Comment: Mutual Authentication and Customer Education Can Prevent Fraud

Should banks and their customers share the authentication burden?
Should banks and their customers share the authentication burden?

At the end of last year we saw a wave of telephone scams in the UK. According to Financial Fraud Action UK and the UK Cards Association, they caused over £7.5 million of fraud on credit and debit cards in the first eight months of last year, affecting 1,600 people in the UK.

One affected bank, the Yorkshire Bank, addressed the problem by posting a press release on its website warning customers. In this case, customers were targeted by sophisticated fraudsters who posed as Yorkshire Bank employees to obtain customers’ bank security details. According to the press release, these details included PINs, three-digit security codes for cards (CVV codes), usernames and passwords for online banking, and information about authentication tools such as digital key fobs.

Customers were understandably lured into a false sense of security when they received calls from people claiming to be from their bank and unwittingly provided the fraudsters with personal information precisely because they had been asked to verify that they were the account holder.

So is posting a press release on a website for customers to read enough to stop this sort of fraud? I’m afraid that the answer is no. There are two parts to solving telephone scams, and also much of the fraud perpetrated through online and mobile banking. The first part is still a novel but very simple solution – mutual authentication. The second element is effective customer education.

Sharing the Authentication Onus

Mutual authentication, whereby the bank has to properly authenticate itself to the customer, could stop this style of scam at the source. If, for instance, customers recorded their own greeting with their bank – using their own voice – and the bank replayed that greeting whenever it contacted the customer by phone, then the customer could have a very high level of confidence it was indeed their bank on the phone. In the Yorkshire Bank scenario, the fraudsters, although stating they were from the bank and asking the customer to ring back, would not have been able to produce such a greeting on the first call. While there is little doubt some customers would still be taken in, the likelihood of the fraud succeeding would surely lessen.

There is increasing emphasis on the need for customers to prove their identity to banks, but in my opinion, banks should increasingly bear the responsibility of proving their own identity to customers. If banks need an increasing paraphernalia of security to authenticate their customers’ identities, those customers logically need to feel similarly confident that the person on other end of the phone really is from their bank. And in both cases the ultimate beneficiary is the bank.

The technology already exists to mutually authenticate, and as previously mentioned, this is not exclusive to telephone banking – online and increasingly mobile banking also require mutual authentication.

Although uptake so far has been limited, Virgin Money’s image recognition technology is one working example. Virgin Money customers are presented with an image they have chosen beforehand each time they log on to their online banking. This confirms to the customer that they are banking on a genuine Virgin Money browser, which aims to combat man-in-the-browser frauds.

Although this is a step in the right direction, this system is still too reliant on the customer remembering to use it. As far back as 2006, a Harvard-MIT project conducted a study after both ING Direct and Bank of America began using website authentication images. The Harvard-MIT team used an HTTP proxy to create a page that stated the authentication image stage was being upgraded and was therefore unavailable. The data showed that 96% of participants merely accepted this, entered their passwords and logged on, despite never seeing their image of authentication.

The security industry needs to develop processes that require customers to be more active in protecting their own interests. I believe that voice-based mutual authentication would be more suitable simply because it requires the customer’s participation by physically having to pick up the phone, listen to a message and act accordingly, rather than passively clicking through layers of security checks on their computer screen. Furthermore, it can be deployed very easily, at little cost to the bank, and can be deployed across a number of banking channels with equal effectiveness.

It is surprising to see that such a simple but very strong security measure is taking so long to reach full commercial deployment in the financial services industry. The slow movement is perhaps indicative of the view that fraud prevention rests solely with the consumer, and that they should go through numerous security layers to identify themselves.

As I have argued, this premise needs to be contested – banks need to share the burden if they want to keep their customers happy. Furthermore implementation of voice-based mutual authentication would not only reduce fraud and be good customer service, but it would also save banks many millions of dollars spent annually on investigating fraud.

Educating the Customer

The second missing piece of the jigsaw is customer education. I strongly support the views from people like Shirley Inscoe, senior fraud analyst at AITE, who strongly advocate banks educating their customers of the types of fraud that could affect them. However, until now banks have failed to effectively do this, and the Harvard-MIT projectbhighlighted does little to inspire confidence in banks’ use of customer education to date.

Following the attack described at the outset, Yorkshire Bank did attempt to contact its customers through information on its website. However, my concern is that just as consumers fail to read terms and conditions or delete bank emails they view as spam, this approach just doesn’t work effectively.

When educating customers, the banks not only need to highlight the types of scams in existence but also explain to consumers how security technology could work for them. Being able to get the customers’ buy-in on using the likes of voice-based mutual authentication is essential if this is to work. That is not to say security procedures should be overly onerous. The security industry already rightly appreciates that there is a fine balance between strong authentication (and hopefully, soon, mutual authentication) and user-friendliness. Finding that right balance can be tricky, but having a mix of visible and invisible layers of security would make the process easy for the consumer but still sufficiently strong for the bank.

Government-run agencies such as the UK’s ‘Get Safe Online’ or in the US are good outlets for customer education, and indeed the banking industry could learn from consumer-focused groups in their approach to educating the general public. Better still, it should work more closely with such bodies using social media and more interactive messaging that really capture consumers’ attention.


Patrick Carroll is founder and CEO of ValidSoft Limited, a wholly owned subsidiary of Elephant Talk Communications, Inc. Throughout his career, Carroll has been at the forefront of industry thinking, representing organizations on industry bodies and leading participation in industry initiatives. At ValidSoft, he leads the R&D function and is responsible for intellectual property and new patents.

Prior to founding ValidSoft, Carroll was employed as head of electronic trading technology in Europe for Goldman Sachs International. He has over 25 years of extensive financial services and technical experience and has previously worked in a senior capacity with J.P Morgan, Credit Suisse Financial Products and Bankers Trust Company.

What’s hot on Infosecurity Magazine?