A varied panel of experts from the spectrum of the finance industry gathered at The Law Society Headquarters in London to debate the impact banks’ security measures have on the customer experience and the emerging challenges for banks around digital security. Anna Milne reports
Douglas Blakey, group editor of Timetric consumer finance titles, chairs the debate in which there is plenty of disagreement, the odd nod of agreement, and widespread musing over the future of banking security. Blakey opens the discussion, asking the panel for a clear stance on whether it’s getting easier or harder to protect customers on online, mobile and tablet banking.
Tarika Dhingra, digital security and authentication lead at RBS Group, is the obvious choice to respond first. Her answer is emphatic: harder. "It’s definitely getting harder and for a number of reasons: we’re seeing more and more sophisticated phishing attacks and scams on our main channels and the number of channels now in use has increased the surface area of attack. We’re going to see more targeted attacks using malware, it’s going to get much harder."
Roy Vella, digital expert and independent advisor, cuts to the quick in his usual affable manner. He agrees it is difficult for the banks but says that is also very much their problem. Vella lays it down: "Now we have multi-factor authentication, there is plenty of digital resource in terms of footprint to be able to identify that the person you’re talking to is authentic. Whether the banks are able to do that or not, that’s a different thing.
"My US bank brought out fingerprint verification three days after the iOS update; my UK bank is nowhere near doing that. There’s plenty of opportunity to use the reality of multiple device platforms to make it a more secure environment, not a less secure one."
Cue Clayton Locke, CTO of Intelligent Environments, who was never going to stay silent for long. He jumps in to defend the banks, saying it is absolutely getting harder: the increased surface area, and the sophisticated techniques and talent the criminals now have in their arsenal, mean the threat is evolving and the cost of defending against it is sky-rocketing. Locke quotes PwC research to the effect that the cost of the threat to the UK is now measured in billions of pounds rather than millions, having tripled over the last few years.
"It’s an arms race: the economics of which actually favour the side of the criminal, who can launch millions of attacks without that much investment, remotely."
Dog eat dog
Vella takes the bait and recalibrates his standpoint, telling the well-known US tale of ‘the bear in the woods’. Long story cut short: two guys in the woods happen upon an angry grizzly. Guy 1, instead of getting the hell away, stops to casually put on a pair of trainers. Guy 2 questions Guy 1’s sanity in stopping in front of said predator and is pragmatically informed that Guy 1 has no intention of outrunning the bear: "I just need to outrun you". Dog eat dog.
"Cyber criminals don’t have to beat the toughest cyber criminal; they just have to beat the neighbouring bank, aka the weakest link: those without two-factor authentication."
There is unanimity amongst the panel on this, and an air of resignation sets in. Locke adds that there is too much onus on consumers to be responsible for changing habits and getting wised up on security. Whichever bank is the weakest link, consumers are the sloths of the consumer banking jungle. "If the industry is waiting to change the consumer, we’re going to be waiting a very long time indeed." It is easier to change the computer and bring technology to the problem.
Smiles are raised when an unlikely source, The Daily Star, gets airtime in the debate. The previous day’s issue of the Star had published Locke’s amusing quote that people change spouse more often than they change their PIN.
Responding to the suggestion that banks should step up into the technology sphere, Andrew Tarver, founder and CEO of Bold Rocket, rejects it outright, saying the industry will not catch up with technology.
"In thirty years, my bank has seen every pay cheque go in, from when I was a waiter in a hotel at sixteen to CEO of a firm. Not once has their advice changed; not once have they used analytics and said, actually we can do this, this and this for you. If Google, Apple, Facebook, anyone else had that data, they would do all kinds of stuff with it. We’re just not sophisticated enough as an industry to utilise technology," he says.
Blakey challenges the panel on where responsibility lies: with the bank or the customer. Tarver states it is the customer’s responsibility, because of the choice involved in using the bank to store money and transact. "In the future there will be an inflection point around me storing digital data and what I mean by that is the ability to start to hold information which only existed in my brain before, and my DNA data. That’s when you create a digital soul."
Locke disagrees and states that, "existential questions aside, the banks’ fundamental purpose of existence lies in the secure storage of money and, like it or not, they must take accountability for security in financial transactions, so responsibility lies with them".
Bruce McKee, Microsoft’s financial services industry lead, explains the gap between banks accepting responsibility and delivering fit-for-purpose security systems by saying they don’t have a chance until they transform their outdated core systems. Hence, he adds, for hackers the holy grail of destruction would be to bring down a company like Microsoft, because it offers banks solutions in this area.
Blakey points out that a number of retail banks are placing digital innovation at the heart of ad campaigns with banks competing in this area when perhaps they should be cooperating. Dhingra says this is a total misconception and that banks absolutely cooperate.
"Just because they don’t shout about how they work with digital data, doesn’t mean they’re not working away on solutions behind the scenes. [RBS] works very closely on fraud communications and other banks can vouch for that."
She also drives home the fact that "it needs to be a joint effort from both banks and customers. Customers should be responsible for keeping their own credentials safe and their devices up to date, and banks, because they have resources at their disposal, should invest in technology."
Vella disagrees wholeheartedly, saying it cannot be joint when it is the bank’s ultimate loss if a customer’s credit card details are stolen and money is lost. "I couldn’t care less if you stole all my credit cards; it doesn’t make a difference, I’m not losing any money. What incentive does the customer have?"
Dhingra reminds Vella and the panel that there is more to it than money: "there’s also an element of confidentiality and it’s in customers’ interests to keep devices up to date. Devices also store documents and all sorts of other information they wouldn’t want exposed and that’s why it’s joint."
The issue of responsibility has both engaged and divided the panel. McKee adds a new slant, observing that the more sophisticated technology has become, the less customers actually need to know about how it works. Back in the day, you would get an instruction manual on installing software; these days you just click a button and it self-installs. This creates a culture of passivity and faux trust in customers, he explains: "they assume things run perfectly when in fact they don’t. So there’s a social element of lack of understanding but the banks have the challenge of explaining things to Joe Public." A nod of agreement ripples along the panel.
Blakey: "So the more we might do the more we might turn off the next wave of mobile adopters?"
This opens the discussion into the future of biometrics, which none of the panel disputes is a good thing, from either a security or a customer experience perspective. The question is how long it is going to take, and agreement on that proves difficult. Dhingra says it is in the near future. Tarver holds out little hope for banks embracing digital properly at all: misguided attitudes run too deep, along with the notion that an investment in change should last a lifetime instead of systems being readjusted every 18 months. And even when biometrics does come in, he continues, DNA theft will be hot on its heels; in fact, it is already in the planning.
Locke says "unless banks move ahead of regulation they’re going to be behind the hackers. These guys are already in the application so it’s no use concentrating efforts on protecting firewalls because they’re already inside working out how to extract the data".
Vella tells of his experience in Bulgaria to illustrate the large-scale operations the cyber criminals orchestrate. During his spell in a senior position with PayPal, he went in and shut down a building full of workers; two days later the operation was back in full swing in a different location, every worker having been texted the new address. "It’s not just kids in their bedrooms, it’s a huge business," and they are already onto biometric theft.
Locke then agrees with Dhingra in that, as an industry, "we need to take full advantage of technology and work together to drive each other forward".
Tarver says: "Service expectations are set by other industries and the gap between the experience in banking compared with other online retailers is getting bigger and therefore my attitude towards financial services is so weak that if someone comes up with an alternative, I’ll go with them."
On customer experience around security, Vella sums it up: "The old way was lock everything and open what needs to be opened; today it’s open everything and lock what needs to be locked." "Let the consumer decide," he says, pointedly addressing the audience, "present the security line and let them decide which things are on which side. Some things the bank will have to insist on keeping behind the line, but let customers decide."
Locke says that with biometrics it is no longer a trade-off between a great user experience and stronger security: biometric verification offers a good experience and a high level of security.
On biometrics, the only one who is not convinced is McKee, who informs the panel he has heard it is possible to put your finger down on a finger-vein reader after someone else and for it to verify the previous person, "so the technology needs to be developed" and, in the meantime, banks’ efforts might be better focused on implementing "fairly simple" procedures such as two-factor authentication.
"40 of the world’s top banking apps don’t use two-factor authentication and 40% of those apps you could spoof by sending the wrong certificate. This is down to bad practice in design, nothing to do with user experience," he says.
He also takes aim at what he claims is a misnomer, the banks’ insistence on a so-called wet signature, which disrupts many an online process: having to print a form, sign it and take it to the branch or send it off. "I haven’t found the reason they do that. I don’t think it’s required by the regulators but the wet signature is the thing that’s limiting: once they cross this threshold they actually become a digital bank."
As the debate nears a close, there is lively disagreement on the capability of banks to integrate. Tarver argues it is all about the archaeology, the legacy systems, prompting Vella to quietly conclude that it is "just a matter of bravery". He cites PayPal biting the bullet back in 2005, when Scott Thompson came in and had the whole thing re-written "from the ground up after six years in business".
Locke brings up chip and PIN as a significant security development; despite the US lagging behind on it, he says, its imminent adoption of tokenisation, driven largely by Apple Pay, will ‘leap-frog’ chip and PIN. Dhingra assures the panel that banks are doing plenty of work behind the scenes on security; Vella and Tarver pitch the regressive "binary" mentality of older banks against the progressive mentality of newer banks in Spain and Poland.
Vella amuses the panel and audience in recounting that, when working at RBS, his team used to joke that their watches were set on weeks and months and everyone else’s on quarters and years, giving rise to dismally different interpretations of ‘soon’.
Coming to the banks’ defence and summarising the whole discussion, Dhingra asserts it is by no means a lost cause but "bankers do need to do a better job in communicating what they’re doing. Fair points have been made this morning". Having taken the flak single-handedly for the industry, it is perhaps fair that she gets the last word.