By Sam Bakken, Senior Product Marketing Manager at OneSpan
Whether for checking their balance, making payments or transferring money between accounts, the consumer demand for mobile banking is showing no signs of slowing. Indeed, today’s consumers now expect their banks to provide a seamless mobile banking experience and will happily switch banks in search of the best service.
This trend is shown by the fact that nearly half of UK adults used mobile banking in 2018 and it is predicted that the popularity of mobile banking will overtake high street bank branches by 2021.
However, banks are facing some significant challenges when it comes to securing their mobile applications. For example, the number of mobile malware attacks nearly doubled in 2018 – from 66.4 million in 2017 to 116.5 million – while mobile account takeovers increased by 79%. As a result, financial institutions are struggling to protect their mobile banking apps and their customers’ sensitive data.
At the same time, fraud losses are mounting. Fraud cost the British banking industry approximately £1.2 billion in 2018, with unauthorised financial fraud losses across payment cards, remote banking and cheques totalling nearly £850 million.
Although banks and financial institutions have tried to counter these threats through the implementation of biometric technology, today’s security landscape highlights a clear need to boost authentication processes. So, what’s the next step for banks to take in the fight against fraud?
It’s well known that ‘active’ biometric authentication methods such as fingerprint scanning and facial recognition have quickly become commonplace in recent years as mobile banking has increased in prominence. They have largely been effective in boosting security and are now seen as essential authentication elements.
However, the rise of mobile has also prompted fraudsters to target the mobile channel more aggressively and develop more sophisticated methods of exploiting users. This, in turn, has presented a need for a context-aware approach to authentication that doesn’t impact the customer experience – i.e. the technology should remain invisible to the user.
This is where behavioural biometrics comes into play. Behavioural biometrics takes authentication to the next level by capturing data points that provide insights into how the user naturally interacts with their device. It then generates a score assessing how well the data matches the user’s historical behaviour, or the behaviour of a representative peer group.
Instead of only relying on information from the moment of authentication, it continuously works in the background and analyses behavioural data – including metrics such as the angle at which the user holds their phone, swipe patterns and keystroke dynamics – to continuously verify the user’s identity. This provides persistent and transparent authentication throughout the banking session, ensuring that only a legitimate user is able to execute a transaction.
What’s more, the non-intrusive nature of behavioural biometrics doesn’t impact the user experience. As opposed to active authentication methods, the behind-the-scenes approach does not require any additional actions from the user, which improves the banking experience. This is all prompting many financial institutions to turn to the technology in order to reduce friction in their authentication processes and, most importantly, strengthen their ability to detect fraud attacks.
Ensuring effective integration
Although behavioural biometrics offers several security benefits, there are still some key considerations for banks and financial institutions to keep in mind when incorporating the technology into their authentication mix.
For example, behavioural biometrics is just one option to authenticate users and should be implemented as an additional, invisible layer in the authentication journey. Rather than functioning in isolation, it should be used together with a risk analytics engine and a mobile security solution to establish trust with the mobile device and create an additional layer of protection.
This enables the data collected from behavioural biometrics to be leveraged in a broader fraud analysis context, supplemented by other authentication processes such as push messages, biometric parameters and geolocation data. Banks will then be able to more accurately detect anomalies (e.g. a sudden change in typing pattern) as soon as they appear during a banking session.
It’s also important to keep specific use cases in mind. Not only should banks define various low and high-risk use cases and adjust the required scores for the level of risk involved, they should also decide which behavioural actions need to be measured for their use case.
Finally, banks have to remember that no single authentication method is a silver bullet. While the possibility of false positives and negatives can’t be completely eliminated with behavioural biometrics, it does play a significant role in reducing them, as it ensures that user actions – such as entering a one-time password or authentication via facial recognition – are only required when absolutely necessary.
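To make the scoring and per-use-case thresholds described above concrete, here is an added example (not OneSpan's code or algorithm) that scores a session against a user's historical behaviour and asks for a step-up only when the score falls below the bar for that use case. The feature set, the z-score formula, the threshold values and the sample sessions are all assumptions constructed for illustration.

```python
import math
from statistics import mean, stdev

# Constructed history for one user, one tuple per past session:
# (key hold ms, inter-key gap ms, device tilt degrees, swipe speed px/ms)
HISTORY = [
    (95, 180, 32.0, 1.10),
    (102, 195, 35.0, 1.25),
    (98, 170, 30.0, 1.05),
    (105, 190, 34.0, 1.20),
    (100, 185, 33.0, 1.15),
]

# Hypothetical minimum match score per use case (higher risk, higher bar).
REQUIRED_SCORE = {"view_balance": 0.40, "pay_known_payee": 0.60, "add_new_payee": 0.80}


def build_profile(history):
    """Per-feature (mean, sample standard deviation) over past sessions."""
    return [(mean(col), stdev(col)) for col in zip(*history)]


def match_score(profile, sample):
    """Map the mean squared z-score to (0, 1]; 1.0 means identical to the baseline."""
    z2 = [((x - mu) / max(sd, 1e-6)) ** 2 for x, (mu, sd) in zip(sample, profile)]
    return math.exp(-0.5 * mean(z2))


def decide(profile, sample, use_case):
    """Return ('allow' | 'step_up', score). Unknown use cases get the strictest bar."""
    required = REQUIRED_SCORE.get(use_case, max(REQUIRED_SCORE.values()))
    score = match_score(profile, sample)
    return ("allow" if score >= required else "step_up"), score


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    sessions = {  # constructed samples
        "typical": (101, 188, 33.0, 1.18),
        "drifting": (104, 194, 35.0, 1.23),
        "anomalous": (140, 120, 60.0, 2.00),
    }
    for name, sample in sessions.items():
        for use_case in REQUIRED_SCORE:
            action, score = decide(profile, sample, use_case)
            print(f"{name:9} {use_case:16} score={score:.2f} -> {action}")
```

In line with the integration advice above, a score like this would be one signal fed to a risk analytics engine alongside device trust and geolocation, not a decision made in isolation.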
Ultimately, behavioural biometrics offers banks and financial institutions an excellent opportunity to enrich their authentication processes and help deter account takeover, while at the same time ensuring a positive banking experience for legitimate users.
While the fact that traditional biometrics like fingerprints and facial recognition have become commonplace is hugely positive for the industry, it’s quickly becoming clear that behavioural biometrics is the next frontier in the fight against financial fraud.