Strong Customer Authentication in payment processes

In the context of strong authentication, we have two basic EU documents: final Regulation 2018/389 (COMMISSION DELEGATED REGULATION (EU) 2018/389 of 27.11.2017) Regulatory Technical Standards (RTS) (preceded by a draft report in the field of strong customer authentication (SCA) in the area of Payment Services Directive 2 (PSD2) (EBA / RTS / 2017/02)) and opinions of the European Banking Authority (EBA): EBA-Op-2018-04 and EBA-Op-2019-06.

European Commission Regulation 2018/389 strong authentication was a hot topic in 2019, in the context of PSD2 launching September 14 (which this requirement enforced along with this date).

We should remember that strong authentication should be used because its lack relieves the client from liability.

Pursuant to the Act on Payment Services (Article 46 (4a)): If the payer's provider does not require strong user authentication, the payer shall not be liable for unauthorized payment transactions, unless acted intentionally. If the recipient or recipient's provider does not accept strong user authentication, they are liable for damages suffered by the payer's supplier

RTS forces the use of at least two of the three elements of customer identification (knowledge - what I know, possession - what I have, inherence - who I am) during the payment process.

Each of the areas raises doubts and controversies. Due to the futuristic connotations, the biometric area determining who the payer is is, moves the minds of the interested parties and arouses curiosity.

The regulation received an EBA interpretation clarifying the list of acceptable forms of biometric identification, which included elements of behavioral biometry (which could have been a slight surprise). For this reason, we wanted to devote this article to this issue.

We are talking about the EBA opinion of June 21, 2019 (EBA-Op-2019-06) "Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2").

Point 10 resembles the SCA definition of PSD2 and RTS and I will repeat it too: “SCA is defined as an ‘authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data’.”

The authors rated behavioral biometry as SCA compliant in terms of key impact dynamics and phone position.

I will quote the table in point 22 of the opinion listing the "elements" allowed by the EBA to use biometrics in the context of SCA:

Table 1 — Non-exhaustive list of possible inherence elements

Element	Compliant with SCA?*
Fingerprint scanning	Yes
Voice recognition	Yes
Vein recognition	Yes
Hand and face geometry	Yes
Retina and iris scanning	Yes
Keystroke dynamics	Yes
Heart rate or other body movement pattern identifying that the PSU is the PSU (e.g. for wearable devices)	Yes
The angle at which the device is held	Yes
Information transmitted using a communication protocol, such as EMV® 3-D Secure	No (for approaches currently observed in the market)
Memorised swiping path	No

* Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.
"Keystore dynamic" and "the angle at which the device is held" classified as behavioral biometrics appear here.

I agree that the fingerprint, retina, iris of the eye or face is unique, but the assessment of the uniqueness of a person based on the characteristics of the speed of the choice of keys or pauses when writing meets my doubt. Can 7.5 billion people be uniquely distinguished by the way they press keys? How can it disturb these characteristics of the current physical and mental state of man? Of course, 7.5 billion people do not have to write in a unique way, as a 4-digit PIN covers 10 thousand. possibilities and certainly a given PIN occurs many times in the population. It should be unique in combination with the unique user ID.

Biometry

I do not have specific research on the effectiveness of algorithms that determine the identification of a given user on the basis of previously collected behavioral data. The method is not yet popular in terms of production, so we have to wait for real results. I rely on my intuition in this regard.

Let's return to the EBA opinion, because it will shape the market.

Reading point 18 I understand why the EBA included behavioral biometry in the set of acceptable methods. After all, this is one of the elements that can characterize a person.

The EBA is of the view that inherence, which includes biological and behavioural biometrics, relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these.

Regardless of this assumption, the practical question still remains open: are the available tools for measuring these characteristics able to determine a person's uniqueness?

Despite its attractiveness, biometrics is still a young, unrecognized area and we do not know exactly how effective and resistant to frauds. There are many articles on the web about impersonation using biometrics. In the case of behavioral biometrics, I have not heard of such situations (it is difficult to record a behavioral trace to be used in the application later). Perhaps because the basic feature of behavioral analysis is that the analysis lasts throughout the logged-on user's session. This enables a more complete scope of verification and detection of situations deviating from the pattern and gives a longer time for an appropriate response (and it varies depending on the results of the analysis). Additionally, it is possible to harness various systems and verification methods. It is possible to combine many solutions into a synergistic customer authorization ecosystem. This approach can ideally coincide with the EBA approach. The bold approach of the EBA (which is somehow forced by the definition of human traits) including behavioral biometrics as accepted methods is combined with the emphasis on the need to implement other elements of verification. Although it indicates the above methods as acceptable for SCA, it still writes about high security standards (point 17 of the opinion).

Point 17 (EBA-Op-2019-06): „Article 8 of the RTS on SCA and CSC refers to the ‘authentication elements categorised as inherence and read by access devices and software’ and recital 6 refers to the need to have ‘adequate security features’ in place that could, for example, be ‘algorithm specifications, biometric sensor and template protection features’.”

Based on the original entry from the Regulation (2018/389) - point 6:

In order to ensure the application of strong customer authentication, it is also necessary to require adequate security features for the elements of strong customer authentication categorised as knowledge (something only the user knows), such as length or complexity, for the the elements categorised as possession (something only the user possesses), such as algorithm specifications, key length and information entropy, and for the devices and software that read elements categorized as inherence (something the user is) such as algorithm specifications, biometric sensor and template protection features, in particular to mitigate the risk that those elements are uncovered, disclosed to and used by unauthorised parties.

I interpret this as a guide to combine many solutions in the area of security, and when using a second factor in the form of behavioral biometry, the use of effective algorithms and solutions becomes a key.

Internal processes, which is the second suport line

High security standards that ensure a low level of fraud risk require, in the case of behavioral biometrics (and not only) the introduction of strong support at the level of internal processes, both operational and implemented in IT systems.

What should be remembered, however, is that Regulation 2018/389 imposes monitoring obligations on payment service providers, including algorithms themselves, transaction security and biometric patterns, as well as numerous organizational solutions.

This is a big opportunity for the second "support line". Appropriate Back Office systems that can relieve the front office teams (simplify the payment process in the channel), which will affect the comfort of use while maintaining a high level of security.

Background activities should be invisible to the user (or potential criminal), i.e. they should not delay the payment process.

Effective automation of monitoring and actions used for payment transactions is required.

Anti-fraud systems have met such high performance and security requirements for years.

Our experience in the field of anti-fraud service shows how intensive and effective can be the operation of such systems in space and time from the customer's passage through the SCA process and authorization of the transaction order to the physical transfer of funds to the indicated recipient.

I emphasize that the key element is to strengthen and expand the monitoring performed by anti-fraud systems. I assume that in organizations with high anti-fraud culture, such monitoring is already enriched with behavioral biometrics factor and this element is actively used to track possible deviations.

Let's take a closer look at the issue.

Each transaction entering the anti-fraud service space, in addition to the basic transaction data is enriched with a set of additional data / factors analyzed based on:

customer profile, similar profiles as well as opposite profiles (as a complement to the collection),
historical transaction data:
- of the same type (in the context of a given customer or without him, in the context of similar customer profiles or opposing profiles),
- of the opposite types (in the context or without as above),
- from a given period (also using the customer context or not),
profiles / characteristics of the recipient:
- in the context of current and historical transactions,
- in the context of changing customer characteristics (e.g. the same data, but transfers to different banks, etc.),
features / characteristics of the order environment (under what conditions the order was performed, what machine, what machine parameters, from what place, through which device):
- in isolation from other clients or in comparison with other clients (e.g. orders from different clients come from the same device),
order patterns (e.g. are transactions for such amounts ordered from such an account?),
authorization data (including data collected from behavioral analysis) and authentication,

Generally, we start from monitoring and analyzing the following contexts (or their modifications, correlated with these contexts):

analysis of typical transaction behaviors of the client and similar clients (historical data) and in the counterweight analysis of typical behaviors of completely different clients,
monitoring characteristics of the recipient,
analysis of transaction characteristics,
analysis of the technical environment,
analysis and research of the environment (e.g. analysis of external databases of proprietary sanction lists, etc.)

In summary, we collect all current and historical data, build typical profiles and focus on analyzing situations that are not typical.

The process should be carried out inline so that the commissioner does not suspect increased monitoring work.

It should be remembered that running such analyzes requires a process of collecting data for several months and building appropriate models.

Uniqueness as a minus, UX as a plus

Returning to the behavioral biometrics itself, it fits in with users' expectations related to making the payment convenient. An important plus from the point of view of the UX process is that the analysis of the uniqueness of features is carried out as if it is in the background. User does not need to perform any additional actions.

The second important feature of behavioral biometrics identification is that it takes place all the time during the user's interaction with the system. So it may turn out that the system only after some time, and not immediately after logging in, finds that the level of compliance is too low and will block user access to the system. This increases security. Actually, the user does not have to worry about logging out, even if he leaves the computer without logging out and someone else sits next to it, after a while it will be logged out. The system will recognize a level of incompatibility that is too high. This is a huge change compared to classic verification, which is only performed when logging into the system.

It should be remembered that the mechanisms of verification of behavioral biometry collect only behavioral trace and not information that the customer enters. Comments on the internet show that this is a key issue for users. They don't want the system to know what they are typing. The implementers of this method emphasize that in the consent they collect, the user explicitly agrees to download trace features and not the substantive content of what he or she types in.

Certainly the awareness that the system I work with all the time checks my identity gives me a greater sense of security, especially since I do not have to do any additional actions, remember passwords and be careful when entering them. It is also impossible to steal or transfer this knowledge.

However, I'm afraid that my unusual traffic will log me out or block access. For this reason, such a system should not be based only on the verification of behavioral factors, but should verify other elements that allow additional statement that we are dealing with the right user. These other elements are typical elements analyzed by anti-fraud systems, such as my environment, my device, regularities regarding my transactions or operations that I perform in the system.

So I think that authorization should be implemented using behavioral biometry, putting the burden of maintaining a high level of security on the anti-fraud systems side.

This solution is a win-win situation. Customer receives a convenient solution and the Bank maintains a high level of security.

On the other hand, thanks to the collection of information in the background, knowledge about behavioral characteristics of the user can be a good input for the anti-fraud area, regardless of whether biometrics as such will be used as the second component of authentication.

This is a special element of customer verification, which can be used cross-sectional in various, seemingly disjoint areas.

To sum up, regardless of whether the Bank will officially use behavioral biometry as an element of SCA, it should implement mechanisms and systems for reading and analyzing this factor.

If he uses it (after months of analysis) for SCA, that's fine. If it uses anti-fraud protection to raise the level of security, then it's also good.

Summary

From the perspective of a well-organized compliance or security department, implementing behavioral biometrics seems a desirable element.

An efficient risk team, regardless of the direct analysis of behavioral data and the unambiguous identification of the client on their basis, will be able to use them for their analyzes and respond to potential inconsistencies.

Departments responsible for channel services should not ignore the value of security systems, but actively use them and take into account their analysis and results in business processes. Unfortunately, this practice is rare. In my experience, security departments are seen as those that block more than support business. It seems to me like a mistake. Due to the fact that it was accepted that these departments were focused mainly on minimizing risk at the expense of business, antagonism arose. It is now a good time to change these relationships and launch joint projects.

The way is not easy, but the strength of good business processes, safe and convenient, is based on the strength of internal systems, algorithms and solutions used there. Business and security cooperation will create synergies that give you the chance to succeed.

Sources (chronological order):