
New selfie technology used by Lloyds Banking Group - expert comment

October 2016 by Robert Capps, VP of Business Development at NuData Security

Lloyds Banking Group has launched selfie technology to enable Bank of Scotland
customers to open a current account seamlessly online. Customers applying online
through the new simplified application form will sometimes be required to provide
ID. They will be able to complete a simple step-by-step application process to open
a current account and take pictures of their UK driving licence or passport, along
with selfie images to confirm their identity.

Robert Capps, VP of business development at NuData Security, comments:

“The username and password authentication framework is still the sole method of
verifying consumer identity in many non-face to face transactions. The problem with
it is that it’s proven to be about as waterproof as an open window. Multiple
ongoing breaches, with tens, no, hundreds of millions of lost records should be
enough to give question to its validity as a valid authentication method.

As consumers, we’ve essentially put ourselves in the situation of giving multiple
copies of our front door key to complete strangers, and asking them to protect them,
with the full knowledge that some can’t, or won’t. We play this game, one with
horrible odds, every time we give our keys away using single-point authentication.
Even attempts to fix this archaic system have been lackluster, with weak auxiliary
authentication schemes being duct taped over the top of a weak framework, such as
SMS challenges, and secret questions and answers, it’s no wonder that consumer
authentication is a mess.

Where these techniques fail is that they are just as prone to being stolen via
phishing attacks, breaches, malware, social engineering, and a cornucopia of
methods, in just the same way as passwords.

For most banks, traditional online authentication boiled down to a choice between
“effective”, “easy” and “low friction”, where you can only pick two
options. The option usually left out of the mix, was customer experience. Banks, in
particular, need to provide customers with security reassurance, the security guard
at the front door, if you will. Username and password authentication, layered with
varieties of 2FA provide some of this visual reassurance, but do little in the way
of actual security – and banks know that customers also require real protection
too.

Physical biometrics has been touted as the new generation of security for a while
now, and it’s starting to lose its glossy shine. Fingerprint and retinal scans,
seem impressive in movies, but fall far short of true authentication in the
real-world – especially in non-face-to-face interactions. Just like passwords,
high resolution copies of fingerprints can be stolen, copied and stored (just check
out this WikiHow if you don’t believe it). The OPM breach is a disastrous example
that will likely have ripple effects for several years. Any physical biometric also
has the added negative consequence of not being replaceable, meaning that while you
can change your password you can’t change your fingerprint or retina. Once they
are stolen, it’s a lifelong risk that you can’t make right again.

Many large companies and banks are looking to multi-layered solutions as the future
in authentication, realizing that single-point identity verification is inadequate.
Advances in behavioural tracking technologies that monitor customer behaviour, by
way of analysing hundreds of human interactional signals, have injected new life
into the authentication scheme and enlivened the whole multi-factor security paradigm.

Banks have discovered that a deep data-driven understanding of how good customers
behave gives them the ability to find better ways to protect and service them.
It’s reimagined security as a customer service, empowering banks to reduce
customer friction for good customers, and introduce more of it when needed.

Perhaps the greatest advantage of these new behavioural authentication
technologies, however, is that they provide real security for customers and their
accounts because they disarm hackers of their main weapon – personally identifiable
information, and usernames and passwords. Unable to successfully replicate the
behavioural interaction profile of a legitimate user, hackers can’t get past the
test, so we’ve effectively made their entire quest for the keys pointless.

Banks can now access technologies that build a user behavioural profile that is then
used for authentication without the customer being aware of its existence.
Completely invisible, and operating behind the scenes, this technology can determine
if the user is legitimate based on how they have acted in the past, and how other
humans with good intentions act.

Maybe we shouldn’t be so quick to rid ourselves of usernames and passwords though.
Even physical biometrics can still have a place in the authentication scheme. These
obvious security measures help reassure customers that the bank is secure, and
provide valuable touchpoints for further intelligence about the customer
interaction. They also add to the completeness of the ongoing customer behavioural
biometric profile. In an ironic twist of fate, they could even serve as a kind of
‘bait’ to lure hackers into wasting their time and resources collecting data
that will eventually prove useless to them. How fun would it be to turn the
tables?!”

