Revolutionizing Banking Security

The emerging authentication methods are poised to revolutionize banking security by addressing the shortcomings of traditional approaches and enhancing protection against cyber threats.

Ashok Pandey

In an era marked by rapid digital transformation, the banking sector grapples with evolving threats to security and user experience. Traditional authentication methods like passwords and SMS-OTPs are proving inadequate against sophisticated cyberattacks. However, a new wave of authentication technologies is on the horizon, promising a paradigm shift in banking security. FIDO passkeys and biometric authentication are emerging as frontrunners, offering a blend of robust security and seamless user experience. We spoke to Tapesh Bhatnagar, Head of Digital Solutions at Giesecke + Devrient MS India Pvt Ltd, on how these technologies are reshaping banking security in India.

Limitations of Traditional Authentication Methods

The limitations with traditional authentication methods like passwords, PINs, and OTPs are that these methods rely on "shared secrets", i.e., there is a server in the bank’s control that validates the credential provided by the user. Since these shared secrets can be intercepted, they are vulnerable to phishing or theft. This exposes users to a higher risk of fraud. From a user experience standpoint, remembering numerous passwords can be frustrating and time-consuming. Additionally, traditional MFA methods like SMS-OTPs can be inconvenient and susceptible to phishing and SIM-swap fraud.

Impact on Indian Banking Sector

Driven by a multitude of factors like smartphone penetration and government initiatives like Digital India, there has been a significant rise in digital transactions in India. But this growth has unfortunately attracted a lot of cybercriminals, contributing to a rise in cyberattacks targeting Indian banks and their customers. As per a recent report by the Indian Computer Emergency Response Team, phishing attacks and social engineering scams are a major threat to the Indian banking sector as they often exploit weak authentication methods to gain unauthorized access to customer accounts. Even data released by RBI showcases a rise in complaints related to unauthorized transactions and fraudulent activities, suggesting a growing concern.

Trends in Vulnerabilities

As digitalization advances, so does the prevalence and sophistication of fraud. It is often noted that fraud transcends geographical boundaries, targeting the most vulnerable individuals/communities. Instances of fraud have become increasingly diverse, extending beyond merely hacking passwords to bypassing one-time passwords (OTPs).

In a recent case, a customer experienced a loss of 41 Lakh INR, wherein fraudsters successfully circumvented two-way OTP authentication to compromise a fixed deposit. This alarming incident underscores the pressing need for a more resilient security approach.

Smishing, a combination of "SMS" and "phishing," is a fraudulent practice where scammers use text messages to trick individuals into divulging sensitive information or clicking on malicious links. These messages often appear legitimate, prompting recipients to respond with personal information or to click on links that may lead to phishing websites or malware downloads. 

Vishing, short for "voice phishing," is a type of fraud where scammers use phone calls to deceive individuals into providing sensitive information such as passwords, OTPs, PINs, etc. Vishing attacks often involve automated phone calls or spoofed caller IDs to make the scam appear legitimate. Scammers may impersonate trusted entities, such as banks or government agencies, to gain the victim's trust and coerce them into divulging confidential information.

Both smishing and vishing attacks exploit human vulnerabilities and the trust individuals place in communication channels such as text messages and phone calls. 

Evolution in Payment Authentication

FIDO (Fast Identity Online) is the gold standard for authentication as explained by the National Institute of Standards and Technology (NIST). The use of Biometric authentication is becoming widespread these days as our devices come with biometric sensors and we can log in to our devices using our biometric credentials. However, such biometric credentials alone are a single factor of authentication and need a strong linkage between the digital identity of the user and the transaction.

FIDO is an open standard of authentication developed through collaboration between a large set of industry players (300+) like Google, Apple, and Microsoft along with chip manufacturers and payment networks. The most important aspect of FIDO is that it is a phishing-resistant protocol that rides on public key cryptography to securely verify identity without storing credentials (like password or PIN) on servers. In this way, it also nullifies scenarios of scalable attacks.

Instead of using a password, the user can create passkeys (these are FIDO keys only) specific to a web service or an app for secure login or transaction approval. The benefits of passkeys to both users and businesses are significant:

● Convenience: Rather than entering a password and then completing 2FA to authenticate a login or a payment, using a passkey is as simple as unlocking a smartphone or device with facial recognition or a fingerprint scan.

● Security: Unlike traditional multi-factor authentication methods, which require a user to key in “something they know” (password/OTP) and “something they have” (device) to authenticate a payment, passkeys are completely phishing-proof.

● Speed: Thanks to the FIDO technology under the hood, passkeys provide a multi-factor authentication experience in a single step.

● Biometric authentication: With device-bound authentication (for example, FIDO UAF), banks can take the next step and shape a future of authentication where ‘something you have’ (your device) and ‘something you are’ (your biometrics) seamlessly merge. The user only needs to touch a thumb or glance at a camera and, thanks to the FIDO-based technology, the second factor remains invisible to the user. That’s how banks can provide two-factor authentication that feels like a single factor (frictionless).

Addressing Limitations of Traditional MFA

Yes, FIDO authentication along with PIN/biometrics offers an alternative to the existing authentication methods in the banking sector, as it addresses the limitations of passwords/PINs and traditional MFA by enhancing security and improving user experience. It eliminates the need to rely on shared secrets and is more convenient to use, making it resistant to phishing attacks.

Strategies for Enhanced Payment Security

As more and more customers are consuming banking services through web and app channels, it makes sense to offer a seamless and secure authentication experience to these users. Among these users, Millennials and GenZ are more inclined to adopt newer forms of authentication.

Banks can choose certain customer segments and deploy newer forms of authentication for certain use cases. One such use case is e-commerce transaction authentication. Currently, all card-based eCommerce transactions require the issuing bank to send an SMS OTP (as a second factor) to complete the authentication process. We have seen that dependence on SMS OTP creates multiple challenges, especially during the festive season when transactions rise multi-fold. Here, SMS OTP can be replaced by a push notification to the issuer banking app where the user verifies their identity using biometrics/PIN and a second factor of authentication takes place in the background based on device-bound passkeys. This will create a fine balance between usability, security, and cost. Gradually, such experiences can be introduced to other use cases where OTP is used as a second factor of authentication.

Additionally, in line with the growing population of smartphones enabled with the ‘tap and pay’ (NFC) feature, banks can also leverage payment cards (credit/debit) as an additional authenticator for specific use cases such as card activation, app onboarding and approving high-value transactions.

Having multiple authenticators registered for a customer gives freedom to the Bank to deploy an adaptive authentication process to combat fraud.

Balancing Security and User Experience

In the digital age, physical and digital consumer journeys are converging across all facets of life. Shopping, payments, and banking have seamlessly integrated into the digital realm, reshaping how consumers interact with financial services. While the customer demands exceptional user experiences, striking a balance between security and convenience is crucial. Introducing newer forms of authentication will need strong technology implementation by certified vendors followed by awareness campaigns to promote adoption. Since biometric authentication is not new to smartphone users, using the same for banking app login or cross-channel authentication use cases will be a logical step from the users’ perspective.

Regulatory and Technical Considerations

FIDO passkeys are poised to play a significant role in the future of India's digital payment landscape. However, their widespread adoption will require strong handholding from an implementation and awareness standpoint.

1) Regulatory support: As per RBI’s Master Direction on Digital Payment Security Controls, an authentication framework needs to have multiple attributes, and the good news is that FIDO device-bound passkeys comply with all the attributes whereas SMS-OTP falls short on compliance.

2) Technical support: For the introduction of any new technology, its seamless integration with the ecosystem is crucial. What sets FIDO apart is that major operating systems like Windows, Android, and iOS and browsers like Edge, Chrome, Safari, etc. are already compliant with FIDO standards.