An old dilemma is growing more vexing as cybercriminals get better at impersonating customers to loot their accounts and as regulators increasingly push banks to adopt multifactor authentication.
The stronger security features designed to keep fraudsters out — passcode key fobs, for instance, and so-called challenge questions (What was the name of your best friend in elementary school?) — can also block legitimate customers from accessing their own accounts. The app-store listings of many banks' mobile apps are littered with complaints from customers who had trouble logging in to their accounts. The same is true for desktop banking.
"What customers get frustrated with is if we lock them out of their online banking because they're using their cousin's computer on Christmas break, so they've logged in from a different state, on a different computer with a different IP address, and they can't remember what city their parents met in," said Dominic Venturo, chief innovation officer at U.S. Bank. "All they were trying to do was transfer money so they could cover some yearend expense. They get pretty crabby about that."
Insisting that customers provide a passcode from a multifactor token they may have lost, accidentally run through the washing machine or simply left at home won't go over well.
The challenge of toughening security without irritating customers is part of broader cultural changes in our society.
"In this new age of the digital world, customers are finding that lots of things they do are easy, like restaurant reservations, with no consequence from a liability or loss point of view," said Arkadi Kuhlmann, CEO of the startup Zenbanx and founder of ING Direct. "So the expectation is I should be able to access, move and do things with my money as easily as making a restaurant reservation."
This puts a lot of pressure on banks. "If there are losses, the customer doesn't want to take responsibility or the loss," Kuhlmann said. But if banks tighten security, making access to money more difficult, then people are unhappy.
"You are between a rock and a hard spot," he said.
The impetus for tighter security is growing stronger. In a November letter to all the national bank regulators, the New York State Department of Financial Services called for stronger cybersecurity requirements for banks, including the use of multifactor authentication for customers and employees.
Yet help from law enforcement agencies is not always forthcoming, Kuhlmann said. "When we talk to law enforcement about terrorists, we get attention. When we talk to them about fraudulent activity — they only have so many resources."
Meanwhile, malware and social engineering attacks grow ever more sophisticated and effective, sometimes drawing on personally identifiable data stolen in breaches and available on the black market. Security blogger Brian Krebs described in a recent post how a cybercriminal took over his PayPal account by getting his password reset through the company's call center. The lesson, he said, is that banks ought to at least make two-factor authentication available. (PayPal does offer mobile authentication — a code texted to the user's smartphone — but doesn't require or promote it.)
"It behooves any company doing business online to at least offer two-step or two-factor authentication," Krebs said. "They don't need to mandate it, but for those of us who would take advantage of that added account security, it's a huge plus."
Krebs also acknowledges the need for a balance between security and usability.
"It makes a lot of sense for those organizations to invest in the kinds of back-end technologies that can help minimize account takeovers," he said.
Many banks do. U.S. Bank, for example, does a lot of its security work in the background, to minimize the impact on customers. Like other banks, it applies algorithmic logic to check the device identity and location and the user's behavior patterns, among other things. The bank also offers voice authentication on Apple devices, as well as the ability to instantly lock down all a customer's accounts when a device is reported stolen.
Wells Fargo and USAA also use voice recognition in their apps and call centers to confirm customers' identities and detect bad actors.
"That strikes me as a tremendous benefit for companies, because the people involved in account takeovers are generally doing this on a large scale, and will very often call in to banks and try to assume the identity of multiple individuals," Krebs said. "Rarely are these one-off cases."
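The background checks U.S. Bank describes above (device identity, location, behaviour patterns) and the scale signal Krebs points to (one caller or one address working through many accounts) are usually combined in a risk-scoring engine that decides, per login, whether to let the customer straight in, ask for a second factor, or refuse. The following is an added example of that logic, not U.S. Bank's or any vendor's code; the weights, thresholds, customer profiles, device IDs and IP addresses are all constructed for illustration, and the geo-IP lookup is assumed to have happened upstream. The point it makes is the article's: the cousin's-computer login ends in a step-up (a code to the enrolled phone), not a lockout, while the same out-of-state, unknown-device signals plus one IP touching a third account is what tips into a refusal.

```python
# Added example: a minimal risk-based login engine of the kind the article
# alludes to (device, location, behaviour and velocity signals checked in the
# background). Not U.S. Bank's or any vendor's code; all weights, thresholds,
# device IDs, IPs and customer profiles below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str   # device cookie/fingerprint set at enrolment (assumed)
    ip: str
    state: str       # geo-IP result; the lookup is assumed to happen upstream
    hour: int        # hour of day in the customer's home time zone


@dataclass
class Profile:
    known_devices: frozenset
    usual_states: frozenset
    active_hours: range = range(6, 24)


# Illustrative weights; a real deployment tunes these against labelled fraud.
W_NEW_DEVICE = 40
W_NEW_STATE = 25
W_ODD_HOUR = 10
W_SHARED_IP = 30          # one IP touching many accounts: scale account takeover
SHARED_IP_USERS = 3       # distinct accounts from one IP before it counts
STEP_UP_AT = 30           # score >= this: ask for a second factor, don't lock out
DENY_AT = 80              # score >= this: refuse the login and alert


class RiskEngine:
    def __init__(self, profiles):
        self.profiles = profiles
        self.users_per_ip = defaultdict(set)   # velocity state (in-memory here)

    def score(self, a: LoginAttempt):
        """Return (score, reasons) for one attempt; also updates velocity state."""
        p = self.profiles[a.user]
        score, reasons = 0, []
        if a.device_id not in p.known_devices:
            score += W_NEW_DEVICE
            reasons.append("unknown device")
        if a.state not in p.usual_states:
            score += W_NEW_STATE
            reasons.append("unusual location")
        if a.hour not in p.active_hours:
            score += W_ODD_HOUR
            reasons.append("unusual hour")
        self.users_per_ip[a.ip].add(a.user)
        if len(self.users_per_ip[a.ip]) >= SHARED_IP_USERS:
            score += W_SHARED_IP
            reasons.append("ip shared across accounts")
        return score, reasons

    def decide(self, a: LoginAttempt):
        """Map a score to allow / step_up / deny."""
        score, reasons = self.score(a)
        if score >= DENY_AT:
            action = "deny"
        elif score >= STEP_UP_AT:
            action = "step_up"    # e.g. one-time code to the enrolled phone
        else:
            action = "allow"
        return action, score, reasons


# Constructed customer profiles.
PROFILES = {
    "alice": Profile(frozenset({"dev-a1"}), frozenset({"MN"})),
    "bob":   Profile(frozenset({"dev-b1"}), frozenset({"MN"})),
    "carol": Profile(frozenset({"dev-c1"}), frozenset({"WI"})),
    "dave":  Profile(frozenset({"dev-d1"}), frozenset({"IA"})),
}

# Constructed attempts: alice at home, alice on her cousin's PC out of state,
# then one IP working through three different customers' accounts at 3 a.m.
ATTEMPTS = [
    LoginAttempt("alice", "dev-a1",    "198.51.100.10", "MN", 10),
    LoginAttempt("alice", "cousin-pc", "192.0.2.77",    "FL", 20),
    LoginAttempt("bob",   "bot-ua-9",  "203.0.113.5",   "CA", 3),
    LoginAttempt("carol", "bot-ua-9",  "203.0.113.5",   "CA", 3),
    LoginAttempt("dave",  "bot-ua-9",  "203.0.113.5",   "CA", 3),
]


def run_demo(attempts=ATTEMPTS):
    """Score each attempt in order and return (user, action, score) tuples."""
    engine = RiskEngine(PROFILES)
    return [(a.user,) + engine.decide(a)[:2] for a in attempts]


if __name__ == "__main__":
    for user, action, score in run_demo():
        print(f"{user:6} {action:8} score={score}")
```

Two design points worth noting. First, no single signal is enough to refuse a login; an unknown device in an unusual state scores into the step-up band, which is where a second factor belongs, and only the cross-account velocity signal pushes the attacker into the deny band. Second, the velocity counter lives in the engine rather than in the customer's profile, because it is a property of the attacker's infrastructure, not of any one victim; in production it would sit in a shared, time-windowed store rather than a process-local dictionary.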
Apple made fingerprint recognition popular by including Touch ID fingerprint recognition technology on iPhones and making it part of Apple Pay. Apple device users tend to complain when a mobile banking app doesn't support Touch ID — they have grasped the ease of use if not the security benefits. Citi, Chase and Bank of the West are among those using it to let customers log in to mobile banking with the press of a finger.
Atom Bank, a digital "challenger bank" in the U.K., recently announced that it is using face and voice biometrics as credentials for customers logging in. (USAA and Zenbanx are among the U.S. companies that have adopted facial recognition.)
So there are options for forging that middle way between convenience and security. But getting the majority of core banking software providers to support them, banks to invest in them, and consumers to use them, will continue to be an uphill battle for some time.
American Banker Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.