The scale of the online fraud problem in the UK was laid bare recently when a report published in The Times revealed that five million Britons had to cancel their credit cards in 2015 as a result of cybercrime. However, credit card fraud is just the tip of the cybercrime iceberg.
According to our own research, one in five Britons have fallen victim to cybercrime, including having their identity, money or bank details stolen. With more and more of our lives conducted online, the opportunities for cyber criminals to target us are greater than ever. Unfortunately, there is no single solution to combat this threat.
However, what is clear is that there needs to be more education on how people can protect themselves from cybercrime, whilst there is also growing consensus that financial institutions need to start adopting a wider range of security technologies to help protect their customers.
The Scale of the Challenge
Our research revealed that almost half (48 per cent) of people in the UK are concerned that their identity will be stolen, and the same proportion are worried that their bank details will be stolen. This isn’t helped by the fact that consumer education is poor, with just 19 per cent of British bank users saying they have a limited understanding of how to stay safe online. In a clear message to UK banks, more than a quarter (30 per cent) would like their bank to offer more advice on staying safe online.
Almost a quarter (22 per cent) of consumers don’t trust digital banking apps, and 12 per cent don’t trust online banking full stop. Furthermore, seven per cent of UK banking customers said they no longer use digital banking having previously been a victim of cybercrime.
Consumer worries about their online security are not unfounded. According to a PwC report, security breaches were at an all-time high in 2015, rising to 90 per cent from 81 per cent in 2014. Despite the high threat level, no European retail bank has attack-aware security that automatically detects and responds to intrusions inside perimeter defences. While most bank branches have sensors inside the building as well as on the door, the same is not the case for their online services.
However, a new partnership between The Centre for Secure Information Technologies at Queen’s University Belfast and Intelligent Environments aims to put an end to this through its Interact AppSensorFS proposition, which takes a state-of-the-art detection approach combining machine learning and prior knowledge. Machine learning, a form of Artificial Intelligence, will be used to model user behaviour, teaching Interact AppSensorFS to recognise when a hacker is entering or is in a bank’s system, alerting security officers and providing solutions to negate the threat.
Applying this sort of technology is critical in the ongoing war against fraud, but there are other areas where both banks and their consumers can tighten up security, particularly around the use of passwords.
The Password Problem
The challenge with passwords is that most cybersecurity guidelines specify a longer password, unique to each secure account, that changes every 30 days. The problem with this advice is that it is simply not realistic. The average citizen in the UK is registered on over 90 accounts, a number that is doubling every 5 years, according to Dashlane.
If that citizen were to follow the experts’ advice, they would have to remember 90 x 12 = 1,080 passwords per year. That just isn’t going to happen. Instead, the average person keeps two or three variants of the same password in play at any one time. This means that they are using similar passwords to sign in to their newspaper subscription, their work network and their online bank. This makes it much easier to hack through social engineering.
Our research shows that over half (58 per cent) of people are ready to ditch their passwords in favour of biometric security measures, while two thirds of consumers (69 per cent) would like their banks to put more security measures in place.
Verifying identity lies at the absolute heart of banking and finance. Without it, consumer confidence in a bank collapses. It’s crucial that banks are 100 per cent certain that the person conducting a transaction is who they say they are, and that they’re authorised to make the transaction – authorisation needs to be watertight. This brings us to the question as to why the banking sector hasn’t yet properly adopted biometrics, given the urgent requirement for improved identity verification.
The answer, candidly, is that it is all happening at a speed that the existing banking infrastructure can’t keep pace with. Although it is now clear that the legacy approach to security is not keeping pace with cybercrime, the old password approach was the most workable solution until recently. Biometric deployments from just a few years ago did not demonstrate that the technology was up to the grade needed for banking – accuracy, speed, reliability, and ease of use. The banks could get away with sticking to the authentication approach built deep into their existing infrastructures. A robust and low-cost technology platform for obtaining the biometric signature was also simply not available. Until now.
The tempo of change is an opportunity for some banks and other businesses, but many have found it to be a shock to the system. Banks have, until recently, tended to be large businesses that have been around for a long time. One effect of this is that these banks tend to have a great deal of infrastructure in place. This includes networks of ATMs, backend software systems, network infrastructure, and PIN encryption algorithms, all of which require substantial investment to overhaul.
However, we are now seeing the banks begin to take increasingly confident steps in the right direction. Last year, Barclays launched finger vein scanning capabilities, Halifax trialled a heartbeat verification system using an electronic wristband, while MasterCard has announced facial recognition to verify online purchases.
Two major pressures are being placed on big banks to adopt these sorts of biometric measures. One is consumer demand: the more people become accustomed to biometric security through services like Apple Touch ID, the more they expect those sorts of measures to be implemented by their banks. The other, and likely the one that’s putting the majority of pressure on the bigger banks, is the evolving threat from challenger banks like Atom and Starling, who, being nimbler, have a great opportunity to steal a march on their major competitors in the critical battle to defeat cybercrime.
Looking to the future
People are more on edge these days, and with good reason. High profile hacking attacks on organisations like Yahoo and TalkTalk have put the issues at the top of people’s minds, and as a result they are rightfully concerned about their security online. Of course, banking data is always going to be a primary concern as it’s particularly attractive to hackers.
Introducing biometric security measures, offering advice on what to watch out for when making online purchases and helping customers better understand what to do when things go wrong all go a long way toward helping people be more aware of cybersecurity, without getting in the way of a great user experience.
Finding that balance between the two is the key for financial service businesses, and the route to a better, more secure service.
David Webber, managing director of Intelligent Environments