PSD2 SCA delay: A time for organisations to revisit authentication
by Keiron Dalton, VP at Prove
Before Covid-19 brought the world to a relative halt, the European Banking Authority announced that organisations should meet the PSD2 Strong Customer Authentication (SCA) requirements by 31st December 2020. With the outlook still uncertain for the global economy, the UK regulator has extended the deadline until 14th September 2021.
A delay to a regulation like PSD2 SCA might seem to some like another headache to deal with alongside everything else. However, this postponement can actually be seen as a blessing in disguise. It has offered organisations within financial services more time to analyse their authentication methods to ensure they are vigorous enough ahead of the extended deadline.
PSD2 SCA: securing a digital world
Essentially, PSD2 was introduced to guarantee that a bank or payment service provider can prove that a transaction is being made by the account holder, rather than an unauthorised third party. For this to be possible, SCA, a key constituent of PSD2, requires merchants to use two-factor authentication for transactions worth more than €30. This forces customers to take extra steps to verify their identity, potentially relying on rigid methods such as SMS one-time passcodes (OTP) generated by the payment provider.
Many organisations welcomed the news of an extension when it was announced. During the nationwide lockdown, online traffic rocketed, resulting in banks and other financial services being placed under huge pressure in terms of monitoring transactions. Consumer habits also changed dramatically during this period: with more of us buying items online, it became more difficult to distinguish between genuine transactions and fraudulent activity. Thus, the delay has given organisations the chance to take a step back and reassess their approaches to authentication.
Reach SCA compliance: are current methods up to scratch?
Most of us will be familiar with more traditional methods of SCA standard authentication, such as one-time passcodes (OTPs), static passwords and security questions.
These authentication methods generally have a good track record in terms of keeping fraud down. The issue here, however, is that the methods used by cybercriminals are more advanced than ever before, meaning that traditional authentication procedures are open to compromise.
Cybercrime continues its rise
One fraudulent technique which threatens traditional authentication methods is that of SIM swapping. This technique consists of a hacker registering an existing phone number onto a new SIM card, which allows the criminal to gather all the sensitive data they need, including OTPs.
Furthermore, security questions can also be breached through, for example, a criminal gaining an understanding of a victim’s behaviour by monitoring keystrokes through a keylogging application.
Away from the security aspect, OTPs are also lacking when it comes to user-friendliness. Having to type a complex password multiple times due to errors is cumbersome and erodes the positive user experience that organisations work so hard to maintain.
Turning over a new leaf for authentication
Looking forward, it is clear that a change of direction is needed for authentication approaches. An ideal solution would be to combine security with simplicity, which can be achieved by making the most of mobile technology. As a society, the vast majority of us use our phones frequently and on a daily basis, therefore there is a huge amount of data attached to a mobile phone number that can be leveraged for authentication purposes.
A mobile intelligence-based approach can be extremely powerful in helping organisations to stop cybercriminals in their tracks. For example, a hacker trying to pose as a customer can be flagged immediately, due to this method’s ability to detect subtle yet suspicious patterns of behaviour.
Mobile intelligence also has major benefits on the customer experience side of things. Features such as auto form pre-fill can use mobile data to automatically fill in a subscription form, so a user doesn’t have to spend time doing it.
Thinking outside the box
Organisations need to use the coming months to reflect on how they will approach authentication in the future. Cybercriminals will continue to up their game as time goes by, so banks and other organisations within financial services need to stay a step ahead. If these businesses take advantage of mobile intelligence, authentication will become that bit more secure.