
Visible vs invisible banking security: The ongoing UX debate

The unsolved debate continues for financial service providers: fraud prevention versus function. Which is more important? On the one hand, too much friction risks losing clients. On the other hand, banks need to mitigate the high cost of fraud.
Recent reports estimate that the average cost (including theft, incident investigation, crisis management, client notification, regulatory fines and penalties, and lawsuits) of a single data breach is $4.24 million. A data breach that compromises 10 million records can cost a business $50 million on average. Raise that to 50 million records, and as much as $392 million is at stake.
And that is why the relentless pursuit to achieve the perfect balance between banking security and great user experience (UX) remains one of the main struggles for financial institutions.
‘Consumer authentication preferences for online banking and transactions,’ a PYMNTS.com and Entersekt collaboration survey conducted in November 2022, explores what level of security visibility consumers typically favor, so that security architectures can be built around those preferences. The outcome may not be what you would expect, but there is a solution.

How the frequency of transactions affects banking security preferences

The survey confirmed that 57% of consumers like to actively authenticate their identity (visible security) when buying goods and services, even though they believe their financial institution is protecting their identity and money.
However, 62% of consumers do not want to verify their identity every time they pay for goods and services. While half of consumers want to verify their identity every time they access their bank accounts, 22% want to verify their identity only the first time they access their bank account.

Customization is at the heart of authentication and a good user experience

These mixed findings continue with four out of five consumers expressing interest in using multi-factor authentication (MFA) during infrequent transactions. Three out of five would only use MFA for more routine activities.
In fact, one in three millennials said they wanted their financial institutions to use more invisible security measures, while another one in three said they’d prefer more visible security measures.
With such evenly split results, financial institutions (FIs) must carefully consider how to strike a good balance, while also paying attention to another factor: security fatigue, also known as alert fatigue. True customer convenience comes down to customization.

Creating a safer banking user experience that reduces friction

A proper resolution requires a combination of authentication approaches. Building a multi-layered defense that mitigates fraud risk while reducing friction wherever it is appropriate to do so is one way to minimize that fatigue and allow authentication to run unseen in the background for most interactions.
To achieve this, FIs should offer a range of authentication methods, including secure, easy access through MFA that suits their clients’ needs. This could be through a branded, FI-specific app or by leveraging biometrics on their PCs and mobile devices.
In addition, FIs should let users choose the login approach they prefer for the visible layer. This level of customization accommodates the varied preferences above while creating a tangible sense of security for the user and eliminating the fatigue factor.
Ensuring the user feels safe is equally important as creating an experience that removes unnecessary friction.

Strengthening usability and security with multi-layered authentication

Within the invisible layer, FIs should look for a unified solution with cross-channel awareness, continuous learning, and smart customer identification. A strong contextual data flow and the use of advanced risk signals should also be considered at this point. Many disparate legacy authentication options already exist; these should be reimagined to create robust, invisible protection.
These layers work together and communicate with each other to ensure the multiple vulnerabilities within the attack surface are blocked from various angles. For example, SMS injection and credential stuffing can easily be used in combination within a single attack, and so, one defense layer is not nearly enough.
To prevent such combined attacks, the real security solution lies in the layers themselves: unified layering can effectively address a range of fraud attack vectors, including:
  • Sniffing: Fraudsters “sniff out” sensitive, unencrypted packets of information moving across a network, either to sell on or use themselves.
  • SMS injection: Identity theft that takes place when fraudsters use malware, usually delivered via SMS, to copy a device’s certificates.
  • Man-in-the-middle attacks: Real-time interception of sensitive communications, often after someone has clicked a link to a fake website, entering their credentials, which the fraudster captures and then uses on the real site.
  • Phishing: Emails, text messages or voice calls that lure people into visiting scam websites or downloading malicious software, which is then used to gather credentials.
  • Account takeover fraud: A form of online identity theft in which fraudsters gain access to a victim’s account through a data breach, malware or phishing attack, allowing them to make non-monetary changes for further criminal activity.
  • SIM-swap fraud: Cloning of a physical SIM card, or porting of a victim’s mobile number from their SIM to another, through social engineering or collusion at the mobile carrier, used to intercept one-time passwords.
  • Chargeback fraud: Fraudsters buy goods online using stolen credit card details. Once goods are received, they apply for refunds. The victim’s bank balance remains neutral, and if they don’t check their credit card statements, the activity goes unnoticed.
  • Triangulation fraud: Using a fake site, fraudsters advertise items at discounted prices. Victims place orders using their credit cards, and the fraudster then buys and ships the item to the customer. The customer asks no further questions, and the fraudster retains the credit card details for future use.
When invisible layers are context-aware, they are more robust, especially when used in conjunction with customizable, visible defenses. We call this Context Aware™ Authentication.
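As an added illustration (not Entersekt's product or code), the following shows a minimal risk-based step-up decision combining the two layers described above: the invisible layer scores contextual signals (device, geolocation, velocity, transaction value), and the visible layer is the user's own chosen MFA method, shown only when the risk score demands it or when the user's stated preference (verify every time, or only the first time on a device) asks for it. The signal names, weights and threshold are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    """Per-user state: home country, known devices and the user's chosen visible layer."""
    home_country: str
    known_devices: set
    visible_pref: str          # "every_time", "first_time" or "risk_only" (assumed options)
    mfa_method: str            # e.g. "app_push" or "biometric", chosen by the user
    verified_devices: set = field(default_factory=set)

@dataclass
class Attempt:
    """Context signals gathered silently for one login or payment (constructed fields)."""
    device_id: str
    country: str
    action: str = "login"      # "login" or "payment"
    amount: float = 0.0
    logins_last_10m: int = 1   # cross-channel velocity counter

def risk_score(a: Attempt, p: UserProfile) -> int:
    """Invisible layer: additive score from contextual risk signals (assumed weights)."""
    score = 0
    if a.device_id not in p.known_devices:
        score += 40                      # unfamiliar device
    if a.country != p.home_country:
        score += 30                      # unusual geolocation
    if a.logins_last_10m > 5:
        score += 30                      # high velocity, typical of credential stuffing
    if a.action == "payment" and a.amount >= 1000:
        score += 20                      # high-value transaction
    return score

def decide(a: Attempt, p: UserProfile, threshold: int = 50) -> tuple:
    """Returns (outcome, method): 'step_up' shows the user's MFA method, 'silent' shows nothing."""
    score = risk_score(a, p)
    if score >= threshold:
        return ("step_up", p.mfa_method)          # risk overrides the user's preference
    if p.visible_pref == "every_time":
        return ("step_up", p.mfa_method)          # user wants to verify on every access
    if p.visible_pref == "first_time" and a.device_id not in p.verified_devices:
        return ("step_up", p.mfa_method)          # first access from this device only
    return ("silent", None)                       # low risk: no friction, no alert fatigue

def record_step_up(a: Attempt, p: UserProfile) -> None:
    """After a successful visible check, remember the device so the user is not re-prompted."""
    p.verified_devices.add(a.device_id)
    p.known_devices.add(a.device_id)
```

Thresholds and weights would in practice be learned continuously from fraud outcomes rather than fixed, which is the "continuous learning" the invisible layer needs.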
The result is a strengthened security and usability journey, enabling the right balance of safety versus UX. This combination of visible and invisible, curated security ultimately empowers the consumer. For the FI, it translates into revenue growth, cost savings, and protection from multiple fraud vectors at once.
To learn more about meeting consumer expectations with multi-layered authentication, get in touch with one of our experts.