The purpose of mobile banking is to make banking more convenient for customers. As competition in the UK retail banking industry continues to build, customer experience will become increasingly important as a differentiator within the market. Mobile banking should form a major part of that change but, even as the majority of large banks expand the scope of their mobile banking programmes, the escalating arms race with the fraternity of hackers and cybercriminals threatens these improvements. Banks need to strike the right balance by ensuring customers are protected, while still providing them with the convenience of mobile banking.
In terms of the security/convenience trade-off that the user must make when choosing their password, mobile banking is as vulnerable as the desktop and perhaps even more so. The USB card reader, so effective in combating keystroke-logging software, would detract significantly from the convenience of mobile banking. Similarly, the randomised split password is rendered useless if the same password has been used to log in to another service and has become known to fraudsters. Furthermore, a password of sufficient complexity to be useful is always going to be relatively difficult to remember; and since almost all smartphones have a relatively cramped keyboard, the temptation is always to choose a shorter, simpler password which does not involve switching to the ‘shadow’ keyboard.
Until recently, mobile security did not loom particularly large in the minds of security officers, as the percentage of smartphones infected with malware was much smaller than that of PCs. However, cybercriminals are now very much aware of the opportunity that mobile banking affords them, and Android malware is now beginning to make its presence felt on the market. As the percentage of retail banking customers using mobile banking continues to climb, we will only see more of this, and we are certain to see malware targeting other operating systems as well. As criminals become increasingly sophisticated, and customers demand the slickest experience possible, it becomes clear that we need a new approach to security in mobile banking.
Options are relatively limited, but biometrics offers the greatest possibilities, as customers cannot lose or forget their biometric characteristics. Similarly, they cannot be copied or compromised and, as the biometric reference and verification engine can be hosted in the cloud, a hack of any description on a customer’s device would not be capable of compromising the system. The problem with conventional biometric verification systems has historically been hardware – smartphones’ touchscreens are not sensitive enough to read a fingerprint accurately, nor are front-facing cameras good enough to resolve an iris pattern in the necessary detail. Another challenge is that no matter how secure the information may be, the general public are simply not used to having biometric details such as fingerprints and iris scans recorded in this way.
Most people, however, are used to having their voice recorded (“this call may be recorded for training and security purposes”), and the voice is as unique a biometric characteristic as the iris, the fingerprint, or any other part of the body. Moreover, all smartphones have a microphone able to record a voice sample for biometric analysis and, as the actual data in an audio sample is considerably less than in an image, it is much more suitable for processing on a remote computer. At Nuance, we’ve been providing voice biometrics for use in telephone banking for some time, with both Barclays Wealth and Investment in the UK, and Bank Hapoalim in Israel using voice biometric analysis for customer ID and verification. Because the processing takes place in the cloud, the user-facing ‘front-end’ of the technology is relatively simple, and can be made available as a developer plugin (such as Nuance’s Nina), which can be added to the appropriate part of any app. For example, organisations such as USAA in the US are pioneering the use of voice-controlled personal banking assistants in retail finance, but the logical next step is to add voice biometric verification as a seamless part of the user experience.
This also means that it can be used to secure other banking services that the bank may provide through a mobile platform. For example, banks that provide insurance for their customers can control the security of purchases and claims by handling them through their own app and verifying them with (biometric) security credentials which they control and maintain. In this way, a bank can deal with the security flaws that come from an externally managed insurance offering, by tying together a customer’s identity, bank details and additional services in a manner that is much more secure than knowledge-based credentials, and which cannot be compromised by those attempting to use fraudulent identities. In addition, failed logins can be captured and recorded, in order to identify and tackle repeated attempts at fraudulent activity – such ‘black-list’ information can then be shared within the industry.
Voice biometric security offers an opportunity to adopt a technology that will take us more than just the one step ahead of the criminals, and which offers significant customer experience benefits as well. For a generation that is coming to see the smartphone as the primary access point to all online services, both of these factors will become increasingly important over the next few years.
Paul Way is Director, UK, at Nuance Communications