Does a Mobile-Centric Society Undermine PSD2?

The impact of the EU's Second Payment Services Directive (PSD2) continues to shake up and open up banking systems across Europe, but a major component is still to come into force: the requirement for strong customer authentication, more commonly known as two-factor authentication, for online card payments. This will kick in by September 2019 and promises to reduce fraud by confirming customer approval of all significant transactions. It means some serious technical work is required of banks and payment providers to ensure their systems not only comply with the new regulation but do so in a way which minimizes additional effort from consumers.

In many implementations, two-factor authentication relies on a mobile app or text message, making for a common point of compromise.

Overreliance on the smartphone risks mistaking device authentication for user authentication. (Image: Adobe Stock)

PSD2-factor authentication

PSD2 was signed into EU law in 2015, with member states required to adopt its requirements into their own laws by Jan 13, 2018; in the UK this was addressed by the Payment Services Regulations 2017. The requirements include more open visibility of bank account information, leading to an explosion in offerings combining multiple accounts from different providers in a single place, usually a website or app.

The strong customer authentication (SCA) part of the legislation defines SCA in the same way two-factor has generally been defined: a combination of at least two out of three types of authentication data. The categories are listed in the legislation as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).

In everyday terms, the knowledge component is generally a username or password; things like memorable information or answers to pre-set personal questions (mother's maiden name) would also fall into this category. These are inherently limited in terms of security. Passwords can be leaked, shared, guessed or worked out, while the security questions used to supplement passwords are often based on personal information which may be easily discovered, especially in a world where many people openly share huge amounts of information via social networks.

The possession side of things is also in common use for online security. The standard implementations are smartphone apps which generate unique one-time codes or require the user to hit a confirm button before a login is approved or a payment is made. In the physical world a card counts as a possession, so making a chip-and-PIN payment or ATM withdrawal is a two-factor process combining possession of the card and knowledge of the PIN. This translates into the online world with card readers, which use a generic reader to create a one-time code using the card, and also with user-unique code-generating dongles. Both methods are widely used to secure online banking, although more common in business accounts than at the consumer level. Possession also covers codes sent via SMS or voice calls, in which case the phone, or more specifically the phone number, is the possession element.

The inherence category is the least widely used so far, but potentially the most secure and the simplest to operate from the user perspective. It includes all biometric approaches, from fingerprint readers and face recognition (both now commonly supported in high-end smartphones) to voice or iris identification. More esoteric methods include identifying individuals by everything from the way they move to the patterns of their heartbeat or the smell of their breath. So far none of these methods have proved entirely reliable, with even high-end variants often easily defeated. Examples of this include the use of Gummi Bears to trick early fingerprint sensors and the facial recognition in the latest iPhones being unable to tell twins apart.

Too much mobile

Under PSD2, payments and access to account information will need to be secured by SCA-compatible technologies by September next year, with a few exemptions: for example, smaller transactions (up to €30 online or €50 for contactless) or payments to pre-approved recipients. The SCA component of logging in to view account details needs to be refreshed every 90 days.

With ever more payments being initiated directly from our mobile devices, their value as a secondary possession element is reduced: if a bad actor gets hold of your phone, either physically or by remote hijack, they can also get at your code generator or SMS messages and successfully impersonate you to your payment processor. SMS methods are particularly vulnerable to simple port-out scams, where an attacker uses weak security at phone service providers to pose as a customer and have a number redirected elsewhere; with many providers still relying on basic private information such as dates of birth or Social Security numbers, this can be very simple to achieve. Using phones as both the transaction tool and the possession part of the authentication process also risks violating the independence requirements under PSD2: the two factors used for authentication need to be separated in such a way that, should one factor be compromised, the second remains secure.

This convergence makes biometrics an even more attractive option. Smartphones are the weapon of choice here too, as they can provide fingerprint reading (for many of us at least: two-thirds of new phones now have readers, but it will take some time for all of us to have them), while increasingly sophisticated cameras and microphones can provide face, iris or voice recognition, and motion sensors may soon be able to measure our unique gait or gesture patterns. Many laptops also include fingerprint readers. This means we can meet the inherence component even if the device used to measure it is the same one being used to make the transaction. However, this rules out a large proportion of the population: those with no compatible device, or no device at all. While the number of customers making online payments using only a basic PC may be limited, banks and payment processors can't afford to shut them out entirely.

The other potential issue with biometrics is their immutability. It's easy to change a password, order a replacement card or buy a new phone, but we can't change our fingerprints, face or voice, at least without fairly significant surgery. If crooks figure out how to spoof any of these, either with physical copies or by compromising and reproducing their digital representations, it's pretty much game over for that feature as a reliable means of identification.

Most of these approaches also rely on internet connectivity, or at least cell phone service, so may be unsuitable or expensive for travelers. The simplest possession method, using a code-generating app such as Google Authenticator, is at least viable without data roaming costs, but the others all require at least some mobile data to transmit requests and confirmations. There are doubtless other circumstances where particular methods are impossible or inappropriate, for example fingerprints when you've got a hand in bandages after an injury. So some sort of fallback options will be necessary.

Ultimately it is likely that banks and other payment providers will need to make multiple methods available to their customers and allow them to choose whichever combination works best for each individual. They'll also need to give users the ability to select the best options for their circumstances on the fly, while remaining secure. This could become a major differentiator, with those companies providing the most seamless, reliable and low-effort options likely to accumulate more users, while those who offer only limited or awkward methods will undoubtedly lose business.

With little over a year before the SCA components of PSD2 come into force, we should be seeing a major upturn in the release of new authentication methods very soon indeed. There's not much time for these new methods to be trialed, rolled out and accepted as the new reality. Just how much more security they will provide remains to be seen.
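The SCA rules the article lays out (two of the three categories, factor independence from the device the transaction comes from, the low-value and trusted-payee exemptions, and the 90-day refresh for account access) lend themselves to a small policy check. The following is an added worked example written for this page; it is not code from the original article or from any bank or payment provider. The `Factor` and `Transaction` data model, the notion of a factor being "bound" to a device, the scenario values and the three-way verdict are assumptions made for illustration; the thresholds are the figures the article quotes, not the wording of the regulatory technical standards.

```python
"""Toy PSD2 strong-customer-authentication (SCA) policy check.

Added example for this page, not the article's or any provider's code.
Data model, device binding and scenarios are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Factor:
    kind: str                       # e.g. "password", "sms_otp", "fingerprint"
    category: Category
    device: Optional[str] = None    # device holding/measuring it; None if not device-bound


@dataclass
class Transaction:
    kind: str                       # "remote_payment", "contactless_payment", "account_access"
    device: str                     # device the transaction is initiated from
    amount_eur: float = 0.0
    trusted_payee: bool = False     # recipient pre-approved by the customer
    last_sca: Optional[date] = None  # account_access only: when SCA was last applied


# Thresholds as quoted in the article (constructed constants, not the RTS text)
LOW_VALUE_REMOTE_EUR = 30.0
LOW_VALUE_CONTACTLESS_EUR = 50.0
ACCOUNT_ACCESS_REFRESH_DAYS = 90


def sca_required(tx: Transaction, today: date) -> bool:
    """Return True unless one of the article's exemptions applies to tx."""
    if tx.kind == "remote_payment":
        return not (tx.trusted_payee or tx.amount_eur <= LOW_VALUE_REMOTE_EUR)
    if tx.kind == "contactless_payment":
        return tx.amount_eur > LOW_VALUE_CONTACTLESS_EUR
    if tx.kind == "account_access":
        if tx.last_sca is None:
            return True
        return today - tx.last_sca >= timedelta(days=ACCOUNT_ACCESS_REFRESH_DAYS)
    return True  # unknown transaction kinds are never exempt


def evaluate_factors(factors: List[Factor], tx_device: str) -> Tuple[str, List[str]]:
    """Classify presented factors as 'strong', 'weak_independence' or 'insufficient'.

    insufficient      : fewer than two distinct categories were presented.
    weak_independence : two categories, but a device-bound factor (possession or
                        inherence) lives on the very device the transaction comes
                        from, so one device compromise exposes channel and factor.
    strong            : two categories and no device-bound factor on tx_device.
    """
    reasons: List[str] = []
    categories = {f.category for f in factors}
    if len(categories) < 2:
        reasons.append(f"{len(categories)} category presented, need at least 2 of 3")
        return "insufficient", reasons
    co_located = [f.kind for f in factors if f.device is not None and f.device == tx_device]
    if co_located:
        reasons.append(f"factor(s) {co_located} are bound to the transaction device {tx_device!r}")
        return "weak_independence", reasons
    return "strong", reasons


def decide(tx: Transaction, factors: List[Factor], today: date) -> Tuple[str, List[str]]:
    """Full decision: exemption check first, then factor quality."""
    if not sca_required(tx, today):
        return "exempt", ["low-value, trusted payee or recent SCA"]
    return evaluate_factors(factors, tx.device)


def main() -> None:
    # Constructed scenarios; every value below is made up for illustration.
    today = date(2019, 9, 14)
    password = Factor("password", Category.KNOWLEDGE)
    sms_otp = Factor("sms_otp", Category.POSSESSION, device="phone")
    hw_token = Factor("hw_token_otp", Category.POSSESSION, device="token")
    scenarios = [
        ("EUR 25 remote payment", Transaction("remote_payment", "phone", 25.0), [password]),
        ("EUR 120 from phone, SMS OTP", Transaction("remote_payment", "phone", 120.0), [password, sms_otp]),
        ("EUR 120 from phone, hardware token", Transaction("remote_payment", "phone", 120.0), [password, hw_token]),
        ("account access, last SCA 105 days ago",
         Transaction("account_access", "laptop", last_sca=date(2019, 6, 1)), [password]),
    ]
    for label, tx, factors in scenarios:
        verdict, reasons = decide(tx, factors, today)
        print(f"{label:40s} -> {verdict:18s} {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

The verdict deliberately separates "insufficient" (a plain rule violation) from "weak_independence", which is the situation the article warns about: two categories are technically present, but a phone that is both the transaction channel and the holder of the OTP or biometric is a single point of compromise. A real deployment would replace the device-name comparison with whatever device attestation the provider actually has.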