SDK.finance CEO Alex Malyshev writes for PaymentExpert on the biggest danger involved with fully embracing branchless banking.
With a third of the global population on lockdown and scores of bank branches closed, many are convinced that branch banking is dead, and the future is branchless. Is this really true?
Branchless alternatives like Revolut, N26, Monzo, and NuBank let customers achieve the same and often better results in a fraction of the time and cost of traditional banks. Although it may look like branches have outlived their usefulness, in reality, the branch vs. branchless debate is more complicated.
The first pure internet bank, Security First Network Bank (SFNB), was even one of the hottest internet IPOs in 1996. A cover story in The Economist 2007 forecast that “cash, after millennia as one of mankind’s most versatile and enduring technologies, looks set over the next 15 years or so finally to melt away into an electronic stream of ones and zeros.”
In the 2010s, the use of mobile and online banking skyrocketed. Bain retail banking report calculated that each digital banking interaction incurs a variable cost of about 10 cents, while a teller or call-agent interaction costs $4 or 40 times more! The new generation of branchless banks began to capitalize on the latest trend of customers opting only for digital banking services and rarely visiting the branch.
Over these 25 years, branches survived and thrived because they generated more revenue for banks in ways other than processing consumer transactions. Branches serve as advertisements, cultivate consumer loyalty, and create cross-selling opportunities.
However numerous financial professionals point that branches still exist because the older generation needs them. The younger, digitally literate generation can make the same operations online faster and more conveniently.
The consensus was that once the generations shift, branches won’t be needed. But these statements were based on the unwavering certainty that the future is branchless. In this article about the branch vs. branchless debate by SDK.finance, a core banking software provider, we will take a look at the biggest dangers of branchless.
The authentication security challenge
Out of all the functions of bank branches, one simple but crucial process is often overlooked. Whenever a customer wants something done at a bank branch, they first have to verify their identity. This relatively straightforward procedure is many times more complicated and difficult to do online.
Consumer authentication plays a vital role in the branch vs. branchless debate. If we can’t be sure that the person on the other end of the connection is who they claim to be, then the whole system is at risk. Hackers can disguise themselves as law respecting citizens, money launderers can move money around anonymously, and cybercriminals can remain elusive indefinitely.
What about two-factor authorisation, biometrics, and other authentication systems? Don’t they already confirm a customer’s identity remotely and securely, you may ask?
The short answer is that they do until they don’t.
Every new security development is met with numerous attempts to exploit it. Just like Newton’s third law, for every action, there is an equal and opposite reaction. Throughout history, humanity has been locked in this perpetual arms race, which isn’t likely to end anytime soon.
The fact of the matter is that no matter how good and secure new technology is, after five, ten, or a dozen years, there will be a way to exploit it. Despite that, there’s more to it than just security, as the next example will demonstrate.
Token security was not enough
In the early 2000s, two-factor authorisation (2FA) was performed using a security token, usually in the form of a key fob that would generate a unique code every 60 seconds. RSA SecurID hardware was a popular solution, and the company commanded over 70% of the two-factor authentication market in 2003, including banks and companies like Lockheed Martin.
In 2011, RSA’s systems were compromised as they fell victim to a sophisticated cyber-attack. As a result, they had to replace 40 million active devices for 30 thousand clients. A year later, a research team cracked RSA’s device in under 13 minutes, demonstrating further exploitable vulnerabilities.
However, even before RSA’s systems were compromised, their cost prohibited them from going mass market. Banks simply could not afford to give every customer an RSA device when they cost $50 per key fob for two years. Instead, only clients with sizable accounts that generated significant revenue for the bank would have access to them. For all its security merits, a physical key fob could not be used for mass authentication without incurring substantial costs.
SMS: the almost perfect solution
The 2000s saw rapid growth in the number of mobile devices used to receive one time passwords (OTP) over SMS. The method had several advantages over the token system, which resulted in its widespread adoption.
First and foremost, cost. Banks no longer had to issue expensive key fobs to clients. Instead, customers bought their mobile devices on their own. The only major investment for banks was the technology that would allow them to send OTPs. Each SMS costs a negligible amount at scale, and customers have a convenient way of authenticating their operations. The system was a brilliant upgrade. For some time.
The problem with SMS OTP authentication is that it has numerous exploitable flaws. Hackers have been able to bypass SMS OTP in many different ways for years. From mobile number transfer and operator interceptions to lost password bypasses and social engineering attacks, multiple exploits make the technology unsafe. In 2018 alone, there were 680 thousand known instances of mobile SIM takeovers used to steal funds.
The EU’s PSD2 directive that aims to protect consumers better and increase fraud prevention prohibits the use of SMS OTP because it does not provide Strong Customer Authentication (SCA) in online payments. The once brilliant solution is no longer considered safe on its own.
Digital activity is as unique as a fingerprint, but is it enough?
Besides SMS, banks and financial institutions have used a customer’s location and online activity to create a unique digital fingerprint that would be used to access their information. However, cybercriminals were able to hack these systems to access the digital fingerprint databases and sell access to them online.
With access to that information, attackers can completely impersonate someone’s online identity using more than 100 recorded data points, such as a user’s IP address, geolocation, operating system version, and how an individual interacts with their device.
Biometrics are not private
What about biometrics? Fingerprint, facial, iris, retina, and voice scanners are just some of the sensors used for security and authentication on modern mobile devices, but that does not make them safe to use.
Besides unprotected online databases that could be breached to obtain biometric data, Japanese researchers successfully extracted fingerprints from photos of individuals using mid-level consumer cameras that were then replicated using 3D resin printers.
While rudimentary face recognition has been defeated using simple photos of an individual, the more advanced systems were bypassed using a 3D-printed head that was formed using several pictures taken from different angles. Eye and retina scans were defeated in less than a month by printing a picture of an iris and adding a contact lens to match the eye’s curvature.
Voice authentication was circumvented by synthesizing voice from audio recordings and running them through artificial intelligence (AI) and machine learning (ML) algorithms. The use of modern technology resulted in new, highly sophisticated threats to digital security that are difficult, if not impossible, to counteract for good.
The biggest problem with biometric data is that it is static – it can’t be changed. If your password is compromised, you can reset it and make a new one quickly. If your fingerprint or retina scan gets stolen, how do you get them back? Once it has been leaked, it creates a permanent security problem.
For branchless and traditional banks alike, the merits of biometric authentication are clear. It’s quick to use, impossible for customers to forget, and can act as an additional layer of authentication. But the security flaws and vulnerabilities are as if not more apparent. With access to consumer biometrics, attackers can not only steal funds but commit fraud and money laundering at an unmatched scale without risking getting caught.
Even if all of these systems could be invulnerable to man-in-the-middle attacks, there would still be a problem with physical security. Every system described above is based on trust. A belief that a customer is the one holding a token key fob, a mobile phone, a laptop, etc. If a criminal takes the device away or forces a customer to unlock their device using biometrics under the threat of force, trust is broken, and these systems can be exploited in other ways.
Thus, it is very dangerous to transform the banking system to 100% branchless. Banks will face a great challenge of authentication security and cyber crime. Perhaps it is a way to the second life of the existing network of bank branches.