The process you describe makes total sense Melvin, in particular as Chip and PIN is primarily focused on the international traveler (if I am abroad I can't present myself at my branch). It does also highlight additional potential security vulnerabilities concerning PIN resets and spearphishing.
30 Oct 2014 13:50
Many thanks Melvin. You are correct that this is the process in the UK, unless of course the consumer has forgotten their PIN entirely which requires a reminder or a new PIN to be sent by post. In the US the process appears to be different as the banks I spoke to don't allow PIN resets at the ATM, instead relying on a process whereby the customer must appear in person at the bank with their card and ID.
30 Oct 2014 13:31
Hi Melvin, in general today, payment card transactions aren't subject to a proximity check. So when an exception occurs, which happens frequently (in particular when traveling abroad), the transaction is declined and either the customer contacts the issuing bank, or in some cases the issuing bank pre-empts the situation and contacts the customer. Applying a proximity check can "second guess" the issuing bank's risk management engine decision to dramatically lower these false positives. On the assumption that the customer has lost the phone but not contacted the bank, the "second guess" will in all probability fail and the bank will decline the transaction (which will in any event cause the customer to contact the bank). If the customer has already contacted the issuing bank, the "second guess" can be taken off for that customer which would mean that their payment cards operate as they do today.
20 Oct 2014 21:26
It’s good to see the Bank of Scotland focussing on the mobile customer experience. Clearly they see this as a significant competitive advantage, and promoting it as such, whilst also highlighting the security features of their approach. With mobile, streamlining the login process, enrolment and activation is key if banking apps and wallets are to achieve the adoption needed. When it comes to financial services, consumers want convenience. Mobile can deliver a strong value proposition but achieving the balance between a low friction customer experience and “behind the scenes” strong security is vital. What is clearly still lacking is consumer confidence in the security of the mobile environment, and every high-profile attack on the payments industry further dents consumer confidence. So it doesn’t help at all to read headlines such as “Personal banking apps leak info through the phone” coming rapidly on the back of some of the most high profile data breaches in history. Not scare-mongering – sadly fact.
Fraudsters are relentless and evolve their methods constantly, and it’s easy to form an opinion that the war is over and they have won. However some reassurance can be derived from the amount of research and innovation that is being invested in the security sector. The evolution to mobile creates some of the greatest opportunities we have to reengineer process flows and remove traditional opportunities for fraud. Real-time checks carried out in parallel at the point of sale can be used to detect and prevent fraud yet without any apparent linkage of the process flows. Such capability creates very complex layered security models that are very difficult for the fraudster to hijack. And even if one or more layers are compromised, the integrity of the process can be preserved.
Alongside the application of such powerful multi-factor, multi-layered invisible technologies is the emergence of innovative low friction “visible” technologies such as Voice Biometrics, with Equal Error Rates low enough to ensure widespread mainstream adoption in both online and mobile banking. Speaking is intuitive and when speaking can be combined with voice recognition and voice biometrics, but in a totally intuitive and “command driven” perspective, in high-fidelity, over the data channel (no call placement required), and where no PINs or passwords or any form of pre-determined security information is necessary, then a paradigm shift has been achieved and mass adoption is inevitable.
Such fiction is in fact reality today, and the technologies are already available, and in the process of being deployed by the most advanced technology adopters on the planet. No bank wants to be on the “bleeding edge” of any technology, but in the race for competitive advantage, and the absolute need to counter the fraudsters, no bank can afford to not be on the “leading edge”.
28 Jan 2014 13:02
Once again we are sadly reminded of the vulnerability of businesses to data breaches, and we are left with 40 million customers fearing that their credit cards will be hijacked by fraudsters just in time for Christmas.
There has been a consistent rise in cyber-crime in the past few years, and traditional security solutions have proven to be inadequate to prevent this. So much so that it has become inevitable that, on occasion, card details will be stolen from businesses.
Whilst it is a difficult task indeed to prevent the theft of customer data, and we can expect to see instances such as these increase in 2014, the solution lies in real-time detection and prevention of the mis-use of such data to perpetrate fraud. The solutions exist to achieve this through low/no friction, real-time, context aware, multi-layered authentication models, which for the most part are totally invisible and intuitive.
This latest crime underlines once more the need for efficient, real-time, context-aware authentication and verification systems, but the security industry can only do so much. It remains the responsibility of financial institutions to implement these up-to-date systems and to protect their customers from future Christmases overshadowed by the fear of identity theft and payment card fraud.
20 Dec 2013 15:02
@Mr Ketharman, the assumption that Proximity Correlation and GPS are the same is actually an incorrect one. Your lack of knowledge is however understandable since Proximity Correlation is a new capability and as the inventors of Proximity Correlation Logic®, this patent pending technology (that has been granted a European Privacy Seal) is fundamentally different. Your points, therefore, on “formidable hurdles in front of proximity correlation” are not applicable. I am intrigued nonetheless on your view that 2-way SMS alerts are a more reliable solution - more reliable than what, specifically? By the time an individual receives an SMS the transaction has more than likely already been declined, as SMS cannot be used in the real-time authorisation process. However, as you state that you use a different SIM when travelling abroad, I’m unclear as to how you would ever receive such an SMS from your issuing bank, as they would not keep a foreign PAYG number on their systems. The upshot would be you’d end up ringing them from abroad, at your own cost, as distinct to Proximity Correlation which costs the cardholder nothing. In terms of the false-positive rates quoted in the article, I think that we all agree that it’s relatively easy to stop fraud. Simply decline more transactions. The consequence of aggressive fraud prevention strategies is that the False Positive rate goes through the roof (we have observed rates as high as 98%). Whilst Proximity Correlation can of course address the fraud issue, the real benefit to us all is that Proximity Correlation addresses the serious False Positive issue also. And it’s future proofed. As mobile payments become an increasingly common form of payment, the convergence between the payment method and the device, with the right security checks in place, provides the ultimate framework for Proximity Correlation.
07 Nov 2013 12:21
UK banks are all too aware of the customer service and satisfaction implications of aggressive decline strategies in place today, resulting in high false-positive rates for travelling cardholders. The decision of UK banks to adopt this invisible and highly effective solution to prevent false-positives, without any negative impact on fraud detection is in stark contrast with a number of European countries looking to implement Geo-blocking of cards which will have a major negative impact on the cardholder and issuer alike. Reducing card fraud through blanket decline policies is not effective in terms of customer service and the cost of false-positives, Proximity Correlation is.
06 Nov 2013 12:29
The news has broken that hackers have stolen the personal information of two million Vodafone Germany customers from one of the company’s servers. Some of this information includes confidential bank account details, and many of these customers are now at risk of fraudsters attempting to access their accounts. Although they may not have access to all the details they need to compromise the security of the customers’ accounts, they could soon get them, through tactics like email phishing and telephone vishing.
Fraudsters will always find ways of accessing our personal information. To really secure our money, we need to ensure that once hackers have this information, they can’t use it to access our bank accounts and authorise payments and transfers. Banks need to have the controls to prevent stolen information being used, even though they may never be responsible for the actual loss of the data. In today’s electronic world, the more places your bank account and card details are stored, the greater the risk of them being hacked.
The answer is robust authentication and transaction verification, relative to the bank’s perceived risk of the transaction. It must combine speed (real-time), strong security, efficiency and ease of use, while shutting down the scope for fraudsters to benefit from their crime.
Financial institutions need to step up and utilise more effective authentication and verification systems that can protect customers’ bank accounts when their personal information has been stolen.
16 Sep 2013 13:42
There are two parts to solving a telephone scam like the one that Wall St regulator Finra is warning investors about.
The first part is mutual authentication, whereby the bank has to properly authenticate itself to the customer. It could stop this style of scam at source. If, for instance, customers recorded their own greeting with their bank – using their own voice – and the bank replayed that greeting whenever it contacted the customer by phone, then the customer could have a very high level of confidence it was indeed their bank on the phone.
There is increasing emphasis on the need for customers to prove their identity to banks, but in my opinion, banks should also bear the responsibility of proving their own identity to customers. The technology already exists to do this, and could also be applied as another layer in solutions to combat online and mobile banking fraud too.
The second missing piece of the jigsaw is customer education. I strongly support the views of people like Shirley Inscoe, senior fraud analyst at AITE, who advocates banks educating their customers about the types of fraud that could affect them.
Banks not only need to highlight the types of scams in existence but also explain to consumers how security technology could work for them. Being able to get the customers’ buy-in on using the likes of voice-based mutual authentication is essential if this is to work. That is not to say security procedures should be overly onerous. The security industry already rightly appreciates that there is a fine balance between strong authentication and user-friendliness. Finding that balance can be tricky, but having a mix of visible and invisible layers of security would make the process easy for the consumer, but still sufficiently strong for the bank.
20 Aug 2013 12:32
This morning, a report from the home affairs select committee has made a call to action to the UK to tackle online fraud. The committee are calling for banks in particular to wake up to the reality of online crime, and are pushing for them to report all instances of e-fraud to the police.
Beyond reporting online crime and uncovering and persecuting the criminals hiding in cyberspace, surely it is now time for financial institutions to step up and utilise effective security systems that can protect against this type of fraud occurring in the first place.
The key to this security lies in real-time detection, prevention and immediate resolution of fraudulent activity. Technology is available today to absolutely achieve this, in real-time, totally privacy sensitive, highly secure and yet intuitive from a customer standpoint. In fact, in many cases the customer is not even aware that security is being applied as many of the techniques used are completely invisible. The answer is robust customer authentication and transaction verification, relative to the bank’s perceived risk of the transaction. It must have speed (real-time), strong security, efficiency, good customer service and ease of use, while shutting down the scope for fraudsters to benefit from their crime.
30 Jul 2013 12:29