In spite of regulators making banks implement additional levels of authentication such as two-factor authentication (2FA), UK Finance’s latest set of data reveals that bank transfer scams (APP fraud) are on the rise and cost Brits £456m in 2019.
In an attempt to curb the issue, banks are implementing SMS verification because it is relatively easy to implement and the software needed to deliver it is relatively easy to install. As a result, banks are relying on this method above all others to authenticate their customers.
However, according to Chris Stephens, head of fraud and security analytics at Callsign, the fact that SMS is being used as a stopgap is a huge problem:
“SMS verification has become the global default solution for banks. However, as the criminals are aware that banks are now relying on SMS for 2FA transactions, they continue to abuse and weaken the systems in place and exploit these methods for their own advantage. Fraudsters typically practise SIM swap fraud: they pilfer personal information about the victim before ultimately contacting the target’s provider to claim that their phone has been lost or stolen.
“There are also unforeseen costs that could stack up for banks as a result of SMS verification. For example, where hiccups occur in the authentication journey, such as SMS texts not being received, banks need to be prepared for a significant increase in incoming calls to the customer service helplines, which can be expensive.
“Furthermore, SMS is not a universal solution. For instance, those living in remote or low-service locations may find it difficult to receive SMS alerts. SMS verification is not accessible to everyone and ultimately is not very customer-friendly and filled with friction. Plus, it relies on having up-to-date phone numbers for all customers, which isn’t an easy feat. For these reasons the European Banking Authority (EBA) are also recommending banks look to alternate options.
“To balance out the high costs of SMS and offer an enhanced customer experience, banks should look towards using intelligent authentication, powered by a decision engine to provide a range of more secure, dynamic, and bespoke journeys for customers. They could also opt for passive forms of authentication, which leverage GPS, biometric, and behavioural data to verify a customer is really who they say they are.”