Entersekt has announced a partnership with Cellulant, an African financial technology company. The partnership will further enhance Cellulant’s cybersecurity by proactively securing its digital banking channels and guarding against digital banking and payment fraud.
Entersekt is working with the Cellulant team to integrate its mobile software development kit with Cellulant’s product stack, making Entersekt’s authentication and app security solutions available to Cellulant’s clients. Two large Kenyan banking groups are already working on their deployment.
“We are delighted to be partnering with Cellulant. The company works with some of the finest brands on the continent. This collaboration will mean their partner banks’ end-customers can enjoy increased safety and security while transacting.
“We are very happy to support Cellulant’s cybersecurity efforts to drive consumer confidence in digital banking and boost the adoption of digital payments on the continent,” said Schalk Nolte, CEO of Entersekt.
“Our clients trust us to not only be constantly innovating around digital banking and payments but also to guarantee safety and security. Being able to provide the powerful security and authentication services of Entersekt will significantly add to our platform offering.
“Through this partnership, we can deliver some of the most sophisticated services available anywhere in the world. We look forward to continuing our work with Entersekt as we help our clients take advantage of the many efficiencies afforded by digital banking,” said Cellulant CTO George Murage.
The story of digital authentication started in an MIT lab in 1961, when a group of computer scientists got together and devised the concept of passwords. Little did they know the anguish it would cause over the next 50 years. Today, most people possess more than 90 username-and-password combinations and would rather click “Reset password” than try to remember them all.
Unfortunately, passwords are not only inconvenient, but dangerous as well – it’s a problem the world has been grappling with for the last 20 years, at least. Somewhere in the background, though, the authentication wheel has been turning and recently, at the Apple Worldwide Developer Conference (WWDC), two promising announcements were made.
But first, let’s backtrack a bit…
Everybody loves pizza
Authentication has evolved in several interesting ways. Two-factor authentication, for example, was developed in response to account takeover fraud – and it had its place. But when people started doubling up on the knowledge factor, we started seeing instances of knowledge-based authentication where, if you forgot your password, you could enter your mother’s maiden name, the title of your favorite book or your favorite food. Attackers could still succeed by guessing because, as it turns out, most people like pizza!
What if those scientists had started out differently and looked more closely at how other valuables were being protected?
House and car keys, for example, still represent strong possession factors that grant access to high-value assets. They’ve been used for ages with great success and, as a result, make the concept of possession as a primary factor easy for users to understand: “keep your keys safe, it grants you access.” There was never a need to add an extra layer of authentication.
Fast-forward to the digital era, and car keys have evolved to enable keyless entry. Houses, too, are commonly accessed with a remote. In both cases, unique challenge-response mechanisms are used for every transaction, making them impossible to intercept or copy.
Which brings me back to the first of two Apple announcements mentioned earlier.
Where physical meets digital
After much experimenting with identification and endpoints, the iPhone can now act as a car key. Though Apple devices are protected by biometrics and PINs, isn’t it ironic that after all this time, the iPhone – in all its sophisticated glory – has become like a physical key in a sense?
Had that MIT team been able to use an uncopiable “digital key,” perhaps today’s digital world would not be littered with billions of passwords, and attackers would have had to physically approach their victims to steal their keys. That would have cost money and exposed them to capture, making attacks much more costly and risky when compared to attacks that are carried out by sending out thousands of phishing emails at a time.
Of course, there have been several attempts to come up with alternatives. Many dedicated hardware devices have been used over the years with varying degrees of success, but no-one has ever hit the nail on the head.
Some companies allocated a number but did not generate it themselves. Instead, they used a number found or calculated on the device (like the phone’s IMEI or browser fingerprinting), breaking the challenge-response paradigm and nullifying the isolation principle. Others issued physical hardware (like keys) that created cost and distribution challenges, not to mention them being yet another thing for users to carry around.
A vision of endpoint perfection
Companies entering this space need to recognize the value of secure endpoints and find a solution that will:
- Ensure that each endpoint instance is allocated a unique, once-off value
- Ensure that each challenge-response mechanism is unique every time
- Limit the “key” to a single use and have a unique “key” for each mobile app
- Have the ability to issue new keys for each new use case and make the linking easy
- Have the ability to issue keys to devices that users already have in their possession
This can result in stable endpoints. Though certain requirements may force a business to include passwords here and there, the endpoint always needs to be the anchor.
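An added example (not Entersekt's or FIDO's code) of the challenge-response properties listed above, set beside the static-identifier approach the text criticises. It uses a symmetric HMAC key from Python's standard library as a stand-in for the key pair a hardware-backed authenticator would hold; the class, function, device and app names are hypothetical and the identifier value is constructed.

```python
import hashlib
import hmac
import secrets


class Server:
    """Relying party: issues per-app keys and single-use challenges."""

    def __init__(self):
        self._keys = {}     # (device_id, app_id) -> secret key
        self._pending = {}  # challenge -> (device_id, app_id)

    def enroll(self, device_id, app_id):
        # The key is generated randomly by the issuer, never derived from
        # a value already on the device (IMEI, browser fingerprint).
        key = secrets.token_bytes(32)
        self._keys[(device_id, app_id)] = key
        return key

    def new_challenge(self, device_id, app_id):
        challenge = secrets.token_bytes(16)  # fresh for every transaction
        self._pending[challenge] = (device_id, app_id)
        return challenge

    def verify(self, device_id, app_id, challenge, response):
        # pop() consumes the challenge, so a captured pair cannot be replayed.
        owner = self._pending.pop(challenge, None)
        key = self._keys.get((device_id, app_id))
        if key is None or owner != (device_id, app_id):
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(key, challenge):
    """Endpoint side: prove possession of the key for this challenge only."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def static_id_login(known_ids, presented_id):
    """Weak scheme: a fixed device identifier used as the credential."""
    return presented_id in known_ids


def demo():
    server = Server()
    bank_key = server.enroll("phone-1", "bank-app")
    shop_key = server.enroll("phone-1", "shop-app")
    out = {}

    c1 = server.new_challenge("phone-1", "bank-app")
    r1 = respond(bank_key, c1)
    out["legitimate"] = server.verify("phone-1", "bank-app", c1, r1)
    # An eavesdropper resubmits the exact pair it observed.
    out["replayed_pair"] = server.verify("phone-1", "bank-app", c1, r1)
    # The old response is useless against a fresh challenge.
    c2 = server.new_challenge("phone-1", "bank-app")
    out["old_response"] = server.verify("phone-1", "bank-app", c2, r1)
    # A key issued to another app on the same phone does not transfer.
    c3 = server.new_challenge("phone-1", "bank-app")
    out["other_app_key"] = server.verify(
        "phone-1", "bank-app", c3, respond(shop_key, c3))
    # A static identifier, once observed, is accepted every time.
    known = {"constructed-imei-000000000000000"}
    out["static_id_replay"] = static_id_login(
        known, "constructed-imei-000000000000000")
    return out


if __name__ == "__main__":
    print(demo())
```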
When looking at companies that applied the security principles mentioned above, many arrived at similar solutions. The FIDO Alliance, for example, launched eight years ago to tackle the world’s over-reliance on passwords. They chose to focus mainly on protecting website logins. However, there are ways that businesses can obtain certifications and become FIDO compliant.
Android announced that FIDO would be built into their devices. Microsoft then followed suit, adding it to their authentication setup in Windows (Windows Hello). Only one dominant player remained – Apple – and they were silent. Then, suddenly, with iOS 13.3, Safari started supporting external FIDO tokens. So, when Apple joined the FIDO Alliance in February this year, many were already anticipating a WWDC unveiling – yes, the second announcement.
Now, the endpoint puzzle is finally complete and later this year, all major desktop (Windows and macOS) and mobile (iOS and Android) operating systems will feature built-in FIDO authenticators operating as secure endpoints.
Trusted endpoints: Where we need to be
The vision of trusted endpoints is becoming a reality and finally, context-specific identities can be provisioned into most consumer devices. Consumers can now trust in a physical device, not in some digital thing that can easily be lost or forgotten.
To succeed, attackers will need to gain access to the physical device, which is not easily done.
Of course, there are many challenges we still need to tackle. However, they pale in comparison to the potential that now exists to create exciting new customer journeys using a universal platform authenticator.
Entersekt announced the appointment of Nicolas Huss to its board of directors.
In the twenty years he has been active in financial services and payments, Huss has built a strong reputation for organizational acuity combined with strategic vision, reorienting organizations and steering them to success.
He served most recently as chief executive officer of Ingenico Group, a global leader in seamless payments. He is credited with reinvigorating the Paris-headquartered business in the two years he led it, as well as concluding the merger with Worldline in October 2020, which has formed the fourth-largest payment services provider in the world – and Europe’s biggest.
Prior to Ingenico, Huss headed Visa Europe, during which time it was bought by Visa Inc., to whose executive committee he was subsequently appointed.
“The board and I are delighted to have Nicolas join us,” said Schalk Nolte, chief executive officer of Entersekt. “His record of building successful, future-fit businesses puts us in great stead to learn as a leadership team and grow as a company. I have no doubt that his contribution at board level will help drive our expansion internationally.”
Huss added: “This is an exciting time in the financial services space. COVID-19 is changing how consumers bank and shop, and there’s real potential for vendors offering a proven alternative to business as usual.
“Entersekt’s focus on state-of-the-art security matched with excellent digital user experiences fits the bill. I’m excited to join its stellar board to help build value for shareholders and customers alike.”
In addition to Entersekt, Huss sits on the board of Amadeus IT Group, a major Spanish software provider to the travel industry. He also chairs its audit committee.
Where there’s money, there’s also an opportunity for fraudulent actors to leverage security flaws and weak entry-points to access sensitive, personal consumer information.
This has caused a sizeable percentage of consumers to avoid adopting mobile banking completely and has become an issue for financial institutions who must figure out how to provide a full range of financial services through the mobile channel in a safe and secure way. However, with indisputable demand for a mobile-first experience, the pressure to adapt has become unavoidable.
In order to offer that seamless, omnichannel experience consumers crave, financial institutions have to understand the malicious actors and fraudulent tactics they are up against. Here are a few that have to be on the mobile banking channel’s radar.
1. Increased device usage sparks surge in mobile malware
Banking malware has become a very common mobile threat, even more so now as fraudsters leverage fear and uncertainty surrounding the global pandemic. According to a recent report by Malwarebytes, mobile banking malware has surged over recent months, focused on stealing personal information and using weakened remote connections and mobile devices in a work-from-home environment to gain access to more valuable corporate networks.
The financial burden of a data breach resulting from mobile malware could potentially set organizations back millions of dollars, as well as do some serious damage to customer trust and loyalty.
2. Sacrificing software quality and security by effecting premature product rollouts
Securing mobile is a laborious task that requires mobile app developers to factor in several entities, including device manufacturers, mobile operating system developers, app developers, mobile carriers, and service providers. No two platforms or devices can be secured in the same way, meaning developers are constantly having to overcome a unique set of challenges in order to reduce the risk of fraudulent activity.
The reality of such a complex ecosystem is that mobile app developers are not always qualified to understand all the risks at play, which leads to unsecured mobile data, connections, and transactions. Additionally, the speed at which the market moves thanks to emerging technologies and innovations creates an added layer of pressure for developers. Lacking the resources and time to properly protect consumers can lead to high-profile attacks where sensitive data is exploited.
3. Vulnerabilities in digital security protocols
At any given time, every entity in the ecosystem described above must have high confidence in the legitimacy of the entity on the other side of the transaction. A lack of digital security protocols like secure sockets layer (SSL) and transport layer security (TLS) in mobile banking apps makes it difficult to establish the encrypted links between entities that ultimately help prevent phishing and man-in-the-middle attacks.
If we continue growing our ecosystem at the current rate, adding to its complexity and connecting more and more third-party services and networks, we can no longer avoid fixing the broken system we have for SSL certificate validation.
4. Unreliable mobile device identification
Another issue at play is device identification. The only way other entities in the ecosystem can recognize a unique device is through device fingerprinting. This is a process through which certain unique attributes of a device – operating system, type and version of web browser, the device’s IP address, etc. – are combined for identification. This information can then be pulled from a database for future fraud prevention purposes and a range of other use-cases.
Data privacy concerns and limited data sharing on devices, however, have weakened the process and reliability of identification. If we do not have enough discrete data points to establish a reliable digital fingerprint, the whole system becomes ineffective.
5. Time to update authentication techniques
Fraudsters are always on the lookout for ways to intercept confidential login information that grants them access to protected accounts. Two-factor authentication (2FA) has become banks’ preferred security method for reliably authenticating users trying to access the mobile channel and staying ahead of cybercriminals.
More often than not, 2FA relies on one-time passwords (OTPs) delivered by SMS to the account holder upon attempted login. Unfortunately, with phishing – especially via SMS – on the rise, hackers can gain access to a mobile device and the OTPs delivered to it via SMS, then use them to access accounts and authenticate fraudulent transactions.
There are also a number of other tactics – e.g., SIM-swapping – attackers use to gain access to sensitive information and accounts.
6. Lack of industry regulation and standards
Without the establishment of rigorous standards and guidance on online banking security and protecting the end-user, low consumer trust will inhibit mass market acceptance. The Federal Financial Institutions Examination Council (FFIEC) has yet to issue ample guidance on the topic of authentication and identification on mobile devices. Mobile security standards need to be a top priority for regulators, especially as new technologies and mobile malware continue to disrupt the market.
The underlying theme for banks to keep in mind is that trust is a currency they cannot afford to lose in such a competitive financial services market. In the race to provide seamless, omnichannel banking experiences, integrating better security protocols without compromising usability can feel like a constant balancing act. Researching the latest tools and technology as well as building trusted partner relationships with third-party service providers is the only way banks can differentiate themselves in a dynamic security landscape.
With the number of data records breached in 2019 surpassing four billion, fraud prevention and regulatory compliance are, inevitably, top priorities for financial institutions (FIs).
A recent report from Javelin, for example, found that FIs are significantly more focused on investing in digital fraud mitigation than companies in other industries. According to the report, 52% of consumer banks plan on implementing additional security solutions to keep customers’ accounts secure, and 46% want to invest in better identity verification measures.
But with attention – and budget – devoted almost exclusively to security and compliance, it’s easy for areas like innovation, customer engagement, and user experience to fall by the wayside. In the report cited above, only 28% of banks indicated an interest in adding support for new channels.
The situation is more complex than simply devoting a larger share of the budget and focus to fraud prevention and security: as companies find new ways to engage with their customers through new features and touchpoints, criminals find new vulnerabilities to exploit.
It’s no surprise, therefore, that more than a third of companies in the study report that “fraud is a significant impediment to digital innovation efforts, forcing them to slow the expansion of their features and functionality as they seek ways to mitigate the new risks these innovations attract”.
Fraud prevention on the spot
Research and experience have shown that fraud mitigation and cutting-edge security strategies can go hand-in-hand with – and even drive – innovation, customer engagement and a great user experience.
Consumers have indicated that they want more information about their transactions and more control over authenticating them. Today, digital channels enable financial institutions to give their customers the insights and control they demand, while making it easy to check all the necessary security and compliance boxes. With the right approach in place, there need be no trade-off between fraud mitigation and customer engagement.
Imagine, for example, a state-of-the-art in-app messaging solution that combines instant communication with banking-grade security and on-the-go self-service functionality. A customer can be alerted when a suspicious activity occurs on their account, with the option of responding immediately by approving or rejecting the transaction before it’s processed. This eliminates frustration and other effects caused by false declines, while putting the customer in control of fraud prevention.
Turn insights into relevant engagements
Many FIs are starting to realize that there’s a missed opportunity when it comes to making the most of insights they already have on their customers. Even though the use of consumer data is a matter of increasing global concern – as regulations like Europe’s GDPR and California’s Consumer Privacy Act illustrate – much can be gained from using insights for good. And in the case of banking, what’s good for the customer is also good for the bank.
Customers demand relevant, personal experiences from their banks. If they don’t get it, they’re not afraid to look elsewhere – a recent report conducted by Capgemini indicated that 63% of consumers are currently using a financial product from a big tech company. But banks that are willing to invest in personalization and tailor advice, loyalty offers, and relevant products to customers based on their profile, will reap rewards. BCG reports that one bank that reinvented its personalization strategy saw a 20% increase in revenues over three years.
Use engagements to build trust
Apart from gaining revenue, banks can also use relevant, meaningful engagements with their customers to build trust and foster lasting relationships. In the U.S. today, the most-used functionalities of mobile apps have been checking account balances, managing card controls, and depositing checks.
With peer-to-peer payments becoming an increasingly popular and familiar function in banks’ mobile apps, banks have introduced another touchpoint through which they can engage with their customers, increase loyalty and provide an alternative source of revenue.
While introducing faster payments services ticks a big box when it comes to addressing customers’ needs, fraud and security remain crucial considerations – and potential roadblocks to adoption. Traditionally, banks have used the lapse in payment completion as time to examine transactions and respond to suspicious activity.
Now, the pressure for speed has impacted the time available to ensure accuracy. But by implementing a truly customer-focused omnichannel authentication strategy, FIs can offer customers a one-touch in-app authentication experience that engages them in real time, all while eliminating fraud and providing a great user experience. The bank can rest assured that it has digitally signed proof of consent of the transaction, while the customer feels secure, in control, and on the way to transacting more.
Opportunities moving forward
It is more important than ever for banks to remain competitive and innovative, but it should not come at the cost of customers’ security and increased fraud rates. Preventing fraud and delivering the best in digital security comes down to identifying the customer and engaging with them securely, when and where it matters. Keeping them engaged and building loyalty is a matter of trust, built by offering consistent, relevant experiences regardless of when and where a customer chooses to interact with their bank.
Entersekt described the latest implementations of its authentication technology in Europe’s DACH region.
The fintech firm announced that Netcetera, a payments technology specialist and long-standing regional partner, has implemented the system for Bank-Verlag, which builds and operates secure digital services on behalf of Germany’s banks, among other things. Two major Austrian card issuers are also deploying the technology.
Entersekt’s authentication solution allows consumers to approve their e-commerce payments with one touch of their banks’ mobile apps. It combines PSD2-compliant authentication and state-of-the-art app security with a checkout experience users love.
It is proven to reduce shopping cart abandonment, increase the number and average value of transactions, and positively impact customer loyalty, while reducing card-not-present fraud significantly.
Highly flexible, the 3-D Secure solution can be rolled out fast. Netcetera’s implementations were completed in time to beat the original PSD2 deadline of 14 September 2019. “Experience counts when tight deadlines and project complexity raise the stakes,” said Uwe Härtel, Central Europe country manager at Entersekt.
“We are extremely proud of our track record with Netcetera, and we look forward to collaborating on many more implementations, enabling financial services providers to meet consumer demand and their own compliance objectives quickly and painlessly.”
Entersekt and Netcetera each have over a decade’s experience securing card payments through 3-D Secure. “We are proud of our solutions, which always rank among the first products to be certified as conforming to the latest specifications,” said Peter Frick, managing director payment security at Netcetera.
“Together with Entersekt, we deliver a PSD2-compliant, highly secure online payment process that is decidedly user friendly.”
Christoph Thöt, Bank-Verlag’s department manager cards and payment solutions, added: “We were on the lookout for a reliable, technically cutting-edge 3-D Secure provider.
“Our choice of Netcetera and Entersekt meant we could add to our offerings a highly effective card-not-present authentication solution. We have already successfully brought the first card portfolios onto the joint app-based, biometrics-protected solution.”