by John Petersen, Global Head of Business Development at ValidSoft
Changes in the payments landscape have recently highlighted the need for more secure authentication methods. The competition between traditional ‘brick and mortar’ banks and Fintech companies who are keen to break their monopoly continues unabated. Within the EU, the Payment Services Directive 2 (PSD2), which mandates open banking, is providing leverage for the new market players. This is providing potentially more competitive and innovative offerings to those who were previously denied access to account information.
Traditional banking challengers
The challengers, or ‘Neobanks’, are competing with the incumbents, typically providing digital-only banking services via smartphone apps and online services. They differentiate themselves from the traditional big banks as being innovative, agile and built from the ground up on digital technology.
Interesting, then, was the recent announcement from one of these UK Neobanks, Monzo, requesting that almost half a million of its customers reset their PINs due to a potential security breach where certain internal staff could access these PINs unencrypted. Setting aside the issue of lax data security, why is a digital challenger bank, built specifically for the digital age, using antiquated, insecure PINs to protect their customers? Whilst they might be providing advanced features when it comes to handling finances and moving funds, they are anything but when it comes to strong customer authentication, and they are certainly not alone in the world of Neobanks.
This brings me to another category of Fintechs seeking to disrupt traditional payment models, the digital wallet providers operating in an open-loop marketplace. These providers come in a number of forms, whether they are wallets linked to pre-paid cards issued by the wallet provider themselves or links to bank-issued debit and credit cards.
In emerging economies, the so-called unbanked and underbanked provide enormous growth opportunities for wallet providers, typically for prepaid services, where traditional cards and account services are simply not accessible to all citizens. However, where the money goes, fraud soon follows. Wallet providers are in effect leveraging the emergence of a handheld computer in the form of the smartphone, and its always-on communications capability. This is a digital payments ecosystem and one that cannot afford to be compromised by weak authentication solutions, such as the out-of-date methods that even the “old guard” institutions have largely jettisoned.
Voice biometrics could offer the solution
Biometric authentication, controlled by the wallet provider and not the handset manufacturer, is the way forward when it comes to making purchases, making payments or topping up cards. For those providers that allow transactions to be initiated online as well as through their app, the same level of identity assurance should be provided. And where a contact centre also exists, the traditional ‘weak link’ in many financial institutions, reliance on obsolete Knowledge Based Authentication (KBA), such as passwords, should also be replaced.
The only biometric approach that can satisfy strong authentication requirements on all these channels, as well as being the most accurate of all biometric modalities, is voice. It is a natural fit for the smartphone app, can also be used directly in a web browser with no other devices or phone calls and is, again, the only effective way to secure the contact centre. Voice biometrics is the natural and secure method of protecting mobile wallets and their transactions. The great news is that customer experience is enhanced at the same time that fraud and operational costs are also reduced for the operator.
For payment providers to the unbanked in regions where smartphones are still in the minority and data network coverage is unreliable, USSD-based payment services can still be biometrically authenticated with a simple phone call.
Whilst some wallet providers are happy for their users to authenticate via the handset using the inbuilt fingerprint reader or facial recognition, it needs to be understood that these are not enforceable, can be bypassed and are not under the control of the wallet provider regardless. You also cannot force people to lock their phones, making for a potential problem for lost and stolen handsets, or those simply left lying around. PINs can be forgotten, guessed and stolen, but your voice cannot. Even if the voices are recorded, state-of-the-art algorithms can detect such recordings. The same is true for artificially created speech (synthetic speech). From a customer’s perspective, regardless of a payment provider’s internal security flaws or breaches, the theft of an unencrypted fingerprint, facial scan, iris scan or any other physical biometric is still the worst possible scenario for any individual. Such theft can continue to compromise the individual indefinitely.
Voice biometrics templates should be encrypted in any event. Since the latest voice biometrics technology can also detect replay attacks and synthetic speech, it is the only biometric modality that has inherent capabilities to counter its theft. Consequently, its theft does not represent a threat to the customers/owners of those templates or their mobile wallets and would certainly not lead to the erosion of confidence in the customer base. In the case of emerging payment technology, where secure authentication is key to its success, precision voice biometrics could provide the answer.