"EBA directive for online banking opens door to fraudsters"
Banks and payment services that use SMS to send one-time passwords to verify mobile and online payment transactions expose their customers to identity fraud. Aspect Software, specialist in the field of customer engagement solutions, warns about this.
The warning from Aspect Software anticipates the new guidelines from the European Banking Authority (EBA), which are meant to better protect consumers during mobile and online banking transactions. The guidelines take effect on 1 August 2015. They require banks and payment services to use multi-factor authentication for complex transactions such as payments, meaning that the customer's identity is verified in two independent ways (factors).
Keiron Dalton, mobile security expert and Director of Cloud Services at Aspect Software, thinks that the EBA guidelines will force payment services and banks to focus more on security in mobile and online banking. At the same time, he warns that the guidelines will come at the expense of ease of use and may open the door to new, more sophisticated forms of fraud, such as SIM swap. "These rules lead to major changes in digital banking. Banks will no longer be able to offer their customers simple and fast banking services; they will have to think about how secure their systems are and how they protect the interests of their customers."
Dalton: "The now proposed two-factor authentication method obliges many payment services to throw their current method overboard. At present, these services increasingly use one-time passwords via SMS or card readers to complete payment transactions. But SMS is easy to cheat with. We only need to look at the numbers to see that digital banking users have become more vulnerable. A 2013 report by the American software company FICO concludes that 'card not present' transactions (telephone or internet purchases) are the biggest cause of fraud. Banks focus too much on customer-friendliness, resulting in damage of 357 million euros [1]. As a result, internet scammers gain access to customer data, which they then abuse. With mobile banking, SIM swap is fast becoming the favourite method of fraudsters. In such a case, someone unlawfully obtains a duplicate of a mobile SIM card, which enables him to intercept communication, including SMS. Victims do not notice this until it is too late. Their account has already been plundered."
Dalton thinks banks should act now if they are to be prepared for the implementation of the EBA directive in August 2015. Their attention should focus on the authentication risks that the choice of channel (mobile, internet) entails. Dalton: "Payment services and banks must consider whether they make concessions on security with a simple and fast banking app. They can also choose to strike a good balance. Hard tokens, such as a card reader, and soft tokens, such as an SMS, are proven to be suitable for online banking, but cause inconvenience during the transaction. And consumers are busy people. Customer experience is becoming increasingly important thanks to the 24-hour economy and the call for greater ease of use. That only increases the importance of virtually undetectable verification. SIM swap checks, redirect detection, location determination: all are simple checks that can be performed without the user noticing, and at the same time they provide a powerful authentication tool for the device on which someone is banking online. Using data originating from a device, such as location data, suspicious transactions can be checked simply and imperceptibly, so that it can be determined whether a transaction is fraudulent or not. The user does not notice anything, and ease of use is optimal."
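The silent device-side checks Dalton lists can be combined into a risk score that decides when a payment needs extra friction. The following is an added example, not code from Aspect Software or from the EBA guidelines; its signal names, weights, thresholds and sample transactions are assumptions constructed for illustration. It also encodes one consequence of the quote above: once a recent SIM change has been detected, an SMS one-time password is no longer an independent second factor, so any step-up has to go through a channel that does not depend on the SIM.

```python
"""
Added example, not from the Aspect Software release: a minimal risk-based
step-up decision of the kind Dalton describes. Silent device-side signals
(a recent SIM change, a device far from the customer's usual location, an
unfamiliar device) are combined into a score; low-risk payments go through
without friction, higher-risk ones require a second, out-of-band factor.
Field names, thresholds and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import math

EARTH_RADIUS_KM = 6371.0


@dataclass
class CustomerProfile:
    customer_id: str
    home_lat: float
    home_lon: float


@dataclass
class Transaction:
    customer_id: str
    amount_eur: float
    timestamp: datetime
    device_lat: float
    device_lon: float
    device_known: bool                  # device previously enrolled by this customer
    sim_changed_at: Optional[datetime]  # assumed carrier lookup; None = no change on record


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def risk_score(txn: Transaction, profile: CustomerProfile,
               sim_change_window: timedelta = timedelta(days=7),
               far_distance_km: float = 500.0,
               high_amount_eur: float = 1000.0) -> Tuple[int, List[str]]:
    """Additive score built only from signals the customer never has to act on."""
    score, reasons = 0, []
    if txn.sim_changed_at is not None and txn.timestamp - txn.sim_changed_at <= sim_change_window:
        score += 50
        reasons.append("sim_recently_changed")
    distance = haversine_km(txn.device_lat, txn.device_lon, profile.home_lat, profile.home_lon)
    if distance > far_distance_km:
        score += 30
        reasons.append("device_far_from_home")
    if not txn.device_known:
        score += 20
        reasons.append("unknown_device")
    if txn.amount_eur >= high_amount_eur:
        score += 20
        reasons.append("high_amount")
    return score, reasons


def decide(score: int, reasons: List[str]) -> str:
    """Map the score to an action. A recent SIM change rules out SMS as the
    second factor, because that channel now belongs to whoever holds the SIM."""
    if score >= 80:
        return "block_and_contact_customer"
    if score >= 40:
        return "step_up_non_sms" if "sim_recently_changed" in reasons else "step_up_out_of_band"
    return "allow"


def evaluate(txn: Transaction, profile: CustomerProfile) -> dict:
    score, reasons = risk_score(txn, profile)
    return {"score": score, "reasons": reasons, "decision": decide(score, reasons)}


# Constructed sample data: one Amsterdam-based customer and four payment attempts.
PROFILE = CustomerProfile("c-1001", 52.37, 4.90)
NOW = datetime(2015, 8, 3, 10, 0)
ROUTINE = Transaction("c-1001", 45.0, NOW, 52.37, 4.90, True, None)
NEW_DEVICE_LARGE = Transaction("c-1001", 1200.0, NOW, 52.37, 4.90, False, None)
AFTER_SIM_CHANGE = Transaction("c-1001", 200.0, NOW, 52.37, 4.90, True, NOW - timedelta(days=3))
SIM_SWAP_PATTERN = Transaction("c-1001", 1500.0, NOW, 40.42, -3.70, False, NOW - timedelta(days=2))

if __name__ == "__main__":
    for name, txn in [("routine", ROUTINE), ("new_device_large", NEW_DEVICE_LARGE),
                      ("after_sim_change", AFTER_SIM_CHANGE), ("sim_swap_pattern", SIM_SWAP_PATTERN)]:
        print(name, evaluate(txn, PROFILE))
```

The weights are deliberately simple; in practice they would be tuned against the bank's own fraud data. The point the example makes is structural: the routine payment carries no friction at all, the unfamiliar device on a large payment gets a step-up through any out-of-band channel, and the payment made shortly after a SIM change gets a step-up that must avoid SMS, even though nothing else about it looks unusual.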
"The EBA guidelines should primarily encourage payment services and banks to promote ease of use and easy access to payment options. These are essential conditions for modern banking. At the same time, banks have a responsibility to protect their customers. Payment services and banks that do not combine these three aspects of online banking will see their customers leave," says Dalton.
[1] Exchange rate as of 31 December 2013, via Oanda.com