Adrian Jones, CEO at Swivel Secure
Whether it’s through a bank’s website or mobile application, consumers can check their balance, pay bills and have instant access to their money 24/7. This convenience has caused NetBanking to boom. Since 2008 we’ve seen the percentage of people in the UK using online banking nearly double – from 35% in 2008 to 69% in 2018.
But the rapid adoption has outgrown policy, leading to a lack of standard cybersecurity regulations in NetBanking, with a huge opportunity for fraudsters. According to UK Finance, 76% of fraud losses in 2018 were gained through remote purchase payments. Therefore, it’s critical that the growing issue of cybercrime in NetBanking is addressed – something which the European Union Payment Services Directive (PSD2) partly aims to do.
What is PSD2 and SCA?
Launched in January 2018, PSD2 is a set of regulations for payment services and providers in the European Union and European Economic Area. It is a revision of the regulations set out in the original PSD, which established a single market for payments with a view to creating a more efficient and secure service.
One of the major revisions in PSD2 is the introduction of Strong Customer Authentication (SCA). This is a set of technical standards, outlined by the European Banking Authority, which define the security measures that payment services must comply with to enhance the security of online payments.
The standards come into force this September, so the race is on for banks and payment service providers to put the necessary security procedures in place.
Regulatory Technical Standards
Payment service providers need to employ technology that guarantees user authentication and minimises fraud risks. But to comply with SCA, there are three key technical adoptions that payment service providers should consider.
1. Authentication: One-time codes
The first aspect of the SCA technical regulations is to implement strong authentication by utilising one-time codes (OTCs). Each time a user actions a payment, the payment service provider must supply them with an OTC. The user then inputs the code to confirm their identity and validate the payment.
To ensure the authentication code is secure, it must include two or more of the following elements for two-factor authentication (2FA) or multi-factor authentication (MFA):
- Knowledge – something which only the user knows, like a PIN. The user might then extract a one-time code, using their PIN as a positional indicator
- Possession – something the user owns, such as a mobile phone application or a hardware token
- Inherence – something which is associated with the user, including biometrics
Additionally, payment service providers need to ensure that these elements cannot be deciphered if the code is revealed. Therefore, the OTC shouldn’t follow a sequence or be based on the information the user has supplied, to prevent fraudsters gaining personal information about users or guessing a future code.
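The knowledge-factor scheme sketched above (a PIN used as a positional indicator into a freshly issued string) can be shown end to end in a few lines. The following is an added example written for this article, not code from Swivel Secure or from any product; the user name, PIN and the ten-digit string length are constructed, and the server is assumed to hold PINs in a protected store, since it must recompute the expected code. Each security string is random, so consecutive codes share no sequence, and each string is consumed on first use.

```python
import hmac
import secrets
import string

STRING_LENGTH = 10  # one digit per possible PIN position (1-9, with 0 meaning position 10)


def generate_security_string(length: int = STRING_LENGTH) -> str:
    """Server side: a fresh, uniformly random digit string for each attempt.

    Every position comes from a CSPRNG, so successive strings share no
    sequence and the string itself reveals nothing about the user.
    """
    return "".join(secrets.choice(string.digits) for _ in range(length))


def extract_otc(pin: str, security_string: str) -> str:
    """Knowledge factor: each PIN digit names a position in the string.

    The user does this step mentally or inside the possession-factor app,
    so the PIN itself never travels with the payment request.
    """
    if not pin.isdigit():
        raise ValueError("PIN must be numeric")
    positions = [int(d) - 1 if d != "0" else STRING_LENGTH - 1 for d in pin]
    return "".join(security_string[i] for i in positions)


class OtcAuthenticator:
    """Issues one security string per authentication attempt and consumes it on use.

    The PIN store is an assumed protected server-side secret: the server needs
    the PIN value to recompute the expected code.
    """

    def __init__(self, pins: dict[str, str]) -> None:
        self._pins = pins                      # user -> PIN
        self._pending: dict[str, str] = {}     # user -> outstanding security string

    def challenge(self, user: str) -> str:
        """Deliver this string to the user's possession factor (app or hardware token)."""
        security_string = generate_security_string()
        self._pending[user] = security_string
        return security_string

    def verify(self, user: str, submitted_code: str) -> bool:
        """Single use: the pending string is discarded whether or not the code matches."""
        security_string = self._pending.pop(user, None)
        if security_string is None or user not in self._pins:
            return False
        expected = extract_otc(self._pins[user], security_string)
        return hmac.compare_digest(submitted_code, expected)


if __name__ == "__main__":
    auth = OtcAuthenticator({"alice": "2580"})   # constructed user and PIN
    issued = auth.challenge("alice")
    code = extract_otc("2580", issued)
    print("security string:", issued, "-> OTC:", code)
    print("first use accepted:", auth.verify("alice", code))
    print("replay accepted:", auth.verify("alice", code))
```

Note that the submitted code reveals only four digits of a random string; an observer who captures it learns neither the PIN (the positions) nor anything usable for the next challenge, which is the property the text asks for.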
2. Dynamic Linking
Secondly, payment service providers need to adopt measures to link the payer, transaction amount, and payee for each transaction in a standard known as dynamic linking. The payer can see the transaction amount and payee at all stages of authentication, and the authentication OTC will be unique to that transaction. Should any element change, the authentication code will be invalidated.
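To make the binding concrete, here is an added example (written for this article, not Swivel Secure's or any bank's implementation) of dynamic linking: the authentication code is an HMAC over payer, payee, amount and a single-use nonce, truncated in the HOTP style. The key, account identifiers and amounts are constructed; the transaction shown to the payer is assumed to be re-presented to the server at execution time so the code can be recomputed. If any linked element changes after the payer saw it, the recomputed code no longer matches and the authentication is invalidated.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    payer: str      # payer account identifier
    payee: str      # payee account identifier, e.g. an IBAN (constructed values below)
    amount: Decimal
    currency: str


def canonical(tx: Transaction, nonce: str) -> bytes:
    """Fixed field order and normalised amount, so "12.5" and "12.50" link identically."""
    return "|".join([tx.payer, tx.payee, f"{tx.amount:.2f}", tx.currency, nonce]).encode()


def dynamic_code(key: bytes, tx: Transaction, nonce: str, digits: int = 6) -> str:
    """Authentication code bound to payer, payee and amount via HMAC-SHA256.

    Truncation follows the HOTP dynamic-truncation idea (RFC 4226): the last
    nibble of the MAC picks a 4-byte window, which is reduced to `digits` digits.
    """
    mac = hmac.new(key, canonical(tx, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class DynamicLinker:
    """Server side of dynamic linking: one nonce per transaction, accepted once."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: set[str] = set()

    def start(self, displayed: Transaction) -> tuple[str, str]:
        """Called when the payer is shown amount and payee; returns (nonce, code).

        The code is what the payer's possession factor presents alongside the
        displayed details.
        """
        nonce = secrets.token_hex(8)
        self._pending.add(nonce)
        return nonce, dynamic_code(self._key, displayed, nonce)

    def confirm(self, nonce: str, executed: Transaction, code: str) -> bool:
        """Recompute over the transaction actually being executed.

        If payer, payee or amount changed after display, or the nonce is
        replayed, the recomputed code differs and authentication fails.
        """
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = dynamic_code(self._key, executed, nonce)
        return hmac.compare_digest(code, expected)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # a real deployment derives this per user/device
    shown = Transaction("alice", "GB00BANK00000000000000", Decimal("49.99"), "GBP")
    linker = DynamicLinker(key)
    nonce, code = linker.start(shown)
    altered = Transaction("alice", "GB00BANK00000000000000", Decimal("4999.00"), "GBP")
    print("unchanged transaction accepted:", linker.confirm(nonce, shown, code))
    nonce, code = linker.start(shown)
    print("amount altered after display accepted:", linker.confirm(nonce, altered, code))
```

The nonce is what makes the code unique to this transaction even when the same payer sends the same amount to the same payee twice; the set of pending nonces is what stops a captured code being reused.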
3. Transaction Risk Analysis
Finally, payment service providers need to implement risk-based analysis in real time. Every remote payment needs to be monitored and adequate authentication should be applied. Most banks have implemented some sort of risk algorithm and process already but the Regulatory Technical Standards set out specific criteria for remote payments. This uses risk-based analysis to provide a combined score based on particular parameters, including: the locations of the payer and payee, plus any abnormal spending or behaviour from the payer.
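The combined score can be illustrated with a small scoring engine over the parameters the text names (payer and payee locations, abnormal spending and behaviour) and a mapping from score to the level of authentication applied. This is an added example written for this article, not a bank's or Swivel Secure's engine; the weights, cut-offs, spending history, countries and payee names are all constructed, and the payer's location is assumed to come from device or IP geolocation. A real engine would tune these values on observed fraud data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class PayerProfile:
    user: str
    home_country: str
    recent_amounts: list[float]   # spending history used as the behavioural baseline
    usual_payees: set[str]


@dataclass
class RemotePayment:
    user: str
    payee: str
    amount: float
    payer_country: str   # where the payer appears to be (assumed from device/IP geolocation)
    payee_country: str
    hour_utc: int


# Weights and cut-offs are constructed for illustration only.
WEIGHTS = {
    "payer_away_from_home": 30,
    "cross_border_payee": 15,
    "abnormal_amount": 35,
    "new_payee": 15,
    "unusual_hour": 10,
}
Z_SCORE_LIMIT = 3.0        # standard deviations above usual spend that count as abnormal
STEP_UP_THRESHOLD = 20     # at or above: apply SCA
REVIEW_THRESHOLD = 60      # at or above: SCA plus hold for manual review


def risk_score(payment: RemotePayment, profile: PayerProfile) -> tuple[int, list[str]]:
    """Combine the parameters into one score and record which signals fired."""
    score, reasons = 0, []

    if payment.payer_country != profile.home_country:
        score += WEIGHTS["payer_away_from_home"]
        reasons.append("payer location differs from home country")
    if payment.payee_country != payment.payer_country:
        score += WEIGHTS["cross_border_payee"]
        reasons.append("payee in a different country from the payer")
    if profile.recent_amounts:
        baseline = mean(profile.recent_amounts)
        spread = pstdev(profile.recent_amounts) or 1.0   # flat history: avoid division by zero
        if (payment.amount - baseline) / spread > Z_SCORE_LIMIT:
            score += WEIGHTS["abnormal_amount"]
            reasons.append("amount far above the payer's usual spending")
    if payment.payee not in profile.usual_payees:
        score += WEIGHTS["new_payee"]
        reasons.append("payee not previously used by this payer")
    if payment.hour_utc < 6:
        score += WEIGHTS["unusual_hour"]
        reasons.append("payment initiated at an unusual hour")

    return min(score, 100), reasons


def required_authentication(score: int) -> str:
    """Map the score onto the authentication applied to the remote payment."""
    if score >= REVIEW_THRESHOLD:
        return "sca_and_review"
    if score >= STEP_UP_THRESHOLD:
        return "sca"
    return "frictionless"   # low risk: a transaction-risk-analysis exemption may apply


if __name__ == "__main__":
    # Constructed profile and payments.
    alice = PayerProfile("alice", "GB", [20.0, 25.0, 30.0, 22.0, 28.0, 26.0], {"acme-utilities"})
    for p in (
        RemotePayment("alice", "acme-utilities", 24.0, "GB", "GB", 14),
        RemotePayment("alice", "new-shop", 24.0, "GB", "FR", 14),
        RemotePayment("alice", "new-shop", 950.0, "GB", "FR", 3),
    ):
        score, reasons = risk_score(p, alice)
        print(p.payee, p.amount, "->", score, required_authentication(score), reasons)
```

The reasons list is worth keeping alongside the score: it is what an analyst reviews when a held payment is escalated, and what a bank can cite when explaining why a particular payment was stepped up.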
What does SCA mean for you?
In addition to the technical changes required to comply with SCA, the regulations may pose some initial obstacles for the banking industry and users.
1. User experience
There’s some concern that the extra steps for strong authentication will have a negative effect on consumers’ NetBanking experience. To counter this, there are some exemptions to SCA, and transaction risk analysis will determine the level of authentication required.
Despite this, Barclaycard’s Director of International Payments, Paul Adams, suggests one in ten transactions will need to go through two-factor authentication. So, it’s essential to implement user-friendly two-factor authentication methods which cause minimal disruption whilst securing users’ funds.
2. Cost
Another concern is finding a way to implement SCA at a low cost. Ecommerce sites especially will be keen to find a low-cost solution without negatively affecting users’ checkout experience. It’s important for payment service providers to work with any third parties to find a solution that balances those concerns because cutting costs in the implementation stage could be crippling later down the line, with some predictions estimating SCA to cause €57 billion in abandoned carts if the process isn’t easy enough.
3. NetBanking architecture
Another concern in the industry is how to implement secure authentication across the carefully balanced banking architecture. Bank networks experience surges of traffic in busy periods and this can cause pressure on the service.
One way to mitigate this is by having a layered network which is load balanced for resilience. With this, banks can implement two-factor authentication so that each of these layers requires separate authentication. This would help keep the layers separate to enhance security, but also ensure the network architecture can sustain both the authentication capability and the load on the system.
The Deadline Approaches
With the SCA deadline approaching, the banking industry will be looking to implement technology to comply. But it’s crucial that any technology can be flexible and secure for each unique network. This will not only help overcome some of the concerns about SCA but also encourage users’ trust in NetBanking and create a more security-aware consumer base.
While SCA is a step forward for cybersecurity in the banking industry, the criteria for certain features may not be secure enough to deter the cybercriminals who are constantly finding new ways to infiltrate the NetBanking architecture.