The Key to Smarter Banking

by Eric Gilmore, Head of Pre-Sales EMEA
April 5, 2023

In 2022, 92% of people in the UK used online banking. The number of consumers with a digital-only bank account rose to 24% in 2023, compared to 9% in 2019. This figure is expected to continue to grow and hit 43% by 2028.

Mobile banking is the breakout digital channel and its growth is being led by the under-35s. 85% of those aged 18 to 24 and 79% of 25 to 34-year-olds are now using mobile banking apps more frequently. Interestingly, the over-55 age group is also embracing mobile banking, with over half (52%) saying they use mobile banking apps more often.

Despite the growth in digital banking channels, there is still a significant proportion (24%) of consumers who are wary of online banking. And not without cause. In the first half of 2022, just under 30,000 incidents of fraud in remote banking were reported to industry body UK Finance. The total cost of these incidents was £85 million.

What is the state of security in UK banks today?

How are fraudsters gaining access to consumers’ bank accounts? A recent Which? report has highlighted some of the real gaps UK banks have when it comes to securing their digital banking channels. The results of the report show how important it is that all banks address weaknesses in security, including customer authentication, and implement a strong platform they can grow their digital services on.

The Which? investigation finds that a reliance on weak passwords, a laidback approach to protecting the process of adding new payees, and vulnerable login processes are common to many current accounts. Looking at 13 banks in the UK, Which? discovered that many banks also still send one-time passcodes (OTPs) via SMS. Which? and the identity industry at large considers this method of authentication one of the least secure ways to authenticate a customer’s identity. Intercepting these texts is a relatively easy way for fraudsters to gain access to a customer’s bank account.

SMS-based security is a cause for concern

SIM-swapping is a growing problem in the UK. Since 2015, this kind of fraud has increased by 400%. It occurs when a fraudster fools a mobile network (a fraud tactic known as social engineering) into transferring a person’s phone number to a SIM card in the fraudster’s possession. Once the fraudster has control of the mobile number, they can receive all the calls and texts intended for that person, including, of course, any OTP used to access bank accounts.

With SMS vulnerabilities, banks are at the mercy of mobile operators and their security controls. This loss of control is vastly less secure than having the built-in security of a platform like IdentityX®.

The Which? report showed that one of the poorly rated banks, TSB, still relies on SMS-based security. TSB also failed to block insecure passwords, similar to the lowest-rated bank, Virgin Money. Contrarily, the two highest-scoring banks, Starling and HSBC, use a dedicated mobile app to authorise account logins. In addition, Starling customers who want to make account changes online can only do so via a device that has been through stringent checks, and the user must capture a live selfie of themselves that matches existing identification on file.

Biometric identity verification offers security and convenience

This approach from Starling moves into the area of biometric security which, when combined with a bank’s mobile app, is a secure and convenient way of approving customer actions.

In cyber security, biometric identity verification is the use of physiological or behavioural features – face, voice, iris, fingerprint – as factors for authentication purposes. Biometrics provides virtually-unspoofable authentication of the individual, better security, and a much simpler UX when compared to other options, like OTPs or card reader devices.

Biometrics technology is increasingly being used by financial institutions to build stronger customer authentication journeys. Adding a new payee to a bank account, for example, is considered one of the riskier customer journeys. Using a biometric security factor, like a face scan, is a great way of mitigating this risk. To add a new payee using facial biometrics, a customer simply needs to take a selfie (or, as we’ve seen with Starling, a video selfie). The photo or video is then checked against the original photo or video on record with the bank. The customer will only be authenticated and able to add a new payee if both forms of identity (the photos or videos) match up. This is a secure, simple, and convenient method of authentication. Face biometrics removes friction for the customer and the bank when compared to other multi-factor authentication methods; at the same time, biometrics enhances the security of online and mobile payments.

Increasing security and reducing friction

Daon has helped financial institutions in the UK and across the globe implement biometric authentication. For over 20 years, Daon has led the market in digital identity security innovations and next-gen identity verification and authentication.

We know that shoring up security isn’t just about putting stronger methods of identity verification and authentication in place. Banks also need to think about the customer experience. How easy is it for customers to use these authentication methods? Is it convenient for them? Is it too complicated? Are there too many steps in the process?

When we speak with clients in financial services, we tell them to focus on finding the balance between security and customer convenience by reducing possible points of friction.

Security is all about layers. And all these layers require a solid platform. Daon’s IdentityX provides that strong foundation through Identity Continuity with a range of authentication factors, including biometrics. Identity Continuity builds instant digital trust with any customer, in any channel, in any application – from mobile and web to contact centre and in-branch, all using a single, secure, and universal approach to that customer’s digital identity journey.

Built on FIDO standards

Daon has been a member of the FIDO Alliance since 2014 and has helped banks adopt the latest, standards-based approaches to authentication for even longer. FIDO specifications or standards help deliver login experiences that are more secure than passwords and SMS OTPs. With FIDO authentication, bank customers, for example, can sign in with phishing-resistant credentials, including biometrics, security keys, and smartphone notifications.

In addition, FIDO’s latest standard, passkeys, is a much more secure and faster login option that can replace passwords, enhancing customer experiences across websites and apps. While passkeys may not be suitable for all banking scenarios, they are a useful tool and an emerging technology gaining widespread adoption.

With Daon’s IdentityX platform, banks can reduce their dependency on weak authentication factors like SMS links, OTPs, and passwords, improving the security of both customer and organization data.

Consolidation onto a modern platform

Newer banks like Starling don’t have the burden of having to deal with legacy technology. This means they can implement new systems at a faster pace than older banks that still use technology from earlier generations of digital banking. This older tech often includes cumbersome authentication systems. As customer expectations for digital experiences increase, these legacy technologies are no longer fit for purpose and can slow down innovation, especially in critical areas like security.

Daon’s IdentityX is a modern platform that can be used to replace legacy systems that risk a bank “being left behind,” as Which? reports. Banks can also use IdentityX to consolidate multiple systems onto one modern platform. Once they’ve moved to a future-proofed platform like IdentityX, banks can introduce more advanced methods of identity authentication to their customers, like face or voice biometrics, and start the process of removing outdated security methods.

There’s no doubt the banking industry is changing. As digital channels gain popularity, and new, digital-only banks emerge, the way people bank will continue to evolve. But with the convenience of digital comes the added risk of exposure to fraud. And newer, advanced methods of identity authentication are necessary to mitigate that risk. Biometrics technology is already making an impact on banking security, and its influence will grow. By 2025, Juniper Research predicts that biometrics will authenticate over $3 trillion of global mobile payment transactions, up 650% from $404 billion in 2020.

As the Which? report says, there is now an imperative for banks to tighten their security. As online and mobile banking continues to grow in the UK, there is an increased urgency for banks to modernise the platforms that support that security. Banks need to take every step to better protect their customers while also offering a frictionless customer experience. With its inherent security and ease of use, biometrics technology is a natural fit for inclusion as part of a modern security approach.