Johannesburg - Tighter restrictions on how banking transactions are authenticated online could introduce further risks, says a software company.
On August 1 2015, the European Banking Authority (EBA) will require banks and payment service providers (PSPs) in the European Union (EU) to use multi-factor authentication for complex transactions such as payments on the internet.
This means two or more independent methods of authentication - such as one-time SMS passcodes, fingerprints or passwords - must be used, so that compromising one of them does not compromise the others.
The enforcement of stricter regulation comes after online credit card payment fraud in Europe grew 21.2% during 2012 to top €794m in losses, according to data released by the EBA in December 2014.
Multi-factor authentication is therefore intended to improve customer identity verification.
But customer engagement solutions company Aspect Software says that, while the measures encourage protection, they may also compromise customer experience and even expose users to more sophisticated types of fraudulent activity, such as SIM swap.
“The new two-factor authentication process being suggested will require a lot of payment service providers to rethink their current models, which are increasingly using one-time passwords (OTPs) via soft (SMS) or hard tokens (small plastic devices) to complete transactions. Unfortunately, although it is popular, SMS is easy to compromise,” said Keiron Dalton, a mobile security expert and Director of Cloud Services at Aspect.
“Fraudsters have the capability to access people's details and have been taking full advantage. For instance, with mobile banking transactions, SIM swap is fast becoming a favourite technique; this occurs when someone unlawfully obtains a duplicate SIM card for a mobile number, fundamentally re-directing communications – including SMS – back to the hackers. Victims are unlikely to find out until it is too late, leaving their accounts vulnerable for fraudsters to take full advantage,” he explained.
To counter these risks, Dalton said banks need to ensure that they have the necessary security mechanisms in place for the likes of SMS authentication.
“SIM swap checks, divert detection, location detection – these are all simple checks that can be performed imperceptibly to the user, but offer strong authentication on the status of the mobile device being used to perform transactions,” said Dalton.
“Using the data derived from smart device use, such as geographical data, anything suspicious is subject to further unnoticeable checks that finally determine whether a transaction is fraudulent or not. The genuine user notices no interruption to their day, and has a great experience,” Dalton explained.
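The three checks Dalton names (SIM swap, divert and location) are evaluated before an OTP is sent, so a code is never delivered to a channel that may already be in the wrong hands. The following is an added illustration of that gating logic, not Aspect's code or any bank's production rules: the carrier-derived fields, the seven-day SIM-change window, the 500 km distance threshold and the sample inputs are all assumptions constructed for the example.

```python
"""Hypothetical pre-delivery checks for SMS one-time passcodes.

Added example, not Aspect's product logic. Before an OTP is sent, the
SIM swap, divert and location checks are evaluated and turned into a
decision. Field names, thresholds and sample data are assumptions.
"""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SIM_SWAP_WINDOW = timedelta(days=7)   # assumed: a SIM changed this recently is suspicious
MAX_DISTANCE_KM = 500.0               # assumed: device this far from the request is suspicious


@dataclass
class MobileStatus:
    msisdn: str
    sim_last_changed: Optional[datetime]            # assumed carrier lookup result
    call_divert_active: bool                        # unconditional forwarding on the line
    device_location: Optional[Tuple[float, float]]  # (lat, lon) reported by the banking app
    transaction_location: Optional[Tuple[float, float]]  # (lat, lon) of the request origin


@dataclass
class Decision:
    action: str                                     # "send", "step_up" or "block"
    reasons: List[str] = field(default_factory=list)


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def assess_sms_otp(status: MobileStatus, now: datetime) -> Decision:
    """Decide whether an OTP may be sent over SMS to this number right now."""
    reasons: List[str] = []
    if status.sim_last_changed and now - status.sim_last_changed < SIM_SWAP_WINDOW:
        reasons.append("sim_changed_recently")
    if status.call_divert_active:
        reasons.append("call_divert_active")
    if status.device_location and status.transaction_location:
        dist = haversine_km(status.device_location, status.transaction_location)
        if dist > MAX_DISTANCE_KM:
            reasons.append(f"location_mismatch:{dist:.0f}km")
    # Assumed policy: a recent SIM change or an active divert means the SMS
    # channel itself may be controlled by someone else, so the code is not sent
    # and the customer is routed to a different verification path. A location
    # mismatch alone triggers an extra, non-SMS check rather than a hard block.
    if "sim_changed_recently" in reasons or "call_divert_active" in reasons:
        return Decision("block", reasons)
    if reasons:
        return Decision("step_up", reasons)
    return Decision("send", reasons)


def demo_cases() -> Dict[str, Decision]:
    """Run the checks over constructed sample statuses (not real customer data)."""
    now = datetime(2015, 8, 1, 12, 0, tzinfo=timezone.utc)
    london = (51.5074, -0.1278)
    johannesburg = (-26.2041, 28.0473)
    cases = {
        "clean": MobileStatus("+44700000001", now - timedelta(days=90), False, london, london),
        "recent_sim_swap": MobileStatus("+44700000002", now - timedelta(days=2), False, london, london),
        "divert_active": MobileStatus("+44700000003", now - timedelta(days=400), True, london, london),
        "far_away": MobileStatus("+44700000004", None, False, johannesburg, london),
    }
    return {name: assess_sms_otp(status, now) for name, status in cases.items()}


if __name__ == "__main__":
    for name, decision in demo_cases().items():
        print(f"{name:16s} -> {decision.action:8s} {decision.reasons}")
```

The point of the ordering is that the SIM and divert signals describe the delivery channel, not the customer, which is why they block SMS outright instead of merely raising the risk score; a mismatched location is a property of the session and is better handled by the kind of further, unnoticeable check Dalton describes.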
Dalton further told Fin24 that there are more sophisticated methods of authentication that use behavioural and contextual awareness to create greater trust and verification.
“Less onus on the individual to remember passwords, more reliance on the end device and relationships between account holders and the end device,” Dalton told Fin24.