PSD2 opens up a large number of new opportunities for banks and their customers. The new directive puts customers in greater control over their finances, giving them the freedom to choose how to manage their money. It allows customers to share financial data more efficiently with banks, payment service providers, online merchants, e-commerce sites, and other third parties. Unfortunately, it also means there is greater risk of customers sharing this information with fraudsters.
Mobile banking customers are at a particularly high risk, due to the always-connected and sensitive nature of mobile devices. PSD2 takes this risk into consideration and requires financial institutions to use multiple advanced security measures, including passwords, tokens, and biometric scans. Strong security is no longer just a best practice; it is the law.
These changes could not have come at a better time. 36% of smartphone users used their devices for mobile banking in 2017, and as many as 36 million Android devices were hit by malware in the same year. This poses enormous risks for banks and their customers, especially with the new data sharing requirements imposed by PSD2. For banks, customers, and third parties to embrace modern banking successfully, developers must start implementing more secure authentication measures.
Predictions in Numbers
Mobile devices are currently the leading vector for payment fraud. According to PaymentsSource:
- 71% of all fraudulent transactions in Q2 of 2017 were from mobile browsers
- 28% of all instances of global fraud were caused by rogue mobile apps (malicious apps imitating legitimate apps)
- 16% of all instances of global fraud were caused by trojan horses
A study conducted by Kaspersky Security Network revealed the following:
- Over 1.74 million malicious packages were installed onto mobile devices in Q2 of 2018 (an increase of over 421,000 from Q1).
- Over 61,000 of these were mobile banking trojans, which masquerade as official banking apps in order to trick people into entering their login credentials.
- Mobile banking trojans are also the most rapidly growing threat, with over 42,000 new instances (an increase of 105%) detected since Q1 2018.
The report also found that Bangladesh and China experienced the greatest number of overall mobile malware attacks, followed by Iran and Nepal. The United States experienced the greatest number of mobile banking trojan attacks, as well as the greatest number of mobile ransomware attacks. While it's unclear whether fraudsters are deliberately attacking American users, it is clear that mobile users in both developed and developing economies are at risk of falling victim to malware.
Fighting the Emerging Smartphone Fraud Threats
The rate of mobile fraud may be growing, but there are countermeasures that address this growth. PSD2 takes a significant step towards combating mobile fraud through its Strong Customer Authentication (SCA) mandate, which reduces fraud by strengthening the user authentication process. Under SCA, users must authenticate with two or more independent elements drawn from different categories, so that the compromise of one element does not compromise the others; a password plus a PIN does not qualify, because both are things the user knows. The three categories are:
- Something you know, such as a password, PIN, security question.
- Something you have, such as a hardware token or mobile device.
- Something you are, such as a fingerprint or facial scan. This also includes behavioral attributes such as the way you type and swipe, and how you hold your device.
Many users are familiar with the first two categories through usernames, passwords, and two-factor authentication (2FA) systems. However, the real power lies in the third: biometrics and behaviors. Passwords can be phished or stolen, and devices can be stolen, cloned, or emulated. Physical attributes are much harder to replicate. Attackers have demonstrated bypasses of fingerprint readers and facial recognition systems, but doing so is far more intrusive and difficult than stealing a password.
Combining behavioral biometrics with physical ones makes it harder for fraudsters to impersonate a real, valid user. A static attribute (such as a fingerprint reading) establishes identity at login, while dynamic attributes, such as the user's typing cadence, swipe length, and the device's orientation during use, are compared continuously against the user's enrolled profile. Because this behavioral check runs in the background of the app, it provides ongoing authentication throughout a session without direct user input. A behavioral score is probabilistic, so a session whose behavior drifts away from the enrolled profile should be challenged with a conventional element rather than silently trusted.
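The following is an added example, not code from the original article or from any vendor it describes. It shows, in a toy form, the two mechanisms discussed above: the SCA rule that login elements must come from at least two different categories (so a password plus a PIN is rejected), and a continuous behavioral check that scores each window of typing cadence against an enrolled baseline and demands a step-up challenge when session confidence drops. The element-to-category mapping, the baseline and sample keystroke intervals, the 4-sigma cutoff, the smoothing weight, and the 0.6 threshold are all assumptions chosen for illustration.

```python
"""Added example: SCA element-category check plus continuous
behavioural-biometric scoring. Not from the original article."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed mapping of authentication element types to SCA categories.
CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "hardware_token": "possession",
    "registered_device": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def sca_satisfied(elements):
    """True if the presented elements cover at least two distinct SCA
    categories. Unknown element types fail closed with ValueError."""
    unknown = [e for e in elements if e not in CATEGORY]
    if unknown:
        raise ValueError(f"unknown authentication element(s): {unknown}")
    return len({CATEGORY[e] for e in elements}) >= 2


@dataclass
class TypingProfile:
    """Enrolled baseline of inter-keystroke intervals in milliseconds."""
    mu: float
    sigma: float

    @classmethod
    def enrol(cls, intervals_ms):
        # Floor sigma at 1 ms so a near-constant baseline cannot divide by zero.
        return cls(mean(intervals_ms), max(pstdev(intervals_ms), 1.0))

    def score(self, window_ms):
        """Confidence in [0, 1] that a window of intervals matches the
        profile: distance of the window mean from the baseline mean in
        standard deviations, reaching 0 at 4 sigma (assumed cutoff)."""
        z = abs(mean(window_ms) - self.mu) / self.sigma
        return max(0.0, 1.0 - z / 4.0)


@dataclass
class Session:
    """Tracks an exponentially smoothed confidence score for one session."""
    profile: TypingProfile
    confidence: float = 1.0
    step_up_required: bool = False
    alpha: float = 0.5      # weight of the newest window (assumed)
    threshold: float = 0.6  # below this, demand a step-up (assumed)

    def observe(self, window_ms):
        """Fold a new typing window into the session confidence."""
        s = self.profile.score(window_ms)
        self.confidence = (1 - self.alpha) * self.confidence + self.alpha * s
        if self.confidence < self.threshold:
            self.step_up_required = True
        return self.confidence

    def step_up(self, elements):
        """Clear a pending step-up only if the fresh elements themselves
        satisfy SCA (assumption: a step-up is a full re-authentication)."""
        if not sca_satisfied(elements):
            return False
        self.confidence = 1.0
        self.step_up_required = False
        return True


# Constructed sample data (milliseconds between keystrokes).
BASELINE_MS = [120, 130, 110, 125, 115, 135, 120, 125]   # enrolled user
LEGIT_WINDOW_MS = [118, 127, 122, 125]                    # same user, later
FOREIGN_WINDOW_MS = [200, 210, 190, 205]                  # different cadence


if __name__ == "__main__":
    print("password+pin satisfies SCA:", sca_satisfied(["password", "pin"]))
    print("password+device satisfies SCA:",
          sca_satisfied(["password", "registered_device"]))
    session = Session(profile=TypingProfile.enrol(BASELINE_MS))
    for window in (LEGIT_WINDOW_MS, FOREIGN_WINDOW_MS):
        c = session.observe(window)
        print(f"confidence={c:.3f} step_up={session.step_up_required}")
    print("step-up with pin+password accepted:", session.step_up(["pin", "password"]))
    print("step-up with pin+device accepted:",
          session.step_up(["pin", "registered_device"]))
```

A real deployment would score many more signals than one cadence statistic and would tune the threshold per risk level; the point here is the structure: an explicit category check at login, and a background score whose failure mode is a challenge, not a silent pass.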
In the context of PSD2 and SCA, this means banks, payment processors, and merchants can meet the legal requirements without adding friction to the user experience. It is a safer and more convenient approach to authentication.