With a third of the global population on lockdown and scores of bank branches closed, many are convinced that branch banking is dead, and the future is branchless. Is this really true?
Branchless alternatives like Revolut, N26, Monzo, and NuBank let customers achieve the same and often better results in a fraction of the time and cost of traditional banks. Although it may look like branches have outlived their usefulness, in reality, the branch vs. branchless debate is more complicated.
In parts one and two of our four-part series about the future of banking, we explore how and why the first branchless banks emerged in the late 90s and what industry professionals had to say about it at the time. What the branchless concept aimed to fix and how it evolved into the digital branchless banks of today.
Over these 25 years, branches survived and thrived because they generated more revenue for banks in ways other than processing consumer transactions. Branches serve as advertisements, cultivate consumer loyalty, and create cross-selling opportunities.
However numerous financial professionals point that branches still exist because the older generation needs them. The younger, digitally literate generation can make the same operations online faster and more conveniently.
The consensus was that once the generations shift, branches won’t be needed. But these statements were based on the unwavering certainty that the future is branchless. In the third part of our series about the branch vs. branchless debate by SDK.finance, a core banking software provider, we will take a look at the biggest dangers to branchless.
The authentication security challenge
Out of all the functions of bank branches, one simple but crucial process is often overlooked. Whenever a customer wants something done at a bank branch, they first have to verify their identity. This relatively straightforward procedure is many times more complicated and difficult to do online.
Consumer authentication plays a vital role in the branch vs. branchless debate. If we can’t be sure that the person on the other end of the connection is who they claim to be, then the whole system is at risk. Hackers can disguise themselves as law respecting citizens, money launderers can move money around anonymously, and cybercriminals can remain elusive indefinitely.
What about two-factor authorization, biometrics, and other authentication systems? Don’t they already confirm a customer’s identity remotely and securely, you may ask?
The short answer is that they do until they don’t.
Every new security development is met with numerous attempts to exploit it. Just like Newton’s third law, for every action, there is an equal and opposite reaction. Throughout history, humanity has been locked in this perpetual arms race, which isn’t likely to end anytime soon.
The fact of the matter is that no matter how good and secure new technology is, after five, ten, or a dozen years, there will be a way to exploit it. Despite that, there’s more to it than just security, as the next example will demonstrate.
Enter two-factor authentication
In the early 2000s, two-factor authorization (2FA) was performed using a security token, usually in the form of a key fob that would generate a unique code every 60 seconds. RSA SecurID hardware was a popular solution, and the company commanded over 70% of the two-factor authentication market in 2003, including banks and companies like Lockheed Martin.
RSA SecurID hardware
In 2011, RSA’s systems were compromised as they fell victim to a sophisticated cyber-attack. As a result, they had to replace 40 million active devices for 30 thousand clients. A year later, a research team cracked RSA’s device in under 13 minutes, demonstrating further exploitable vulnerabilities.
However, even before RSA’s systems were compromised, their cost prohibited them from going mass market. Banks simply could not afford to give every customer an RSA device when they cost $50 per key fob for two years. Instead, only clients with sizable accounts that generated significant revenue for the bank would have access to them. For all its security merits, a physical key fob could not be used for mass authentication without incurring substantial costs.
SMS: the almost perfect solution
The 2000s saw rapid growth in the number of mobile devices used to receive one time passwords (OTP) over SMS. The method had several advantages over the token system, which resulted in its widespread adoption.
First and foremost, cost. Banks no longer had to issue expensive key fobs to clients. Instead, customers bought their mobile devices on their own. The only major investment for banks was the technology that would allow them to send OTPs. Each SMS costs a negligible amount at scale, and customers have a convenient way of authenticating their operations. The system was a brilliant upgrade. For some time.
The problem with SMS OTP authentication is that it has numerous exploitable flaws. Hackers have been able to bypass SMS OTP in many different ways for years. From mobile number transfer and operator interceptions to lost password bypasses and social engineering attacks, multiple exploits make the technology unsafe. In 2018 alone, there were 680 thousand known instances of mobile SIM takeovers used to steal funds.
The EU’s PSD2 directive that aims to protect consumers better and increase fraud prevention prohibits the use of SMS OTP because it does not provide Strong Customer Authentication (SCA) in online payments. The once brilliant solution is no longer considered safe on its own.
Digital activity is as unique as a fingerprint, but is it enough?
Besides SMS, banks and financial institutions have used a customer’s location and online activity to create a unique digital fingerprint that would be used to access their information. However, cybercriminals were able to hack these systems to access the digital fingerprint databases and sell access to them online.
With access to that information, attackers can completely impersonate someone’s online identity using more than 100 recorded data points, such as a user’s IP address, geolocation, operating system version, and how an individual interacts with their device.
Biometrics are not private
What about biometrics? Fingerprint, facial, iris, retina, and voice scanners are just some of the sensors used for security and authentication on modern mobile devices, but that does not make them safe to use.
Besides unprotected online databases that could be breached to obtain biometric data, Japanese researchers successfully extracted fingerprints from photos of individuals using mid-level consumer cameras that were then replicated using 3D resin printers.
While rudimentary face recognition has been defeated using simple photos of an individual, the more advanced systems were bypassed using a 3D-printed head that was formed using several pictures taken from different angles. Eye and retina scans were defeated in less than a month by printing a picture of an iris and adding a contact lens to match the eye’s curvature.
Voice authentication was circumvented by synthesizing voice from audio recordings and running them through artificial intelligence (AI) and machine learning (ML) algorithms. The use of modern technology resulted in new, highly sophisticated threats to digital security that are difficult, if not impossible, to counteract for good.
The biggest problem with biometric data is that it is static – it can’t be changed. If your password is compromised, you can reset it and make a new one quickly. If your fingerprint or retina scan gets stolen, how do you get them back? Once it has been leaked, it creates a permanent security problem.
For branchless and traditional banks alike, the merits of biometric authentication are clear. It’s quick to use, impossible for customers to forget, and can act as an additional layer of authentication. But the security flaws and vulnerabilities are as if not more apparent. With access to consumer biometrics, attackers can not only steal funds but commit fraud and money laundering at an unmatched scale without risking getting caught.
Even if all of these systems could be invulnerable to man-in-the-middle attacks, there would still be a problem with physical security. Every system described above is based on trust. A belief that a customer is the one holding a token key fob, a mobile phone, a laptop, etc. If a criminal takes the device away or forces a customer to unlock their device using biometrics under the threat of force, trust is broken, and these systems can be exploited in other ways.
Stay tuned for the final article in our four-part series about the evolution of branchless titled “The Future of Banking: Branchless or Not?” where we will explore how do banks choose what security solution to use? Changes to technology and infrastructure on this scale are very costly and complicated. What if the new expensive solution gets exploited in just a few years? The second life of the existing network of bank branches.