The competition continues unabated between traditional brick-and-mortar banks and fintech companies, each keen to break the other’s monopoly. Within the EU, the Payment Services Directive 2 (PSD2) mandates open banking, providing leverage for new market players previously denied access to account information for their innovative, competitive offerings.
These ‘neobanks’ also challenge incumbents by providing digital-only banking via smartphone apps and online services. Built from the ground up on digital technology, these new entrants differentiate themselves from traditional big banks via superior innovation and agility.
Interesting, then, was an announcement from the UK neobank Monzo requesting that almost half a million customers reset their PINs due to a potential security breach. This vulnerability could allow certain internal staff to access unencrypted customer PINs.
While it might provide advanced features for handling finances and moving funds, the neobank lags when it comes to strong customer authentication. And it is certainly not alone in the neobank landscape.
Securing Digital Wallet Providers
Digital wallet providers are yet another category of fintechs seeking to disrupt traditional payment models in an open-loop marketplace.
These providers come in several flavors:
- wallets linked to prepaid cards issued by the wallet provider itself, or
- wallets linked to bank-issued debit and credit cards.
In emerging economies, the unbanked and underbanked provide enormous growth opportunities for wallet providers. These typically pre-paid resources fill the gap when traditional cards and account services are simply not available.
However, where money goes, fraud soon follows. Wallet providers, in effect, leverage the emergence of a handheld computer in the form of the smartphone, with its always-on communications capability. This constitutes a digital payments ecosystem—one that should not be compromised by weak authentication solutions. These anachronistic models have proven inadequate, and even “old guard” institutions have largely jettisoned them.
For those providers allowing online initiation of transactions and apps, the same uncompromising standard of identity assurance is essential.
Protection for Providers in Unbanked Regions
Reliance on obsolete Knowledge-Based Authentication (KBA) is a high-risk approach in the online payments landscape.
The only biometric authentication methodology that can satisfy strong security requirements on all channels is voice.
- Most accurate of all biometrics, voice is a natural fit for the smartphone app.
- Voice can be used directly in a web browser with no other devices or phone calls.
- Voice is the only effective modern way to secure the contact center.
Protection for Providers in Regions Lacking Banking Access
In regions that lack banking access, those companies providing payment resources to smartphone-using customers face unique challenges—including unreliable data network coverage. However, Unstructured Supplementary Service Data (USSD)-based payment services can still be biometrically authenticated with a simple phone call.
Some wallet providers seem happy for their users to authenticate via the handset using inbuilt fingerprint readers or facial recognition. Nevertheless, these models are not enforceable, can be bypassed, and can evade the control of the wallet provider. People cannot be ‘forced’ to lock their phones, creating a potential problem with lost and stolen handsets, or those simply left lying around.
Precision Biometrics Closes the Security Gap
PINs can be forgotten, guessed, and stolen, but the human voice cannot. Apart from inbuilt algorithms that detect recordings, the combination of random digits pushed to the app and spoken by the customer provides Precision Biometrics.
This technology combines the strength of biometric authentication with the random nature of digits to create a security model exponentially stronger than either of its component parts.
From a customer’s perspective—and regardless of a payment provider’s internal security flaws or breaches—the discovery of an unencrypted voice biometric template database would represent no threat to template owners or their mobile wallets. It certainly would not erode customer confidence to the degree that a PIN reset would.