Aditya Menon, Managing Director, Global Digital Strategy, Citi, talks about the proliferation of devices that is changing the threat landscape in digital banking, and the big industry moves that CISOs need to keep their eyes on.
What are the current trends in Global High Value Payment systems?
In global high-value systems, SWIFT handles the largest volume globally. SWIFT deploys proprietary encryption and authentication technology. All certified institutions use SWIFT blackbox encryptors to connect to the SWIFT backbone.
More recently, SWIFT has supported public key cryptography over SWIFTNet over IP. Now they support standard internet protocols for two connections, and this covers a variety of transactions: payments, trades, settlements, etc.
In terms of domestic systems, India has RTGS, which clears the largest volume of real-time payments in India, followed by NEFT, and of course IMPS, the 24x7 mobile payment network managed by the National Payments Corporation of India.
How is the threat landscape evolving in the banking sector, and what would be your suggestions to CISOs in the banking sector in terms of an identity, security or risk framework for digital banking?
There are three parts to it. Banks basically look at it as identity, security and protection. The identity part is all about matching and confirming the digital identity of a consumer. Today, banks support multiple channels and a variety of different authentication mechanisms. CISOs have realized that one of the most important components of identification is the device profile and the context in which it is used. Banks are working with trusted identity providers, who are working closely with chip manufacturers to get the device signature across a variety of operating systems to identify the device uniquely.
Why I would consider it to be a good idea is this: the moment a device is associated with fraud or an attempted fraud, that device is then published on public sites, intimating that a fraudulent attempt was made from a particular device. Also, any attempt to transact on those devices would be detected. There are cross-institution services: the databases that manage device identity and log potentially fraudulent transactions are cross-industry. So that's critically important, because banks working individually won't be as useful. The positive aspect is that there is already an ecosystem in place.
Another suggestion to CISOs is to give more importance to multi-factor authentication. There are two approaches to multi-factor authentication. One is out-of-band authentication: if a consumer is doing a transaction using the internet channel of the phone, then authentication is generally carried out through USSD or an SMS on a smartphone notification framework. The second most practiced way of authentication is OTP. That's pretty good, as it uniquely identifies the device.
Also, a number of banks are looking at location as an important way to triangulate. For example, magstripe cards are extremely vulnerable as they are easy to duplicate. The US still has magstripe cards. So fraudsters skim the magstripe in many other countries, duplicate the cards and fraudulently use them in the US. One good way to stop this is to get card owners registered outside the United States and get their phone numbers registered, so that location-based triangulation places them in proximity to the card being used. Recently, MasterCard announced at MWC in Barcelona that they are partnering with Syniverse to use GSM triangulation to do this correlation, to see that the phone and the card are at least in the same vicinity.
But to have GSM triangulation, banks need to have a deal with the carrier. In India, banks need to team up with the Airtels and Vodafones to allow them to use the SS7 signalling layer and use that information to locate the phone. This is good for in-person transactions.
Is it good for online transactions as well?
It’s obviously not good for online transactions. On the online front, the biggest problem lies in the theft of people’s card credentials. The industry as a whole is moving towards tokenisation. The principle of tokenisation is that the customer does not share his/her card details with the merchant, and the merchant does not share or store the card details anywhere.
American Express, Mastercard and Visa are working towards a scheme for tokenisation of all cards. In tokenisation, when a customer logs in to pay, a one-time token or limited-use token is created. The merchant, in turn, passes that token to the processing gateway. Only at the processing gateway does the token get converted into the 16-digit card number, or, in the case of American Express, the 15-digit card number.
This is one way card fraud can be prevented in a huge way.
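The tokenisation flow described in the answer above, as an added example that is not part of this interview and is not the actual Visa, Mastercard or American Express scheme: a hypothetical in-memory token vault in Python. It assumes the vault sits with the card network or issuer, that the merchant stores only the token, and that the processing gateway is the sole caller of `detokenize`. The `TokenVault` class, the merchant identifiers and the standard test PANs are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for a primary account number (PAN)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenRecord:
    pan: str
    merchant_id: str      # token is bound to the merchant it was issued for
    expires_at: float     # absolute epoch seconds
    uses_left: int        # 1 for a one-time token


class TokenVault:
    """Hypothetical network/issuer-side vault: the only place a token maps back to a PAN."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def issue(self, pan: str, merchant_id: str, ttl_seconds: int = 600,
              max_uses: int = 1, now: Optional[float] = None) -> str:
        if not luhn_ok(pan):
            raise ValueError("PAN fails Luhn check")
        now = time.time() if now is None else now
        # Random token: it carries no information about the PAN, so a leaked
        # merchant database yields nothing that can be replayed elsewhere.
        token = secrets.token_urlsafe(24)
        self._records[token] = TokenRecord(pan, merchant_id, now + ttl_seconds, max_uses)
        return token

    def detokenize(self, token: str, merchant_id: str, now: Optional[float] = None) -> str:
        """Called only by the processing gateway; returns the PAN or raises."""
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None:
            raise LookupError("unknown or already-consumed token")
        if rec.merchant_id != merchant_id:
            raise PermissionError("token bound to a different merchant")
        if now > rec.expires_at:
            del self._records[token]
            raise TimeoutError("token expired")
        rec.uses_left -= 1
        if rec.uses_left == 0:
            del self._records[token]      # one-time token: gone after first use
        return rec.pan


def run_scenario(now: float = 1_700_000_000.0) -> dict:
    """Walks the merchant -> gateway flow and records which checks hold."""
    vault = TokenVault()
    visa = "4111111111111111"   # constructed: standard 16-digit test PAN
    amex = "378282246310005"    # constructed: standard 15-digit test PAN
    out = {}

    # 1. Customer pays at merchant-A; the merchant only ever sees the token.
    tok = vault.issue(visa, "merchant-A", now=now)
    merchant_db = {"last_payment_ref": tok}          # all that merchant-A stores
    out["merchant_never_sees_pan"] = visa not in merchant_db["last_payment_ref"]

    # 2. Gateway detokenises once; a replay of the same token must fail.
    out["first_use_ok"] = vault.detokenize(tok, "merchant-A", now=now) == visa
    try:
        vault.detokenize(tok, "merchant-A", now=now)
        out["replay_blocked"] = False
    except LookupError:
        out["replay_blocked"] = True

    # 3. A token stolen from merchant-A is presented on behalf of merchant-B.
    tok2 = vault.issue(amex, "merchant-A", now=now)
    try:
        vault.detokenize(tok2, "merchant-B", now=now)
        out["cross_merchant_blocked"] = False
    except PermissionError:
        out["cross_merchant_blocked"] = True
    out["amex_is_15_digits"] = len(vault.detokenize(tok2, "merchant-A", now=now)) == 15

    # 4. A token presented after its TTL has elapsed.
    tok3 = vault.issue(amex, "merchant-A", ttl_seconds=60, now=now)
    try:
        vault.detokenize(tok3, "merchant-A", now=now + 61)
        out["expiry_enforced"] = False
    except TimeoutError:
        out["expiry_enforced"] = True
    return out


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The design choice worth noting is that the token is random rather than derived from the PAN, and that every check (merchant binding, single use, expiry) is enforced at the vault, not at the merchant; a real deployment would put the vault behind an HSM-backed service and bind tokens to a domain or channel as well as a merchant.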
What are the big industry moves?
Big industry moves are happening in fingerprint, biometric and voice biometric. Major smartphones are working towards fingerprint and biometric sensors. The Galaxy S5 has already launched with a biometric sensor. Apple has bought a company called AuthenTec for over $100 million and incorporated their technology into the iPhone 5S. Voice biometrics and fingerprints will define the future of identity in digital banking.
Secondly, it’s important to have an omni-channel experience. I mean that most users will access their banks either with a phone or a tablet or with the Internet, but possibly with all three at different times, for different needs. If I just want to check the balance or just want to see if I am registered for electronic bill payment, I may use a mobile phone. I could as well do it on my mobile when I am in an interrupted mode. If I have to do a portfolio analysis and see how much I am spending on my cards, etc., I may want to go to a tablet. And if I want to do a wire transfer abroad, I may want to do it on my laptop. So, depending on the use, we are finding that certain kinds of devices are best for certain purposes. Some actions are better on the mobile, some others on the tablet, and most things are obviously better on the Internet.
Banks need to look at appropriate features and functionality for each device. There is a notion that the more you pack into the application, the better it is. But in mobile, it is counter-intuitive. One big challenge that the digital folks need to address is to create the right balance between usability and features. If they can pack in more features without adding steps or layers, it’s fine. But we need to keep one critical aspect in mind: the users. Users will penalize us severely if we make them do one extra thing beyond what they need to.
So, from a design and usability perspective, we need to ensure that appropriate levels of security get implemented, and use a proportional approach to security and usability.