Who’s There?

Proving a digital message is truly coming from a member trying to make a legitimate transaction is complicated. Identity verification has to accommodate many scenarios these days.

For example, if a member the teller doesn’t recognize walks into a branch of $6.5 billion Mountain America Credit Union, W. Jordan, Utah, to cash a check from an out-of-town bank, authorization can be as simple as showing a driver’s license or another approved form of identification, says CUES member Tammy Bryant, VP/operational compliance.

But if a member telephones the call center to change the user ID or password on an account, the member is invisible but speaking in a live interaction, and authentication is conversational. The rep asks the member for his or her name and personal account information. This could include date of birth and last four digits of his Social Security number, of course, but also account activity questions: the date and amount of the last deposit or the source of their direct deposits, Bryant explains. If that’s not enough, the rep will text a one-time PIN to the smartphone the member has registered with the CU and ask the caller to read it back.

If someone is trying to join the CU online and get a debit and credit card, the applicant is invisible, inaudible and not previously known to the CU, Mountain America CU will track the IP address the request is coming from and use third-party databases to match the computer to the person, Bryant says. Then the online banking system will ask out-of-wallet questions that only the apparent applicant should be able to answer.

If a member vacationing abroad presents a Mountain America CU debit card for the payment at the emergency care clinic to treat a family member who has had an accident, that transaction likely would trigger fraud alerts and special authentication.

“Fortunately, most of our cards are EMV, so we would know that the card is legitimate, assuming the hospital had an EMV reader,” Bryant says. “We would use all elements of the card transaction—including the location—to verify that the card is where it should be. Someone would call the member on the phone registered with us and ask about the transaction. And we’d run the transaction through our fraud monitoring software to see if that triggered any red flags. If none of that reassures us, we might hold up approving the transaction until the member contacts us.”

Mountain America CU encourages members to report travel plans, but they don’t always remember, she adds. She should know. Bryant got a call herself when she went to New York without informing the CU and started making card payments.

The Best of Biometrics

Multifactor authentication, out-of-wallet questions and geo-location tracking, plus the growing use of biometrics, are what many CUs are using to authenticate members who transact remotely. “I think most CUs are looking into biometrics,” Bryant says. “We use thumbprints and iris matching through EyeVerify.”  

Not everyone sees immediate promise in biometrics, however. The widespread availability of thumbprint authentication supported by the Apple and Google operating systems is “irrelevant” for financial institutions, claims Robert Capps, VP/authentication strategist at NuData Security, Vancouver, British Columbia, because “the financial institution has no independent way to verify the match. The digitized print is never sent to the bank or CU. It just opens the device keychain. It’s a more convenient alternative to typing in a user ID and password but not really a more secure one.”

Biometric authentication is hard, notes e-signature specialist Pem Guerry, executive vice president of SIGNiX, Chattanooga, Tenn., because it requires special hardware and an opportunity to capture a marker of the member that can be used for matching. Some CUs ask members to touch a fingerprint pad when they are transacting business in a branch, he adds.

The best solution relies not so much on biometrics that verify the member’s body as the rich abundance of available data and the ability to configure a complex series of data points that only the real member can satisfy, Capps explains. “You have to be who you say you are. No thief can hack all those data points.” At least not yet.

Authenticating Driver’s Licenses

The driver’s license is still critical to authentication. In a branch, authentication by driver’s license is done by looking at the photo on the license and the face of the person presenting it, reports Paul Kobos, SVP/banking and payments for Gemalto, Austin, Texas.

For remote transactions a financial institution can have a mobile applicant take a picture of his or her license or passport and transmit it for authentication.

“Systems have sophisticated forensic matching reviews that know exactly what the front and back of a particular state’s driver’s license looks like,” Guerry says. Moreover, CUs can ask an applicant to take and send a selfie on the spot. The CU checks to make sure that photo matches the license photo it has on file. To be even more secure, the CU can require the person to send a video selfie including the person blinking. Such an image would be more difficult to grab off the web, Guerry points out.

Driver’s licenses themselves may become digital in a few years. Gemalto has a pilot with four states to create digital driver’s licenses that a person can carry in a smartphone, much like an airline boarding pass. The digital driver’s license can be matched to a digital database file to confirm that it’s legitimate. Physical examination or capture will be unnecessary, he says.

Verifying driver’s licenses is a smart tactic, but not an adequate strategy. As the crooks get smarter, today’s authentication safeguards become less reliable, Capps warns. “Traditionally, a CU with members using online banking would require a user ID and password, probably supplemented with something that verifies that the device being used really belongs to the member. Now the bad guys have learned to get past those protections.

Device Authentication

Recognizing the device a member is using to conduct a transaction is becoming an increasingly important factor in authentication, reports Eric Woodward, group president at Early Warning, a Scottsdale, Ariz.-based fraud risk management company and the owner of Zelle, a P2P real-time payments service.

“There’s a tremendous amount of data available from mobile devices and their activity that can be used to detect signs of fraudulent activity,” says Woodward. “At first, people worried that introducing the mobile banking channel would increase fraud risk, but the opposite has occurred. Mobile has the potential to be the most secure channel because of the layers you can leverage—device, network operator, location, user behavior, proximity, etc.—to help authenticate the user,” he explains.

Escalating fraud protection to stay a step ahead of fraudsters does carry its own risk: frustrated members. Security is bolstered by layering multiple authentication technologies, notes consultant Sabeh Samaha, president/CEO of Samaha & Associates, Chino Hills, Calif., but this could upset the critical balance between security and member convenience.

“Each CU has to find its own balancing point, based on its membership and risk tolerance,” staying fairly close to the middle and addressing issues by leaning a little one way or the other, he explains.

Member experience is very important to Mountain America CU, Bryant notes. As a result, the CU tries hard to minimize the inconvenience of requiring members to go through multiple authentication steps.

Members are “well aware of fraud danger in the world of automated, remote transactions, and they almost always support our precautions,” she says.

Passive Authentication

“The goal,” Capps insists,“is to use passive authentication measures that a member doesn’t even recognize so that the member gets convenience and the CU gets security.” That can happen when behavioral biometrics are used, he suggests.

“How humans interact with technology can be revealing and reliable,” he argues. “How they hold their smartphone, how they type in their password, how hard they press the keys, how long they hold down a key, the size of their finger—all these can now be measured in the tiniest detail. We’ve seen financial institutions that use passive behavioral biometrics go from challenging members 50 percent of the time to challenging them just 4 percent of the time. That’s building security while minimizing member inconvenience.”

Passive authentication gets a boost when CUs can authenticate by device. Member experience is always a strategic consideration, Woodward acknowledges. “If you did a blood test and waited for DNA analysis, the authentication might be perfect, but members obviously would not stand for that. So we focus on passive authentication. We can take a signal to the mobile network operator and see if they recognize the SIM card. Member cooperation can still be critical in some situations, but you can use other techniques first.”

It’s also important to share anti-fraud intel, Woodward emphasizes. “The first time a device is used in a suspicious way at one financial institution, the word can go out to a whole consortium to flag any activity with the device,” he notes. “If you layer authentication procedures and share experience, you can build a very effective anti-fraud solution.”

Cost Effectiveness

“It’s ultimately a financial decision, based on the membership, experience and risk tolerance of the CU,” Woodward points out. Most authentication involves processing data, and that entails cost, he explains. So CUs use what they need. User ID and password (or a thumbprint on a smartphone) may be enough to let a member passively review balances and transaction history. If someone is attempting to join the CU online and immediately deposit a large check by remote deposit capture, the CU may happily pay for stepped-up authentication, he explains.

To see where authentication is headed, look at what car-sharing apps are doing, Kobos suggests. “If you look at Car2Go registration, for example, they ... [have] the user take a picture of their driver’s license ... [and] a ‘selfie’ for confirmation and performing automated matches and checks. I expect banks to follow a similar path.”

Vendor Limitations

Member authentication technology is getting more sophisticated quickly, which means CU executives have to keep picking the best of the available solutions. However, as a practical matter, they generally pick the vendors that pick the technology tools, Samaha observes. That requires due diligence, possibly including requests for proposals and a detailed selection of new vendors, he adds. Adequate authentication is usually provided by familiar CU processors, although fintech companies are starting to enter this space, he notes.

Small CUs are just as vulnerable to authentication failure as large CUs and banks but may have fewer resources for robust protection, Capps says. “Many credit unions under $250 million outsource authentication to a service provider, and some of the providers have only rudimentary controls, so their clients are exposed to more fraud risk.”

But good things are coming. In the future, it will be possible for a CU with limited resources to subscribe to a vendor offering that captures data from a variety of sources—including the telecom provider—authenticates the member’s device, exposes any history of misuse, verifies the member by behavioral biometrics and generates a risk score that lets the CU determine what access to grant, Kobos predicts. It will cause little inconvenience for the member and very little labor for the CU, he says.

But will it be affordable? “I think the fraud risk and customer experience will allow a lot of financial institutions to cost-justify it,” Kobos concludes.

Will such authentication ever be foolproof? Not likely, Samaha says. “It’s a constant process to stay ahead of the fraudsters,” he notes. “Leaders now are authenticating via member devices, but a device will one day be digitally mimicked. Biometrics are emerging on the leading edge, but a... anything digitally stored can be stolen.”

Where do we go from there? It could be a computer chip implanted under the skin of the member, he speculates.

Maybe. Maybe not. Regulatory pressure for authentication has shifted from requiring certain technology to requiring evidence of protection. “The examiners are saying, ‘show me how you protect against account takeover.’ That’s smarter than requiring particular technology,” Capps says.

Richard H. Gamble is a freelance writer based in Colorado.