By Hooman Mazaheri, director, global service partner outreach, GSMA
Mobile network operators and banks have a history of working together in authentication and combating fraud; this will continue long into the future.
As online digital payment and financial services evolve and more customers use the internet for financial affairs, banks are under increasing pressure to provide secure authentication and reduce the risk of fraud.
According to a recent report by Financial Fraud Action, losses from online banking fraud in the UK rose by 48% in 2014 compared to the previous year. Consumers are equally demanding a fluid and uninterrupted user experience, with quick ‘step up’ authentications that are kept to a minimum.
SMS authentication exposed
For many years, banks have responded to this conundrum by using mobile network operators to assist with authentication. One of the most widely used ways in which banks use operators is via SMS authentication, whereby banks, if they judge a payment to be unusual, send a text message to the user’s telephone number which asks them to authorise the payment.
This method of authentication is easy and cost effective for banks to roll out, whilst at the same time, the customer is subjected to a simple process which doesn’t overly disrupt the user experience. SMS messages can also be delivered instantly to any part of the globe.
Email has been used to fulfil a similar role, but was found to be less effective. For example, the Reserve Bank of India mandated that email could also be used as a means of ‘step up’ authentication, but the real time nature of SMS meant it was more effective than email as a method of payment authentication.
However, the SMS method has been compromised significantly by fraudsters performing ‘account take over’. In this scenario, the fraudster uses personal data they have gathered to call bank call centres and change the mobile number associated with the account, leaving SMS authentication exposed.
Location data possibilities
Banks are also trialling the use of customer location data to make transactions easier when a customer travels abroad. In this instance, banks contact operators when a payment or withdrawal is made in another country, and operators are then able to confirm instantly, where they have the customer’s permission to do so, whether or not the customer is in the same country as the card being used. As well as confirming that the phone and card are in the same place, authentication requirements can be increased even further with a simple challenge to enter a PIN code, for example.
This trial is indicative of the move towards data as a means of authentication, and the role of operators in providing such data. Recent industry events such as Biometrics 2015 and Money 20/20 have focused heavily on the use of data to authenticate payments, with many experts judging data to be the second-factor authentication that the industry needs.
Banks already use data on consumer spending behaviour to reduce fraud, and use step up authentication, such as SMS, when a payment is judged to be unusual. However, the use of data as a means of dynamic and non-invasive authentication could become much more reliable, and widespread, with the increasing use of mobile.
Mobile data verification
According to GSMA Intelligence, there are currently 3.7 billion unique mobile phone subscribers; by 2020, this will climb to 4.5 billion. As mobile plays a greater role in people’s everyday lives, mobile data can be more easily used for verification. Mobile is already becoming the primary means by which people use the internet, mobile payments are sharply rising, and the use of mobile is increasing across a range of other use cases such as transport services.
All of this data can be collated and used to determine consumer habits with much greater accuracy and reduce the risk of fraud. Data authentication would be highly convenient for the customer as it would decrease the likelihood of step up authentication, and thereby lead to a more streamlined user experience.
An operator-developed authentication solution could play a key role in facilitating the adoption and use of the technology more broadly. Operators have an established relationship with their customers and can easily collect user attributes such as location, account and usage history, which in turn could be used to help verify transactions.
Transparency and user consent are at the heart of operators’ principles around attributes. When relying on their operator for authentication, the user always knows what is being shared, building trust in the operators’ service.
Operators are also completely updated on their customers’ details whenever they order a new handset, which is currently, on average, every 18 months. Moreover, as mobile phone ownership increases, operators will also gain an understanding of new customers.
Operator data can also help minimise the risk of account takeover, for example by proving that the number has been linked to a new SIM or phone, or has had all calls put on permanent divert. The operator can also determine if the original mobile number is still in use by the customer, making an attempt to change it suddenly very suspicious.
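The following example is added here and is not GSMA's or any operator's code: it shows how a bank might combine the operator signals described above (new SIM or phone, permanent divert, number still in use, phone country) when choosing whether and how to step up. The field names, the 72-hour window and the decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RECENT_HOURS = 72  # assumed window for treating a SIM or handset change as "new"

@dataclass
class OperatorSignals:
    """Hypothetical operator attributes; None = not shared (e.g. no consent)."""
    hours_since_sim_change: Optional[float] = None
    hours_since_device_change: Optional[float] = None
    permanent_divert: Optional[bool] = None
    number_in_use: Optional[bool] = None
    phone_country: Optional[str] = None

def takeover_indicators(s: OperatorSignals) -> list:
    """Account-takeover signs the article lists: new SIM or phone, permanent divert."""
    found = []
    if s.hours_since_sim_change is not None and s.hours_since_sim_change < RECENT_HOURS:
        found.append("new_sim")
    if s.hours_since_device_change is not None and s.hours_since_device_change < RECENT_HOURS:
        found.append("new_device")
    if s.permanent_divert:
        found.append("permanent_divert")
    return found

def assess_payment(s: OperatorSignals, card_country: str, unusual: bool) -> str:
    """Return 'allow', 'sms_step_up' or 'non_sms_step_up' for a card payment."""
    if not unusual:
        return "allow"
    doubts = takeover_indicators(s)
    # A phone seen in the card's country only vouches for the customer
    # when nothing suggests the number itself has changed hands.
    if not doubts and s.phone_country is not None and s.phone_country == card_country:
        return "allow"
    # If the number is in doubt, a text to it proves nothing: use another channel.
    return "non_sms_step_up" if doubts else "sms_step_up"

def assess_number_change(current: OperatorSignals) -> str:
    """Judge a call-centre request to replace the mobile number on file."""
    if current.number_in_use:
        return "refer"  # the customer still uses the old number: suspicious change
    return "verify_then_change"
```

A missing signal (None) never clears a payment on its own; the flow falls back to the existing SMS step up.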
Operators are becoming more sophisticated at gathering data, and for this reason they are an invaluable ally to banks and other potential service providers who need secure, convenient authentication.
The GSMA represents the interests of mobile operators worldwide, uniting nearly 800 operators with more than 250 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and Internet companies, as well as organisations in adjacent industry sectors.