The delay in the implementation of PSD2 SCA due to coronavirus gives banks and other interested parties more time to create better mobile-based authentication processes for customers, rather than relying only on OTP, experts warn.
While the deadline to meet the EU’s PSD2 Strong Customer Authentication (SCA) requirements is currently set for the end of December this year, pressures brought on by the Covid-19 crisis have led to the European Payment Institutions Federation (EPIF) requesting a six-month extension.
For identity verification and authentication expert Payfone, this delay gives banks a chance to re-evaluate whether their current plans for SCA are as good as they could be, and make any key changes before the revised deadline passes.
There are several ways of achieving the SCA standard, with one-time passcodes (OTP), static passwords and security questions still being popular choices for many financial services organisations. While practices such as OTP have served companies well, particularly due to scale, they remain vulnerable to compromise through techniques such as SIM swap fraud and man-in-the-middle attacks.
For Keiron Dalton, VP at Payfone, the financial services sector should use this extra time to investigate authentication methods that leverage a combination of mobile signal intelligence and transparent verification processes, which further enhance security without compromising the user experience.
Dalton says: “Techniques such as OTP generally provide an effective level of security and reduce reliance on outdated processes such as static passwords. That said, they’re not completely fool-proof: SIM swap fraud remains a key concern, as do other methods such as social engineering and call forwarding, all of which can negate the effect of OTP. The user experience typically associated with OTP usage can also be described as ‘clunky’ at best, so there’s a thirst to establish what comes next for customer verification.”
Dalton continues: “The Covid-19 crisis has placed considerable pressure on banks and financial services organisations, in particular forcing the introduction of new processes to verify customers remotely. There’s a chance now for banks to take a step back and think about how this can be done, especially as the pandemic has encouraged a surge in cyber attacks.”
Dalton adds: “Covid-19 has created a burst in mobile adoption. That in itself introduces more challenges, in particular around identity verification. Our relationship with our mobile provides a unique window of opportunity to leverage the longest-standing digital relationship we have, especially when you consider we get a mobile phone before we even start our banking journey.”
He says: “By making better use of mobile intelligence to get an accurate picture of customer behaviour, banks and financial services businesses are able to circumvent many of the routes through which fraudsters are often successful. If a cybercriminal, for example, attempts to pose as a customer, a mobile intelligence-based approach will be able to flag these unusual patterns of behaviour and help stop a fraudulent transaction from taking place. The verification processes can all be done behind the scenes, which helps maintain a seamless customer experience.”
Dalton concludes: “We’re living in a nervous time for many customers, so it’s important that banks are able to bring that peace of mind. By using insight and the underlying mobile technology available to master their understanding of customers, they’ll be able to take full charge of the authentication process and remain a step ahead of the hackers.”