Are Biometrics Truly The Key to Securing Malaysia’s Banking Sector?
By Frederic Ho, Vice President of APAC, Jumio Corporation
The cyberthreat landscape is never static.
Phishing scams were already a pressing global issue for the banking industry, with Malaysia recording over 25,000 online fraud cases and RM850 million in losses in 2022. The well-publicised OCBC Bank phishing scams in Singapore likewise cost customers a total of S$13.7 million (RM45.6 million). With the emergence of ChatGPT and similar large language models, fraudsters can now draft fluent, grammatically sound phishing messages at scale, so their attacks are about to become even more convincing.
Authorities around the world are also recognising that SMS OTPs are no longer fit for purpose: a one-time code delivered over SMS can be phished in real time and relayed to the genuine site, and the phone number itself can be hijacked through a SIM swap. Robust replacements must be put in place quickly. This is especially evident in Malaysia, where the central bank is introducing additional measures, including migrating away from SMS OTPs to more secure forms of authentication and requiring banks to detect and block fraud attempts immediately.
Malaysia is certainly on the right path toward a more secure banking landscape. But, if banks don’t implement the right technologies, these new regulations may unintentionally create more friction to the overall customer banking experience. Or, if other banks choose to prioritise the experience above all else, they may unintentionally choose technologies that are less secure in the long run.
One can’t help but wonder: what is the next course of action for banks? Is biometric technology mature enough to be the silver bullet that delivers both the airtight security and the seamless customer experience that banks are aiming for?
Biometric technology goes mainstream
Secure, convenient, and seamless. These are just some of the benefits that have made biometric authentication methods increasingly popular in both consumer and enterprise systems. In a world where cyber threats are becoming increasingly sophisticated and prevalent, biometric authentication has emerged as a popular solution to the challenge of identity verification — leveraging unique biological or behavioural traits of an individual to verify their identity.
While biometric verification is secure and convenient, adopting it alone is not a fool-proof solution. Facial recognition without liveness detection, which checks that the face presented to the camera belongs to a live person at the point of capture rather than a printed photo, a replayed video or a mask, is vulnerable to spoofing, and deepfakes make convincing spoofs cheap to produce. Liveness detection addresses presentation attacks at the camera; a deepfake injected directly into the camera feed through a virtual camera or a modified app bypasses the camera altogether and needs separate controls such as device and app integrity checks. A multi-factor verification approach, which combines verification technologies when a high-risk transaction is detected, gives organisations an additional layer of security that protects customers without compromising on convenience.
Setting up for success with multi-factor authentication
As part of their effort to counter the different types and levels of cyberthreats, financial institutions have understandably grown to check more than just ID documents for identity verification. It has become common practice to layer many risk signals such as the user’s name, IP address, phone number and email address.
There is a problem with this, too. Piling on signals from separate solutions leads to a lack of data integration across them, which not only hinders the efficiency of the checks but also increases the risk of non-compliance with Know-Your-Customer (KYC) and anti-money laundering (AML) regulations. Partnering with multiple risk vendors complicates workflow management, as each vendor may have its own framework, so the pieces rarely integrate seamlessly. Relying on multiple solutions also makes the system difficult to scale as the organisation grows, which increases operational resources and costs.
The onus, therefore, is on banks to implement the right technologies. To do so, banks can implement multi-factor and risk-based authentication that orchestrates only the risk signals and technologies that a given login or transaction actually needs. For instance, logging into a bank’s mobile app might start with a device check, and if the user’s phone has been used multiple times to open accounts, a more rigorous check such as face verification is initiated. In addition, financial institutions can consider multimodal biometrics, such as fingerprint and facial authentication together, for high-risk profiles or for transactions above certain thresholds.
This orchestration allows companies to provide a frictionless experience for legitimate customers and to increase scrutiny for higher-risk individuals. It results in easier logins, better fraud deterrence and lower spend on manual investigations, since the lower-cost risk signals run first and screen out many fraudsters before the more expensive identity verification steps such as biometric authentication are invoked.
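The following is an added example, written for this article and not code from Jumio or any bank, of what such an orchestration looks like in practice. It scores the cheap, passively collected signals first (device binding, device velocity, IP geography), escalates to face verification with liveness, to two biometric modalities, or to manual review only when the score or the transaction amount warrants it, and refuses to accept a face match whose liveness check failed. The signal weights, the thresholds and the `LoginContext` fields are hypothetical; a real deployment tunes them against its own fraud data and risk tolerance.

```python
"""Risk-based step-up authentication orchestrator (illustrative, hypothetical thresholds)."""
from dataclasses import dataclass
from enum import Enum


class StepUp(Enum):
    NONE = "allow"                    # cheap signals were clean, no extra step
    FACE_LIVENESS = "face+liveness"   # face match plus liveness check
    MULTIMODAL = "face+fingerprint"   # two biometric modalities
    MANUAL_REVIEW = "manual_review"   # hand off to an analyst


@dataclass
class LoginContext:
    device_id: str
    device_known: bool                # device previously bound to this customer
    accounts_opened_from_device: int  # velocity signal from device history
    ip_country: str
    home_country: str
    transaction_amount: float = 0.0   # 0 for a plain login


# Hypothetical thresholds, not values from the article or any bank.
HIGH_VALUE_TXN = 10_000.0      # RM; at or above this, always require two modalities
DEVICE_VELOCITY_LIMIT = 2      # accounts opened from one device before scrutiny
FACE_STEP_UP_SCORE = 30        # score at which face verification is required
MANUAL_REVIEW_SCORE = 80       # score at which an analyst decides


def score_cheap_signals(ctx: LoginContext) -> tuple[int, list[str]]:
    """Score only the low-cost, passively collected signals.

    Reasons are returned alongside the score so the decision is auditable.
    """
    score, reasons = 0, []
    if not ctx.device_known:
        score += 30
        reasons.append("unrecognised device")
    if ctx.accounts_opened_from_device > DEVICE_VELOCITY_LIMIT:
        score += 40
        reasons.append(f"device used to open {ctx.accounts_opened_from_device} accounts")
    if ctx.ip_country != ctx.home_country:
        score += 25
        reasons.append(f"ip country {ctx.ip_country} differs from home {ctx.home_country}")
    return score, reasons


def decide_step_up(ctx: LoginContext) -> tuple[StepUp, int, list[str]]:
    """Pick the cheapest step that covers the observed risk."""
    score, reasons = score_cheap_signals(ctx)
    # Amount thresholds apply regardless of score: a high-value transaction
    # gets two biometric modalities even from a clean-looking device.
    if ctx.transaction_amount >= HIGH_VALUE_TXN:
        reasons.append(f"transaction {ctx.transaction_amount:.2f} >= {HIGH_VALUE_TXN:.2f}")
        return StepUp.MULTIMODAL, score, reasons
    if score >= MANUAL_REVIEW_SCORE:
        return StepUp.MANUAL_REVIEW, score, reasons
    if score >= FACE_STEP_UP_SCORE:
        return StepUp.FACE_LIVENESS, score, reasons
    return StepUp.NONE, score, reasons


@dataclass
class FaceResult:
    match_score: float     # similarity between selfie and enrolled template, 0..1
    liveness_passed: bool  # outcome of the presentation-attack / liveness check


def verify_face(result: FaceResult, match_threshold: float = 0.90) -> bool:
    """Accept a face only when liveness passed AND the match is strong.

    A replayed video or deepfake can produce a high match score against the
    enrolled template, so the match score alone must never be sufficient.
    """
    return result.liveness_passed and result.match_score >= match_threshold


if __name__ == "__main__":
    # Constructed sample contexts, not real customer data.
    samples = {
        "clean login": LoginContext("dev-1", True, 0, "MY", "MY"),
        "device velocity": LoginContext("dev-2", True, 5, "MY", "MY"),
        "everything wrong": LoginContext("dev-3", False, 5, "RU", "MY"),
        "high-value transfer": LoginContext("dev-1", True, 0, "MY", "MY", 15_000.0),
    }
    for label, ctx in samples.items():
        step, score, reasons = decide_step_up(ctx)
        print(f"{label:20s} score={score:3d} step={step.value:16s} reasons={reasons}")
    print("deepfake with liveness fail accepted?",
          verify_face(FaceResult(match_score=0.97, liveness_passed=False)))
```

The ordering matters: the cheap checks never call out to a biometric vendor, so a clean login costs nothing extra and an obviously abusive device goes straight to an analyst without burning a biometric verification on it. The `verify_face` rule encodes the liveness caveat from the previous section as a hard gate rather than a score contribution.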
To enable this, banks can partner with experienced integrated identity verification providers to unlock access to a comprehensive range of online identity verification solutions and any necessary manual reviews — which are triggered when the verification process requires a final decision from analysts to ensure reliable user verification and remote fraud detection. Furthermore, organisations can also have the power to customise their identity verification and KYC compliance workflows based on the changing landscape and requirements, risk tolerance, as well as regulatory standards in the different markets.
Most importantly, because the risk signals evaluated first are collected passively, most legitimate users never see an extra step, so a smooth onboarding process and frictionless customer experience can still be achieved. That is a crucial aspect, since a seamless digital experience is one of the top priorities for consumers in today’s digital landscape.
It’s time to say goodbye to SMS OTPs
Migrating away from SMS OTPs and enforcing secure authentication methods is a step in the right direction for Malaysia’s shift towards a cashless society. As online infrastructure becomes increasingly open and interconnected, the stakes rise with it: a cyberattack can spread rapidly and affect not just individual businesses but entire economies, causing significant and potentially long-lasting damage.
It is therefore critical for organisations to keep adopting advanced technologies to prevent further fraud in the banking landscape, securing a safer banking experience for everyone.