UK Banks expose customers to fraud for the sake of a signature
The UK Banking industry is proving to be increasingly unable to protect its customers' accounts from theft and fraud. A recent survey* found that one in every three people has been a victim of card fraud; that a UK customer falls victim on average every 8 seconds - and that card-not-present crime is now the biggest type of fraud in the UK.
To combat what is now a fraud industry stealing over £½ Billion annually, Banks are resorting to a muddled mix of ever more complex security measures that infuriate customers and barely slow down the thieves. So why do they continue to ignore the most effective way of authenticating a transaction - biometric signature verification?
(*APACS 2004)
A Question of Identity
It used to be so simple. Your signature on a cheque was all it took to authorise payment. But then along came online banking, so you needed a number to identify your bank account and a password to confirm that it really was you, and your account would be secure from intruders. Except of course, it wasn't.
So Banks then asked customers to remember where they were born, or their birthday, or their favourite colour, book, film or pet's name. They introduced extra devices that could be lost or stolen. But while that made access more tedious for genuine customers, it barely seemed to slow down the criminals at all.
All this time, however, KeCrypt has been developing a biometric verification system that cannot be faked, fooled or forged. It's 100% secure and it takes the whole process a full circle, because all it requires is a signature!
So how much longer can financial institutions continue to ignore it?
Biometrics is good for business
Online payment or account management is a very attractive and cost effective process for banks and customers alike. But with the banks and card issuers all having separate security solutions, there is a strong risk that customers will lose patience and simply stop interacting online.
Even more worrying for the Banks is that a recent study (May 2006) by Vanson Bourne for LogicaCMG showed that 57% of people would be more likely to change their current account provider if all it took was an identity card and biometric to establish and prove identity.
The study spanned seven European countries and in Germany the average increased to 64%. LogicaCMG says the research shows that the introduction of biometrics could lead to much greater consumer confidence in switching between bank accounts and other financial products.
Chip & PIN - A false dawn
When the Banks finally turned to new technology, it wasn't biometrics they chose, but Chip & PIN. Initially it seemed a good move, with banks claiming that counterfeit card fraud had been cut by £60m - a drop of 24% - in the first year. Unfortunately what may have happened is that fraudsters have simply moved away from face-to-face transactions. In the first six months alone, Card Not Present fraud (that is, Internet and telephone purchasing) rose by 29%!
Technically, the banks continue to play catch-up with the criminals. Serious flaws in Chip & PIN meant that, for example, Shell had to suspend Chip & PIN payments at 600 of its UK garages after more than £1m had been defrauded from customers' accounts; while Tesco is changing the casings of its 2,000 ATMs to stop criminals from attaching skimming devices.
Even the Banks themselves are no longer secure. In 2005 a Manager for the Halifax was convicted of stealing £7m from the accounts of 85 private investors. In 2006 a Bank Manager was convicted of defrauding the RBS of £21m. Introducing biometric authorisation into the workflow process would probably deter such frauds in the first place.
Recent highly publicised cases have shown that banks are not even able to guarantee the security of customer data, with confidential information being discarded in skips!
The Cost of Customer Security
Why are the banks and card issuers not taking more urgent action in deploying better authentication across the full range of their services? It is probably because the level of fraud is so small in comparison with the volume and value of transactions taking place.
Banks often see no benefit in investing in securing customers' accounts. A Gartner report (Complementary Security Methods Reduce Fraud and Strengthen Authentication - October 2005), concluded that - "At about $15 per token per year in direct costs, some authentication technologies (for example, dedicated hard one-time password tokens), can cost more to issue and maintain than the cost of the fraud losses."
With other security measures, Banks have shifted the liability to the merchant and the customer. One such system is 3DSecure, the adoption of which by merchants shifts the cost responsibility for Card Not Present fraud away from the issuing banks.
Like all Knowledge-Based Authentication (KBA) systems, such solutions rely on additional layers of data provided by customers that give the impression of added security. In fact, they are all vulnerable to phishing scams, social engineering attacks, theft and threats. Apart from that, they are tedious and unpopular with customers.
The use of devices as opposed to KBA has, as Gartner has concluded, cost implications for the Banks. So one way is to get the customer to pay for it, for example by using their mobile phone to verify an online transaction. But once again Gartner has discovered that 'Customers least prefer using another device for authentication.' (Gartner - Complementary Security Methods Reduce Fraud and Strengthen Authentication - October 2005).
Other devices, such as Smart Cards and USB Tokens, hold authentication credentials and connect directly to the customer's PC. Perversely, because all these devices are subject to loss or theft and contain more user authentication credentials than a standard plastic card, they are actually a greater liability!
Conversely, Biometrics held on the Smart Card or Token device are the only form of customer credential that renders its loss useless to fraudsters.
Biometrics - the Banks' Case
So what is the banks' argument against biometrics? Well, cost for one. But banks and card issuers face greater losses if customers turn their backs on online banking and transactions. Other objections are user acceptability, vulnerability to forgery and the question of customer authentication for the initial registration.
The Banks also suggest that, as with other systems, biometrics are vulnerable to coercion. So the customer may have been forced to provide the iris scan or the fingerprint. Or the fingerprint could have been placed on the reader from a lifted latent. Or even in error!
KeCrypt Signature - 100% Secure
So what's so wrong with the most basic biometric of all - a signature?
The answer is nothing at all - provided it's a KeCrypt Signature, the only biometric verification system that cannot be faked, fooled or forged.
Uniquely, KeCrypt Signature only ever records the way the signature is signed - the acceleration, speed, pressure and time - and not the way it looks. This ensures that it's virtually impossible to copy, and makes the stress of coercion counterproductive.
For the customer, authentication by signature is natural and the ultimate expression of intent. The biometric data can be held on a Smart Card with no possibility that the signature itself can be recreated by anyone other than the genuine customer. Online verification then only requires a Writing Pad that incorporates a Smart Card reader.
Back to basics
The strength of the KeCrypt Signature biometric solution is that it makes all the other security measures redundant. You don't need to remember passwords, numbers, or your favourite anything. It can't be lost, stolen or forgotten and customers can't be tricked or forced into revealing it.
Finally, it's the way customers actually prefer to authorise their financial transactions, whether that be online or face-to-face. And that's what Banks have to face up to.