using text messaging to send a “one time password” (OTP) to customers for authentication. It’s not because, as the British newspapers were quick to point out, people who can’t get a mobile signal or don’t own a mobile phone face, as The Guardian put it, being “frozen out of internet shopping as banks are increasingly insisting that online payments are verified by text”. This is indeed a valid concern, but what I find most disturbing about this report is that anyone is verifying online payments, or indeed any other important online transaction, by insisting that they are authenticated by text messages! With the explosion of “smishing” (i.e. phishing attacks via SMS) and the daily tales of account takeover, bitcoin theft and payment fraud carried out via SMS, you really do have to wonder why text messaging is still being used in this context.
This is hardly a new issue. More than a decade ago I wrote about the comments of Charles Brookson, then the head of the GSMA security group, who, when talking about the use of SMS for financial services, made the point that SMS has, to all intents and purposes, no security whatsoever. Structurally, it has always seemed to me to be irresponsible for financial institutions to rely for security on something that is not secure and over which they have no control. Given the prevalence of smartphones, you would think that SMS would be long gone, but it is only now that German banks, for example, are giving up on SMS OTP in response to the PSD2 requirements for SCA.
If we abandon SMS then what should we use instead? Well, we already know that the better option is to use mobile banking apps on the mobile phone. If my banks want to contact me, they should send a message to the bank app on my phone, not send me a trivially counterfeitable text message. Google found in their research on authentication for account recovery that
- an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.
- On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.
How will this SMS-less strong authentication be implemented? For payments it will be through the new version of the card schemes’ “Three Domain Security” (3DS). 3DS version 2 introduces “frictionless authentication” and will be the main card authentication method used to deliver SCA in Europe. It works by allowing retailers and their PSP to send many more data elements with each transaction. These data elements - such as the shipping address, the customer’s device identity and their transaction history - mean that the issuer can carry out more sophisticated risk management to decide whether SCA is needed or not. In most cases, I would guess (since the issuers will use sophisticated risk management platforms with machine learning and all that sort of thing), no further authentication will be needed. But where it is needed, Barclaycard (for example) can send a message to the Barclaycard app on my phone and ask me to authenticate myself.
This is actually a pretty sensible way forward and it would be good if this approach were adopted across the board - not only for retail payments but for logging in to bank accounts, authorising transfers and everything else. But if customers get mixed up between expecting an e-mail or getting a text, seeing an in-app message sometimes but not at other times, then fraudsters will be quick to exploit the confusion. We need both a better and a more consistent approach to authentication for financial services. We need to standardise on the approach, the execution and the UX so that consumers can be confident that they are communicating with their bank or whoever.
Standard Strong Customer Authentication
"To understand this let’s take an analogy. Imagine that SCA in face to face commerce had been mandated on banks, but no technological solution was provided. Instead of chip and PIN each bank created its own solution such that every time a consumer approached a PoS device the authentication method they used would be dependent on which bank they chose to interact with. Can we imagine the confusion on adoption day? But this is, in essence, the experience that has been regulated into existence with PSD2 in on-line commerce. The problem is even worse for third-parties trying to build a business using the PSD2 APIs – because in the middle of their smooth, optimised customer journey their customers are redirected to a bank SCA experience which can vary dramatically in terms of friction and user experience.
To solve this the regulators need to take a step back, temporarily drop anti-competition laws and insist that banks come up with a minimum standard for SCA in online commerce, such that consumers know what to expect and third-parties aren’t disadvantaged by variable SCA experiences."
From "Strong Customer Authentication: where are we now? | The Paypers".
It has long been clear that the best architecture for what I am now labelling Standard Strong Customer Authentication (or SSCA) is biometric authentication against a revocable token stored in tamper-resistant local storage. We all carry a device capable of implementing this design at a manageable cost: the mobile phone.
(As an aside, since the mobile phone operators control a standard item of tamper-resistant hardware in all phones — the SIM — you might well ask why we are not all using a standard authentication from our mobile operators already, but that’s a different point and I don’t want to get diverted by Mobile ID Connect here.)
The point is that with really strong authentication, your bank shouldn’t be sending you a text message or an e-mail or whatever, it should be using real cryptography to send a message to the bank app on your mobile phone. So, when you try to buy something online with your Barclaycard
If the bank (or anyone else) cannot reach the mobile app then there should be a standard fallback across all service providers, which would probably be a voice call, thus opening up the use of voice recognition and authentication. And if you are online buying something or transferring money to someone or closing an account and you can’t be reached via the mobile app or by a voice call, well… tough, basically.
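To make the “real cryptography to the bank app” architecture concrete, here is an added example written for this post; it is not code from the original, from any bank, or from the 3DS specification. It models the design sketched above: a key pair is generated on the phone at enrolment (in a real deployment the private key lives in the phone’s secure hardware and is unlocked by a biometric; here it is an in-memory field), only the public key goes to the issuer, and each approval is a signature over a single-use nonce plus the payee and amount, so a code approved for one payment cannot be replayed or re-used for a different one. Revocation of a lost phone is simply deleting its public key. All type and function names (`Enroll`, `Issuer`, `NewChallenge`, `Verify`, `Revoke`) and the sample transaction are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction is what the customer is asked to approve. The authentication
// code is bound to these fields, so changing payee or amount invalidates it.
type Transaction struct {
	Payee       string
	AmountPence int64
	Merchant    string
}

// Challenge is the message the bank pushes to its own app (not an SMS):
// a fresh nonce plus the transaction details the customer must be shown.
type Challenge struct {
	Nonce [16]byte
	Tx    Transaction
}

// challengeDigest is what the app signs: a hash over the nonce and every
// transaction field, so the signature covers exactly what the customer saw.
func challengeDigest(c Challenge) []byte {
	h := sha256.New()
	h.Write(c.Nonce[:])
	h.Write([]byte(c.Tx.Payee))
	h.Write([]byte(fmt.Sprintf("|%d|", c.Tx.AmountPence)))
	h.Write([]byte(c.Tx.Merchant))
	return h.Sum(nil)
}

// Device stands in for the phone. The private key never leaves it; a real
// app would gate Approve behind the platform biometric prompt (hypothetical model).
type Device struct {
	priv *ecdsa.PrivateKey
}

// Enroll generates the device key on the phone; only the public half is returned
// for registration with the issuer.
func Enroll() (*Device, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &priv.PublicKey, nil
}

// Approve signs the challenge digest after the customer has seen the transaction.
func (d *Device) Approve(c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, challengeDigest(c))
}

// Issuer holds enrolled public keys per customer and the challenges it has issued
// but not yet seen answered, keyed by nonce.
type Issuer struct {
	keys    map[string]*ecdsa.PublicKey
	pending map[string]Challenge
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]*ecdsa.PublicKey{}, pending: map[string]Challenge{}}
}

func (i *Issuer) Register(customer string, pub *ecdsa.PublicKey) { i.keys[customer] = pub }

// Revoke is the "revocable token" part: a lost or replaced phone is handled by
// forgetting its public key; there is no shared secret to rotate.
func (i *Issuer) Revoke(customer string) { delete(i.keys, customer) }

// NewChallenge builds the message to push to the app for one transaction.
func (i *Issuer) NewChallenge(tx Transaction) (Challenge, error) {
	var c Challenge
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return c, err
	}
	c.Tx = tx
	i.pending[hex.EncodeToString(c.Nonce[:])] = c
	return c, nil
}

// Verify checks the signature against the challenge the issuer itself recorded
// (never one supplied by the caller) and consumes the nonce so it is single use.
func (i *Issuer) Verify(customer string, nonce [16]byte, sig []byte) error {
	pub, ok := i.keys[customer]
	if !ok {
		return errors.New("no enrolled device for customer")
	}
	key := hex.EncodeToString(nonce[:])
	c, ok := i.pending[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(i.pending, key)
	if !ecdsa.VerifyASN1(pub, challengeDigest(c), sig) {
		return errors.New("signature does not match the issued challenge")
	}
	return nil
}

func main() {
	dev, pub, err := Enroll()
	if err != nil {
		panic(err)
	}
	bank := NewIssuer()
	bank.Register("alice", pub) // constructed sample customer
	ch, _ := bank.NewChallenge(Transaction{Payee: "Example Shop", AmountPence: 4999, Merchant: "example-shop"})
	sig, _ := dev.Approve(ch)
	fmt.Println("first approval:", bank.Verify("alice", ch.Nonce, sig))
	fmt.Println("replayed approval:", bank.Verify("alice", ch.Nonce, sig))
}
```

The design choice worth noting is that the issuer verifies against the challenge it stored, not one echoed back by the app; that is what stops a code from being redirected to a different payee or amount, which is exactly the property an SMS OTP lacks.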