Great expectations: fixing digital trust is a simple matter of standardising authentication
Banking fraud expert Rob Woods explores the fundamentals of digital trust and asks why we’re not already better at stopping scams in the UK.
A recent experience of swapping broadband providers left me thinking about digital trust. Specifically, how far we still have to go to achieve anything resembling a secure ecosystem for UK businesses, one that designs fraud out. It wasn’t the quality of their customer service that so irked me, rather it was the authentication process they used to validate my phone call. On the face of it, they did the right thing; following initial (PII-based) security questions, their representative asked me to read out an OTP code sent to my mobile phone. Where’s the issue with that? When I signed up and they were desperate for my business, I’d only completed a simple webform, including a field for a mobile phone number. As an honest citizen, I gave them my genuine mobile number, of course, registered to me. But what if I were a fraudster? The reality is, their security process did nothing but confirm that I currently control the mobile number I had given them myself at sign-up. It did nothing to prove I am who I say I am.
This serves to highlight an important point. Industry is not currently doing enough to build better infrastructure so that digital trust is designed into the warp and weft of financial transactions. In contrast to what some will have you believe, we simply cannot expect to educate consumers out of this fix. Digital trust cannot be something consumers have to learn about or do. What is painfully obvious from years of experience in the banking sector is that people don’t really understand scams and data breaches. They might say they do, or that they’re more aware now than 12 months ago, but really, they don’t. This is why so many scams are still successful. Added to which, scams are constantly changing, adapting to the latest trends. How can anyone be reasonably expected to be on top of it 24/7? That is why opinion polls are interesting, but not terribly helpful.
Two-way trust is broken
The result is that two-way trust between company and customer is currently broken. The issue is that there’s no standardised, consistent way of telling whether a call from a card provider (e.g. AMEX) is genuine or not. For one thing, there’s simply not enough information designed into the process at the point of call for the customer to make a reasoned decision. The call operator can ask you a set of security questions, but you have no idea if it’s them or not, and equally, they don’t really know if it’s you. Both of these parts of the trust equation have to be solved in order to move forward with any sense of confidence towards a digital trust ecosystem that serves its purpose. That said, some examples of good practice already exist. Monzo’s app changes colour when the call is genuinely from them. Other providers validate their communications in-app too. But for now, these are the exception, not the rule.
Digital trust must be simple. It has to be innate and in-built. Take the UK Contactless payments system for example. When you see that symbol, you immediately know what to do. You are armed with a set of learned expectations. If something happens outside of that frame of reference, your suspicions are immediately raised. What is more, the symbol is ubiquitous at tills and payment points everywhere. It is itself a symbol of trust. Why can’t digital identity work in the same way?
Trust by design
Technologically, this is already possible. All that is lacking is an established digital identity framework in the UK to govern it. Imagine the scenario: you call a service provider (let’s pick on broadband again) to set up a new direct debit. In order to prove you are who you say you are, they send a cryptographic digital identity challenge to your (pre-verified) mobile phone number confirming what they need. You confirm on your handset that it’s ok to respond. The digital ID wallet within your phone responds to the challenge with the relevant information and the call handler confirms approval. Then you simply continue the call with both parties having secure knowledge they are dealing with the right person. It’s beautifully simple. Trust is designed into the process. The consumer knows what to expect. And you haven’t shared any superfluous or irrelevant information, just what they needed. Any time you get a call pretending to be from the broadband supplier that doesn’t ask you to confirm a cryptographic challenge, you know something is wrong.
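A sketch of the two-way challenge-response this scenario describes, added here as an illustration; it is not code from the article or from any provider’s system. It assumes the provider’s signing key and the customer’s wallet key were exchanged at an earlier, verified enrolment, uses Go’s standard Ed25519 signatures, and the customer attributes in the test are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Challenge: a fresh nonce plus the minimal claims this call needs; the provider signs it.
type Challenge struct {
	Nonce  []byte   `json:"nonce"`
	Claims []string `json:"claims"`
}
// Response: echoes the nonce and releases only the requested claims; the wallet signs it.
type Response struct {
	Nonce  []byte            `json:"nonce"`
	Claims map[string]string `json:"claims"`
}

// Provider side: sign the challenge so the handset can tell who is really asking.
func NewChallenge(k ed25519.PrivateKey, claims []string) (Challenge, []byte, []byte) {
	c := Challenge{Nonce: make([]byte, 16), Claims: claims}
	rand.Read(c.Nonce)
	b, _ := json.Marshal(c)
	return c, b, ed25519.Sign(k, b)
}
// Wallet side: a challenge not signed by the enrolled provider key is the cue that something is wrong.
func WalletRespond(wallet ed25519.PrivateKey, providerPub ed25519.PublicKey, chBytes, chSig []byte, attrs map[string]string) ([]byte, []byte, error) {
	var c Challenge
	if !ed25519.Verify(providerPub, chBytes, chSig) || json.Unmarshal(chBytes, &c) != nil {
		return nil, nil, errors.New("challenge not signed by the expected provider")
	}
	r := Response{Nonce: c.Nonce, Claims: map[string]string{}}
	for _, name := range c.Claims { // attributes that were not requested never leave the phone
		if v, ok := attrs[name]; ok {
			r.Claims[name] = v
		}
	}
	b, _ := json.Marshal(r)
	return b, ed25519.Sign(wallet, b), nil
}
// Call-handler side: the wallet's signature identifies the enrolled customer; the echoed nonce ties the answer to this call, so an earlier response cannot be replayed.
func HandlerVerify(walletPub ed25519.PublicKey, c Challenge, rBytes, rSig []byte) (map[string]string, error) {
	var r Response
	if !ed25519.Verify(walletPub, rBytes, rSig) || json.Unmarshal(rBytes, &r) != nil || string(r.Nonce) != string(c.Nonce) {
		return nil, errors.New("response rejected: not from the enrolled wallet or nonce mismatch")
	}
	return r.Claims, nil
}
```

Contrast this with the OTP in the opening anecdote: the OTP only shows control of a self-asserted phone number, whereas here the wallet key was bound to a verified identity at enrolment and the provider must prove itself first.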
And herein lies the problem. Fraudsters prey, nay rely, on the fact there is no standardised system for ID verification in the UK. In fact, just stop and think for a second how many different forms there are. Sometimes it’s a phone call, sometimes a text message, other times an email, or a QR code. Confusion and non-standardisation are the perfect smokescreen for fraudsters to launch attacks. It’s no wonder the UK has a fraud problem.
A common approach
So how do we achieve standardisation? Greater collaboration between all sectors through which scams pass as they’re nurtured towards the payout would be a strong start. Social media providers in particular must be brought into the fold, given that it was recently estimated that up to 70% of APP scams originate on an online platform. A set of common standards of identification and interoperability between financial services institutions, telcos, big tech platforms and social media platforms would certainly help plug the vulnerabilities that allow so much fraud into the system.
As for a common identity framework, there have been numerous false dawns in the UK, whilst other countries, notably the Nordics and Singapore, have proved there are ways to do it, with the right political will and favourable wind. Of course, what they have in their favour, and we lack, is an underlying government-sanctioned digital identity framework. Whilst that doesn’t appear to be on the cards here anytime soon, the UK’s best chance at success might be a bank-led system. After all, they already know who I am and all about me, understand how to create and maintain payment structures, and they know how to work together. All that’s left now is to pool their collective wills and resources, get together and solve it!
Rob Woods is director of market planning in fraud & identity (EMEA) for LexisNexis Risk Solutions, a global data and analytics company.
To learn more about the trends that will define digital trust in a new era of authentication, click here to download the free report, ‘The Future of Trust: Authentaverse’, from LexisNexis Risk Solutions and The Future Laboratory.