Today’s financial fraudsters are more sophisticated, more agile, and more online than ever.
With payments increasingly moving to electronic channels — along with the gateways supporting their transfer and settlement — the need for robust authentication measures has never been more critical.
“Authentication is an ever-evolving process,” Jim Colassano, senior vice president and business product manager for the RTP® Network at The Clearing House, told PYMNTS for the series “What’s Next in Payments: Authentication: What’s New and What’s Next?”
“Compromises and data breaches are occurring more frequently than we would ever want them to,” Colassano said. “And once someone gets access to your password, it opens and unlocks a whole different set of opportunities for them, especially if you use that same password on different sites.”
Individuals typically use the same passwords for multiple sites, including their banking sites, he noted.
That’s why approaches like multifactor authentication are becoming the standard for securing payment transactions. MFA traditionally relies on something the user knows (passwords) and something the user has (tokens, or codes sent via text messages or emails).
This approach enhances security, particularly across critical areas where passwords alone are no longer sufficient to protect sensitive information.
“It’s not just multifactor authentication,” Colassano said. “There are other ways of validating customers, such as tracking of IP addresses … You need to get more sophisticated because the vectors of attack are getting more sophisticated.”
Advanced authentication methods, such as IP tracking, biometrics (facial and fingerprint recognition), and voice prints aim to create multiple layers of security, making it harder for cybercriminals to exploit vulnerabilities.
Colassano highlighted that people often use weak passwords, and the reuse of passwords across multiple sites poses a risk when the password for a site that doesn’t require heavy security, like a news subscription, is re-used across a security-critical site like a digital banking account.
“Brokerage accounts, medical and financial information, those are the sites where you want to make sure that only the individual who owns that data can get access to that data because there are serious implications to both the individual as well as the organization if you allow someone else to get access to that information,” he said.
The reliance on passwords stems from familiarity and ease of use, and Colassano pointed out that organizations are increasingly investing in tools and education to enhance the cyber hygiene of their customers and end-users.
Password generators, password managers and education on recognizing scams contribute to a more secure environment. Introducing friction in the form of educational pop-ups during transactions can also serve as a momentary pause for users to verify the legitimacy of the transaction and confirm the counterparty is the intended recipient.
“All of these mechanisms are layered, and different organizations will take different approaches to how they authenticate individuals based on the risk of the system you’re [using],” Colassano said.
“Something as light-touch as [a confirmation page] can prevent so much fraud because once you make consumers aware of it, you do that one or two times, the light goes off, they’ll remember the next time they go to make a transaction,” he added.
As technology and online behavior advance, traditional passwords are increasingly proving no longer to be sufficient to protect sensitive information.
Looking ahead, Colassano said he envisions a shift toward a passwordless future, primarily driven by advancements in biometrics. Facial recognition, fingerprint identification and voice prints are expected to replace or augment traditional passwords.
“It is a constant battle, and on the bright side, there are going to be technological advances and different mechanisms that can be used to better defend identities against the next wave of attacks,” Colassano said.
“Authentication is multifaceted, it is complex,” he added. “And the challenge for a lot of financial institutions is how do they make authentication feel frictionless to their customers so they don’t balk and walk away from it. This is something that the banks take very seriously, something that the networks take very seriously. And the protection of every account holder across the network is their highest priority.”