NEW SECURITY BANKING TREND
Posted on 02.10.2023 at 12:01
To build an international start-up is a blessing – I’m one of those lucky people who get the chance to have such a varied experience. The same technology may be realized differently depending on the country and cultural context. For example, we used to offer our banking clients a fancy add-on to our main solution, a QR-based authentication feature https://youtu.be/0k9riTPHEjU. Usually our clients use it to simplify logging into the internet bank: no user name or any other data input, just scan the QR code and you’re in. It’s easy to use and adds security when bank clients access the internet banking service over a public network. How surprised I was when I first came to Vietnam and found this feature widespread in cardless ATMs, and never seen as part of the internet banking experience.
At the same time, you can see how differently the same tasks are solved in various regions. In many Asian countries one of the top banking trends is QR payment: people scan a QR code to pay street vendors for snacks or to pay in a coffee shop, while in some non-Asian countries fast payments are made simply with a mobile phone number linked to a card.
One of the obvious pain points for banking security is the necessity to perform two-factor authentication for log-in and money transfer operations in digital channels. When we were preparing the product for launch in a new country we were sure that everyone uses the same things: hard tokens like MAC-token calculators (hate them :) ) and USB tokens, or SMS OTP. Can you imagine how surprised I was when I first came to Indonesia, where many banks use a simple combination of Touch ID/Face ID and a static password in mobile, and you may even see hard tokens for consumers using internet banking (that is insane). At the same time in Vietnam, for example, many banks have cut off their internet bank and, for mobile, moved from SMS OTP to OTP soft tokens embedded in the banking app. I’m not even mentioning the FIDO authentication trend there.
But more or less all countries are moving from SMS-based authentication towards non-SMS methods. I would call it a global security trend in BFSI. Just take a look:
- Bank Negara Malaysia has instructed financial institutions to stop using SMS OTP as a form of authentication for online activities or transactions https://techwireasia.com/2022/09/malaysia-is-migrating-from-the-usage-of-sms-otp-is-biometrics-the-answer/
- As a measure to prevent scams and phishing, 11 commercial banks have stopped sending SMS with links to their clients, according to the Bank of Thailand (BOT) https://www.nationthailand.com/thailand/general/40026399
- MAS Singapore to set deadline for banks to phase SMS OTP out as sole authentication factor https://www.businesstimes.com.sg/companies-markets/banks-move-away-sms-otps-favour-app-based-authentication-methods
One more case: recently I had a chance to study the new circular on banking security requirements in Pakistan and was really surprised. They have implemented an absolutely wise solution for banking transaction authentication. First, they excluded any manual input of OTP: “FIs shall implement One Time Password (OTP) auto-fetch or auto-fill functionality, with sender binding control restricting manual entry of OTP”. I call it wise because any process that involves retyping an OTP adds risk to transaction security: a code the customer reads and types can just as easily be read out to a fraudster or typed into a phishing page, whereas an auto-fetched code bound to a known sender never leaves the app. But what is more interesting about the new circular in Pakistan is device binding: “Customer devices (such as computer, laptop, tablet or mobile etc.) shall be registered using device finger-printing / device binding for authenticating customer access. The functionality of managing the devices by the customers in their internet banking/mobile application shall also be provided”.
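To make the device-binding requirement quoted above concrete, here is an added example of device binding with a challenge-response login; it also covers the QR-based login described at the start of the post, where the browser shows a challenge that an already-bound phone signs. This is illustrative code written for this page, not code from the Pakistani circular, from any bank, or from our product. It assumes a simplified model: a random per-device secret established at enrollment and HMAC-SHA256 responses. Real apps keep an asymmetric key in the phone's hardware keystore and sign with it, but the server-side checks (single-use challenge, expiry, customer-managed revocation, customer and device identity bound into the signed message) are the same. Names such as DeviceBindingServer, walkthrough and the customer/device ids are made up.

```python
import hashlib
import hmac
import secrets
import time


class DeviceBindingServer:
    """Bank-side state: enrolled devices per customer and outstanding challenges.
    Simplified model: symmetric per-device key; a real bank would store a public key."""

    def __init__(self, challenge_ttl=120):
        self.devices = {}      # customer_id -> {device_id: {"key": bytes, "label": str}}
        self.challenges = {}   # challenge -> (customer_id or None, device_id or None, expires_at)
        self.challenge_ttl = challenge_ttl

    # Enrollment happens once per device, after the bank has verified the customer
    # through another channel. The key is handed to the device exactly once.
    def enroll_device(self, customer_id, device_id, label):
        key = secrets.token_bytes(32)
        self.devices.setdefault(customer_id, {})[device_id] = {"key": key, "label": label}
        return key

    # The "manage my devices" functionality the circular asks for.
    def list_devices(self, customer_id):
        return {d: v["label"] for d, v in self.devices.get(customer_id, {}).items()}

    def revoke_device(self, customer_id, device_id):
        return self.devices.get(customer_id, {}).pop(device_id, None) is not None

    # App login from a known device: the challenge is bound to that device up front.
    def issue_challenge(self, customer_id, device_id, now=None):
        return self._store_challenge(customer_id, device_id, now)

    # QR login: the browser session is not tied to anyone yet, so the challenge is
    # unbound; whichever enrolled device signs it becomes the logged-in identity.
    def issue_qr_challenge(self, now=None):
        return self._store_challenge(None, None, now)

    def _store_challenge(self, customer_id, device_id, now):
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = (customer_id, device_id, now + self.challenge_ttl)
        return challenge

    def verify(self, customer_id, device_id, challenge, response, now=None):
        now = time.time() if now is None else now
        entry = self.challenges.pop(challenge, None)   # single use: a replay finds nothing
        if entry is None:
            return False
        bound_customer, bound_device, expires_at = entry
        if now > expires_at:
            return False
        if bound_customer is not None and (bound_customer, bound_device) != (customer_id, device_id):
            return False
        device = self.devices.get(customer_id, {}).get(device_id)
        if device is None:
            return False   # never enrolled, or revoked by the customer
        expected = sign_challenge(device["key"], customer_id, device_id, challenge)
        return hmac.compare_digest(expected, response)


def sign_challenge(key, customer_id, device_id, challenge):
    """What the app computes. Putting customer and device ids into the MAC input
    stops a valid response from being presented under a different identity."""
    msg = f"{customer_id}|{device_id}|{challenge}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def walkthrough():
    """Run the flows end to end on constructed data and return the outcomes."""
    server = DeviceBindingServer(challenge_ttl=120)
    key = server.enroll_device("cust-1", "phone-A", "Pixel 7")
    attacker_key = secrets.token_bytes(32)   # knows the ids, does not have the device key

    # 1. Ordinary app login on the bound device.
    c1 = server.issue_challenge("cust-1", "phone-A", now=1000)
    login = server.verify("cust-1", "phone-A", c1, sign_challenge(key, "cust-1", "phone-A", c1), now=1010)
    # 2. Replaying the same response is refused: the challenge was consumed.
    replay = server.verify("cust-1", "phone-A", c1, sign_challenge(key, "cust-1", "phone-A", c1), now=1011)
    # 3. A challenge answered after its TTL is refused.
    c2 = server.issue_challenge("cust-1", "phone-A", now=1000)
    expired = server.verify("cust-1", "phone-A", c2, sign_challenge(key, "cust-1", "phone-A", c2), now=1200)
    # 4. An unregistered device impersonating phone-A fails the MAC check.
    c3 = server.issue_challenge("cust-1", "phone-A", now=1000)
    wrong_key = server.verify("cust-1", "phone-A", c3, sign_challenge(attacker_key, "cust-1", "phone-A", c3), now=1001)
    # 5. QR login: the browser displays an unbound challenge, the enrolled phone signs it.
    qr = server.issue_qr_challenge(now=2000)
    qr_login = server.verify("cust-1", "phone-A", qr, sign_challenge(key, "cust-1", "phone-A", qr), now=2005)
    # 6. The customer removes the phone from their device list; it can no longer log in.
    revoked = server.revoke_device("cust-1", "phone-A")
    c4 = server.issue_challenge("cust-1", "phone-A", now=3000)
    after_revoke = server.verify("cust-1", "phone-A", c4, sign_challenge(key, "cust-1", "phone-A", c4), now=3001)

    return {"login": login, "replay": replay, "expired": expired, "wrong_key": wrong_key,
            "qr_login": qr_login, "revoked": revoked, "after_revoke": after_revoke,
            "devices_left": server.list_devices("cust-1")}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Two points worth noting in the design: the challenge is removed from the table before any check runs, so a replayed or raced response never finds it, and the QR flow deliberately leaves the challenge unbound until a signature arrives, which is why the phone, not the browser, is the thing that must be enrolled.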
From this perspective, it’s such a pleasure for me to see that adoption of a great tech trend may happen not only in the well-known high-tech meccas. Besides that, it’s a pleasure to see that 5 years ago McKinsey analysts mentioned all of these principles in their reports, the same principles we use in our solution, and now these principles have become a de facto standard not in one country or region but in countries around the globe. Is it a new cyber security trend? I don’t know, but I like it a lot.