Banks must move past PIN, OTP to ensure mobile security

No longer secure, PINs and one-time passwords should be abolished as a form of authentication for mobile banking apps, and replaced by biometrics such as facial and voice recognition.
Written by Eileen Yu, Senior Contributing Editor

Asian banks need to stop using PINs and SMS-based OTPs, which no longer provide adequate security and user assurance, and start tapping biometrics to authenticate mobile users.

In fact, the future of authentication revolves around biometrics on smartphones, and banking apps must support the technology sooner rather than later, urges Tony Chew, Citibank's global head of cybersecurity regulatory strategy.

Speaking at the EmTech Asia 2016 conference, Chew expressed his frustration that most, if not all, banking apps available today "lacked imagination and creativity", providing little beyond basic functions.

He urged the industry to undergo "a big change", especially since surveys had revealed that 70 percent of consumers wanted better mobile banking products, but were concerned about security. They lacked sufficient trust and confidence that their information would be protected, and did not trust merchants, Chew added.

Noting how "absurd" it was that banks today still relied on passwords and PINs to manage user access, he said it was "ridiculous" that SMS-based OTPs (one-time passwords)--which he described as inconvenient--were commonly used to authenticate transactions.

Previously director of technology risk supervision at the Monetary Authority of Singapore (MAS), Chew further noted that Singapore had among the world's safest and soundest security systems, with zero or very low fraud losses for online banking over several years.

However, he added, this system comprised two-factor authentication based on a hardware token, issued to all online bank users, which was not convenient for processing banking and payment services on smartphones.

With most consumers now turning to their smartphones to communicate as well as access and share information online, they would need to be able to do so confidently via reliable security. This meant current measures such as PINs and SMS OTPs would have to go.

Chew called for more innovation in the realm of mobile banking, especially payments, and pointed to biometrics as the way forward, specifically, facial and voice recognition. As more tech vendors integrated support for biometrics in their products, such as Microsoft with Windows 10 and Intel's 3D RealSense Camera technology, he said the technology should now be more easily enabled on smartphones.

He also noted that biometrics offered much better security than PINs and passwords in terms of authentication and verification, tapping an individual's unique physiological and behavioural traits to build the user authentication template.

Having monitored the progress of biometrics over the years, he added the technology's accuracy and robustness had improved significantly. "It is definitely superior and better than the [security] Q&A [process], which is a ridiculous form of authentication, as is SMS OTP," Chew said, adding that he had seen biometrics technology tested in the labs and was confident in its stability. "This isn't science anymore. This is a business decision."

He noted that USAA, a US bank whose client base comprised primarily military personnel, was among the first to introduce three biometrics options via voice, face, and fingerprint. "Why haven't banks in Asia followed suit?" he said, pointing again to the lack of banking apps that used biometrics, particularly in this part of the world.

"The whole bank is now in your smartphone and, yet, we're reluctant and slow in moving to incorporate all the banking functions on the smartphone...PINs and passwords aren't secured," Chew said.

Singapore bets big on fintech

The Singapore government, though, does recognise the need to drive innovation, including in its financial sector. According to Sopnendu Mohanty, chief fintech officer at the country's central bank and financial services regulator MAS, several "big" initiatives around fintech (financial tech) will be unveiled this year, including efforts in building up the necessary ecosystem and supporting policies.

Also a speaker at EmTech, Mohanty noted that the global fintech industry was booming, attracting some US$13.7 billion in funding last year, up more than 45.83 percent over the previous year.

To drive market growth in Singapore, he said MAS adopted a regulatory and development approach, pushing out the necessary policies, for instance, to support technology development in this space. He added that other key factors, including a robust infrastructure as the bedrock, would be essential to help the market thrive.

He noted that banks were moving to an open architecture that would allow them to easily connect to fintech products, including non-financial technology, and facilitate the integration of creative tools. A change in mindset and culture also would be essential to drive the ecosystem and transform the way people connect.

In addition, MAS should serve as a "one-stop shop" where market players could go to as the centralised body for policy and development issues, he said.

An experiential infrastructure also would have to be established to encourage and provide a platform in which banks and financial services providers could test out new technology and tools with actual customers, within a protected sandbox environment.

In this respect, Mohanty revealed that MAS could soon become the world's first financial services regulator to provide guidelines on the development of new technology. This would create a unique landscape in which policies and regulations, for once, could keep pace and move ahead of technology, he said.

All of these would need to be underpinned by key technology components, namely, digital and mobile payments, authentication and biometrics, blockchains and distributed ledgers, cloud computing, big data and learning machines, cybersecurity, advanced sensors, and APIs (application programming interfaces).

Noting that payments accounted for 70 percent of the fintech market, he said there was tremendous growth potential and Singapore was investing significantly to develop this space.

Mohanty further stressed that, contrary to "a myth that has been going around", MAS firmly supported developments in cloud computing and recognised its importance. He said effort here would need to focus on ensuring the infrastructure was more than sufficient to support the financial sector.

Without APIs, however, none of these key technology components would work, he said, noting that it was critical that banks and fintech companies reengineered their systems to be API-enabled.
