Strong Customer Authentication (SCA) is the new identity verification requirement introduced across the EU.
Regardless of Brexit and the current transition period, SCA will continue to apply in UK domestic law pursuant to the Payment Services Regulations 2017. Undoubtedly, this is a good thing for consumer protection – as fraudsters become more sophisticated in their attempts to part customers from their money, it is right that banks and other payment services providers (PSPs) implement more robust identity checks for payments.
However, these measures alone do nothing to combat fraud where payments have been initiated by the customers themselves (i.e. authorised push payment (APP) fraud).
Indeed, banks have obligations to prevent fraud that go beyond the provision of SCA. Many are signatories to the voluntary CRM Code on APP fraud and all are subject to oversight by the Financial Conduct Authority which monitors compliance with anti-fraud best practice.
All of which begs the question:
Is complying with SCA enough to prevent fraud?
PSPs should be aware that whilst it serves as a useful baseline to indicate the steps that all PSPs should take as a minimum, SCA alone is unlikely to provide adequate protection from the risk of fraud.
We discussed the three elements of SCA in this previous article. To recap briefly, they comprise the knowledge element, the possession element and the inherence element. A customer must satisfy two of the three to authorise a payment.
Whilst this two-factor approach to authentication is undoubtedly an improvement for any organisation that still relies on single factor authentication, it is very possible that a fraudster could compromise more than one of the elements and therefore authorise a payment.
Compromising the knowledge element of SCA
The knowledge element of SCA (such as a password, pin or security question) is known to be vulnerable to fraud, as customers can be duped into disclosing this information to criminals or it can be stolen from them in phishing, cyber or malware attacks.
This information could also be compromised in a data breach at another third-party company. Take the TalkTalk, British Airways or Equifax data breaches for example. These are all reputable companies that were subject to cyber attacks that led to unauthorised access to their customers' personal information. In each of these breaches, the ICO have issued (or gave notice of an intention to issue) fines after finding that the measures in place to protect customers' personal information were inadequate.
If a PSP customer is unlucky enough to have had their data compromised (and there are hundreds of thousands of people that have), there is a chance their stolen information could be used to satisfy the knowledge element of SCA.
Compromising the possession element of SCA
The possession element of SCA could similarly be vulnerable to fraud. Sim-swap fraud is a particular example that has received attention recently, when food writer Jack Monroe lost £5,000 in an attack.
Sim-swap fraud, otherwise known as 'sim-jacking', is where perpetrators obtain details about their victims and use those details to pose as them and convince their network providers that the victim has had their phone stolen or lost and their phone number needs to be ported over to a replacement sim. As above, the fraudsters often obtain the victim's details in malware or phishing attacks, by conning them into giving over their information and scouring social media, or by purchasing information on the dark web that has been stolen in attacks on other organisations. Once the phone company has actioned the fraudulent port-over request, the fraudster can intercept two-factor authentication text messages and authorise payments and transactions from the victim's accounts.
The EBA have confirmed that for a device to be considered in the customer's possession there needs to be a reliable means to confirm this, through the generation or receipt of a "dynamic validation element" on the device. This is why the possession element can be satisfied through the generation of a one-time password (such as a text message). The EBA have also confirmed that, in the case of a text message, the possession element is not the text itself but the sim card associated with the mobile number. This proves problematic if fraudsters are able to swap the sim card and so make the means of confirming possession unreliable. PSPs using such an SCA method are therefore reliant on third-party network providers to ensure sim-swap requests are subject to sufficient checks.
Compromising the inherence element of SCA
Inherence appears to be one of the more secure elements for the time being. However, it relies upon the customer having access to the appropriate technology (for example a retina or fingerprint scanner) so this may not always be possible.
Although based on newer technology, biometric data (such as fingerprints, facial or voice recognition) are also susceptible to compromise – as this recent article highlights.
What else can PSPs do to protect customers from fraud?
As highlighted, a transaction could be SCA-compliant by satisfying two or more of the required elements and yet still have been initiated by a fraudster or be facilitating a fraud. In all of the scenarios above, the PSP's authentication procedures could be compromised by the effectiveness (or rather ineffectiveness) of a third party's security systems and fraud prevention measures. Therefore, PSPs should be wary of relying on forms of SCA that depend on a third party's security in this way.
Good fraud prevention is often multi-layered and dynamic, based on the learning of particular trends and typologies. It requires the use of up to date technology based on risk assessments relevant to the particular PSP and customer. Otherwise, not only are customers vulnerable but PSPs will be at risk of claims of failing in their duty to offer adequate fraud prevention systems.
For instance, despite the risk of warning fatigue, PSPs should continue to dynamically remind their customers to be vigilant of attempts by fraudsters to steal their information and to raise their awareness of the risk posed by phishing and cyber-attacks. This will be of little use if the customer's data is compromised in an attack on another organisation, so PSPs should also consider time-limited credentials, or credentials with traceability, so that data linked to a known compromise event can be identified and retired.
PSPs should also consider the way that they are using text messages to verify a customer's identity, as this also relies on the effectiveness of a third party's security systems (i.e. the mobile phone provider). The National Cyber Security Centre published security advice for organisations using text message authentication in November 2019, stating that SMS technology "was never intended to be used to transmit high risk content" and as a result there are "inherent weaknesses in the system". The FCA has also issued guidance stating that PSPs will need to provide authentication for their customers that does not rely on mobile phones in any event.
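As an added illustration (not part of the original article, and not any PSP's actual system), the following Python sketch applies the reasoning of the last few paragraphs: presenting two SCA elements is necessary but not sufficient, so each factor is discounted when there is a signal that it is likely in a fraudster's hands (knowledge enrolled before a known compromise event, or an SMS code sent to a number whose SIM recently changed), and a dynamic, risk-based layer refuses to let a high-value payment hinge on SMS alone. The SIM-change signal, the known-compromise date, the seven-day window and the £5,000 threshold are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Which SCA element each authentication method evidences.
ELEMENT_OF = {
    "password": "knowledge",
    "security_question": "knowledge",
    "sms_otp": "possession",       # one-time code sent by text message
    "app_push": "possession",      # approval in an app bound to a registered device
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}

# Assumed policy values (not from the article): a SIM change inside this window
# is treated as a SIM-swap indicator, and above this value SMS-based possession
# is not accepted as the only possession/inherence evidence.
SIM_SWAP_WINDOW = timedelta(days=7)
HIGH_VALUE_GBP = 5000.0


@dataclass
class Factor:
    method: str
    enrolled_at: datetime                      # when the secret or device was enrolled
    sim_changed_at: Optional[datetime] = None  # sms_otp only: last SIM change the network reported


@dataclass
class AuthAttempt:
    now: datetime
    factors: List[Factor]
    amount_gbp: float
    known_compromise_at: Optional[datetime] = None  # date of a breach known to affect this customer


def evaluate(attempt: AuthAttempt) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons) for one payment attempt."""
    reasons: List[str] = []
    trusted = {}  # element -> method that evidenced it
    for f in attempt.factors:
        element = ELEMENT_OF.get(f.method)
        if element is None:
            reasons.append(f"{f.method}: unknown method, ignored")
            continue
        # Knowledge enrolled before a known compromise may have been stolen with it.
        if (element == "knowledge" and attempt.known_compromise_at is not None
                and f.enrolled_at <= attempt.known_compromise_at):
            reasons.append(f"{f.method}: predates known compromise, not trusted")
            continue
        # An SMS code only proves possession of whichever SIM currently holds the number.
        if (f.method == "sms_otp" and f.sim_changed_at is not None
                and attempt.now - f.sim_changed_at < SIM_SWAP_WINDOW):
            reasons.append("sms_otp: SIM changed within window, not trusted")
            continue
        trusted.setdefault(element, f.method)

    if not trusted:
        return "deny", reasons
    if len(trusted) < 2:
        reasons.append("fewer than two trusted independent elements")
        return "step_up", reasons
    # Risk-based layer: a high-value payment should not rest on the phone network alone.
    if (attempt.amount_gbp >= HIGH_VALUE_GBP and trusted.get("possession") == "sms_otp"
            and "inherence" not in trusted):
        reasons.append("high value: possession via SMS only, require a non-SMS factor")
        return "step_up", reasons
    return "allow", reasons


def demo() -> dict:
    """Run constructed scenarios (sample data, not real customers); returns name -> decision."""
    now = datetime(2020, 3, 1, 12, 0)
    pw = Factor("password", enrolled_at=datetime(2019, 6, 1))
    sms_ok = Factor("sms_otp", enrolled_at=datetime(2019, 6, 1))
    sms_swapped = Factor("sms_otp", enrolled_at=datetime(2019, 6, 1),
                         sim_changed_at=now - timedelta(days=2))
    face = Factor("face", enrolled_at=datetime(2019, 6, 1))
    breach = datetime(2019, 9, 1)  # constructed third-party breach date
    scenarios = {
        "normal": AuthAttempt(now, [pw, sms_ok], 50.0),
        "breached_knowledge": AuthAttempt(now, [pw, sms_ok], 50.0, known_compromise_at=breach),
        "sim_swap": AuthAttempt(now, [pw, sms_swapped], 50.0),
        "both_compromised": AuthAttempt(now, [pw, sms_swapped], 50.0, known_compromise_at=breach),
        "high_value_sms": AuthAttempt(now, [pw, sms_ok], 6000.0),
        "high_value_biometric": AuthAttempt(now, [pw, sms_ok, face], 6000.0),
    }
    return {name: evaluate(a)[0] for name, a in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

The point of the structure is that SCA compliance is checked first (two independent elements) and the risk signals then subtract trust from individual factors rather than adding to a score; a PSP would feed the SIM-change and compromise-event inputs from its network-operator and breach-monitoring sources, and "step_up" would route to an authentication method that does not depend on the mobile phone.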
SCA is a new minimum, not the silver bullet
Fraud is an industry-wide problem and the tactics employed by fraudsters are evolving and continue to become more sophisticated. Customers need to have confidence that the systems in place are secure, reliable and safe, and all of the players in the market need to continue to work together to combat the issue. As the SCA deadline nears, PSPs should not lose sight of the fact that this is a regulatory requirement and the minimum that needs to be done to effectively protect against fraud. It is more important now than ever for PSPs to continually analyse the methods and techniques employed by fraudsters, as well as identifying the risks within their own systems and seeking to close these gaps, to ensure that PSPs are always one step ahead.