The Virtual Safe – Protecting Money in the 21st Century
Exchanges of money are as old as humanity. The trade of goods and services for currency have been physical, real-world experiences. We’ve become accustomed to putting coins in a slot, handing over notes, receiving change, signing cheques, countersigning travellers’ cheques and more. Virtual examples, which lack the jangle of coins in our pockets or the sound of crisp notes, are relatively new. Online banking, tapping a card, using a PIN or an app have required cultural change and trust.
Data overwhelmingly indicates that we are becoming accustomed to the digital movement of funds, but many of us still worry about the safety of electronic transactions, especially online. The news is full of stories about data breaches, cybercrime, password disclosure and more. So too are Hollywood movies, which trade off futuristic technologies and hacking them as plot points. Mission Impossible becomes Mission Probable. Getting customers to believe that transactions are secure is hugely important for any retailer – and is also, for now, somewhat against human nature.
Convenience is key to confidence, but the more convenient the transaction the less secure it has tended to be. Bank security initiatives have often failed because customers consider them too burdensome. But things are changing. The best technology, thanks to innovation, can now deliver transactions that are both secure and simple.
The key is at the point of transaction by making customers’ log-ins more secure without making them more complicated. The key, also, is in making the technology better at spotting fraudulent transactions. Moreover, it is about the power and the confidence of the involvement of leading brands. Online merchants, for instance, find that technology from companies such as Google, Amazon instil confidence in shoppers.
Concurrently, new technologies are emerging that will build further confidence. Biometric log-ins, for instance, make use of customers’ unique fingerprints, irises, retinas and voices. Many of these methods have been around for a generation but adoption has been slow for reasons of cost, complexity and human nature. Now, they are really taking off.
The two biggest are fingerprint and voice. Fingerprint is most familiar on mobile phones, both as a means of unlocking the phone and as a form of authentication. Increasingly though, merchant services are using fingerprint technology and combining it with other forms of authentication. In emerging economies, notably in Africa, use of fingerprint technology is soaring. In the last few years voice has also made huge strides in banking, with giants such as HSBC and Barclays implementing it in the UK. It works by analysing a customer’s unique voice print which, according to Barclays, is made up of 100 different characteristics, beyond even the scope of Rory Bremner.
The great joy of biometrics is they make life easier and more secure. The customer becomes the door to the vault. Using your fingerprint or voice is much more convenient than two step authentication, especially if the latter involves a number generating keypad which needs to be carried around with you or a password with capital letters and symbols you might forget. This importance cannot be understated. The reason that contactless payments took off in the UK is that they made small payments far easier for both customer and merchants. They cut queues at tills and made taking the Tube more convenient. Low risk payments have become commonplace. Reaching in a pocket or purse for coins suddenly feels archaic.
If biometrics are highly visible, Artificial Intelligence (AI) is much more back end. Many of us will have had online card purchases declined because AI systems have looked at transaction patterns and flagged them up as anomalous. Certain items such as video game consoles are particularly prone to these “false positives”. Fraud is evidently a problem online, but for now false positives are also a significant problem and inconvenience. According to Javelin Strategy and Research, the battle against online fraud means that for every £1 lost to payment fraud, £13 worth of transactions are falsely declined.
As anyone who has had this happen knows, a declined purchase is a hassle to sort out, often requiring multiple phone calls and occasionally feeling like a chapter out of Catch-22. You often feel a bit like a criminal even though you aren’t. Many consumers give up and are less inclined to use the retailer in question in the future. Thus, online merchants are potentially losing millions of pounds a year and damaging their relationships with customers even as they are trying to do the right thing.
The reason for many of these false-positives is that most anti-fraud systems are “rules-based”. Buy a PlayStation when you’ve never bought one before and you break a “rule” which sets off a warning and results in the purchase being declined.
To combat this, companies like Featurespace are replacing the rules model with adaptive behavioural technology. This is what is known as “Weak AI”. It is not a truly intelligent computer that acts like a human, but it is a system that learns and adapts. With each transaction you make, it gains a better ‘understanding’ of your behaviour. To go back to our PlayStation example, a fraud-spotting AI may notice that you’d never bought a PlayStation before. But it would also know that you had made many purchases that were consistent with having a nine-year-old and that other customers with this pattern of purchases had also bought PlayStations. It might even conclude that the PlayStation was a 10th birthday present.
Finally, we have new ways of proving identity online. In many countries, particularly in Europe, Government e-IDs have been around for over a decade. Indeed, in some Nordic countries the BankID system (which is issued by banks) can also be used to demonstrate identity. Elsewhere, we are seeing the emergence of a softer form of this known as Federated Identity. This is where you have a sign-in for Facebook, Amazon or Google which becomes a quick sign-in for many other digital services. Newspapers were early adopters of this. Tired of abusive comment posters who hid behind anonymous, untrackable usernames, many of them moved to only allow readers to post if they signed in using their Facebook ID. Abusive comments dropped sharply. The big attraction of Federated Identity is that it allows a Single Sign On and prevents “password fatigue” where customers serially forget passwords and have to change them or use the same password for dozens of services.
Together, all of these technologies point to a future with less fraud, easier, better security and happier customers. It’s worth remembering, though, that all security is essentially running to stand still. If artificial intelligence can be used to combat fraud, it might also be used to commit it. Facebook IDs can be stolen and it’s all a game of cat and mouse with online criminals.
Finally, we are likely to see exciting, novel forms of fraud we couldn’t even imagine five years ago. Researchers in Japan warned recently that people making peace signs in selfies could leave themselves open to fingerprint fraud. Smartphone photographs taken up to three metres away, they said, were now of sufficiently good quality that they could be used to recreate fingerprints.
Each innovation, in other words, is part of the moat that keeps the hackers away from our money. The problem with part of a moat is that attackers can run around it. As ever, the best defence is in scale and continued investment in technology to serve the customer and protect their money. Innovation is vital. Implementation is everything.