The awful and the absurd
29 January 2016
Tony Chew of Citibank

“Awful!” That is how Tony Chew, global head of Cyber Security Regulatory Strategy, Citibank, describes the state of banking apps in Asia. They are “so awful and so primitive, and they lack imagination and creativity”.

Users do not have sufficient trust and confidence that their information will be protected on a smart phone. And the security measures that mobile banking currently relies on are “absurd” – “it is absurd that we still continue to rely on password and pins; it is ridiculous that we still rely on SMS OTP”.

A “big change” is needed, he said as he offered the first of three predictions in his presentation at the recent EmTech Asia 2016 conference: “The future of banking is in a smart phone.”

“According to all surveys I have seen, 70 per cent of smart phones users do want better banking services and products in their smart phones.”

His second prediction is that “the future of authentication is biometrics in your smart phone.”

Biometrics is the science and technology of identifying individuals based on physiological and behavioural characteristics. In a biometrics system, individuals are “enrolled” and an algorithm used to extract these characteristics. A template is then created based on the mathematical representation of these traits.

Chew is convinced that biometrics is one of the strongest candidates for providing user authentication on a smart phone. The biometric template cannot be reverse-engineered and cannot be hacked, he said.

His third prediction is that “the future of biometrics is really in face and voice recognition”.

Face is a very convenient method of verification, he said. In creating a biometric template of the face, there are some 80 points that can be matched up based on shape, distance, length and other measurable traits.

He went on to describe how a mobile banking app should work to create confidence and trust. The first thing to do when activating the app is to make sure that the user has a registered device. This involves embedding a secure code that can be identified and verified. And when a user looks at the screen, facial recognition will present very fast, simple and secure two-factor authentication that allows users to do all their online transactions on the mobile.

As for voice, Chew described it as “the most versatile biometrics system you can have”. Users can navigate an entire system using voice to provide verification because every person’s voice is unique. And with speech recognition, the system can be used to verify dynamic phrases or passwords. “No other system provides such flexibility,” said Chew.

But it is not happening - not face, not voice, not even fingerprint recognition using the TouchID function of the iPhone, he lamented. In Asia, there are maybe two or three banking apps that make use of TouchID for simple transactions, but there is no single banking app that is making use of biometrics in such a way that it creates the confidence and trust needed to use the smart phone for the whole banking system, he said.

In the second part of his presentation, Chew focused on the wider topic of cybersecurity: “Are we really capable of protecting our systems, our data and our customer networks?”

“We know that hackers will always have a permanent perpetual advantage. We do not know and cannot possibly know all the vulnerabilities in our systems.”

The strategy for defence-in-depth will therefore have to be to “protect, detect and respond” because it will not be possible to block every attack. “Even for our most critical systems, access is still a password, and most incidents occur through a compromised password. How absurd can that be?”

His second concern was that “we build our systems to be so resilient, so fail-proof, that we no longer know how to shut them down when there is a destructive malware in the system”.

“Everything in the production system is replicated in the backup system,” he said. Regulatory requirements stipulate an active-active architecture, so malware is immediately replicated in the backup system and recovery will not result in a clean system. “How do we manage that issue? We have to be able to go back to a system that is clean. Is it 24 hours? 12 days? One month? How far back do we go? That is the predicament that we have now.”

“What we really need to do is to change our mindset. We need biometrics to generate the confidence and trust that we need for us to be more innovative and better in servicing our customers. And we need better ways of protecting our systems.”