Companies are in a bit of a bind today. The promise of omnichannel customer engagement – a great customer experience through a wide choice of communications media – means that organizations are opening doors for customers to encourage them to come in. Log into a browser, send an email, pick up the telephone, use a mobile app, engage in social media, send a text…and customers expect companies to be there for them. They also expect the process to be fast and relatively effortless.
On the flip side, there are more fraudsters than ever who would love to be able to waltz into your organization and steal valuable customer information. Open the doors too wide for your customers, and you’re also inviting identity thieves in. One of the biggest challenges of customer support today is finding a way to make it easy for customers, but difficult for criminals. It’s a pretty tall order, and technology changes so quickly that most companies need to run to keep up.
A simple password won’t do anymore. Customers commonly use easy-to-guess passwords (like “password”). If they’re forced to make a complex password that uses upper- and lower-case letters, numbers and symbols, chances are high they’ll forget it and need to reset. In this case, there needs to be another way to ensure that customers are who they say they are. The last thing you want to do is keep legitimate customers from accessing their accounts.
“The principle here is that a password alone won’t get you through the door,” he wrote. “Instead, you first need to further prove your identity with a second challenge, just like if you want to withdraw money from an ATM, you need both your card and your PIN on hand.”
While there are many ways to put two-factor authentication in place, many organizations are turning to SMS. The idea is that if a customer forgets a password (or the security system believes a second factor is warranted because the customer is logging in from a new computer), they are sent an access code via text message to their phone. Dalton noted that many security experts – including those at the US National Institute of Standards and Technology (NIST) – don’t think SMS is enough. Phones can fall into the wrong hands, and SIM cards can be swapped out easily to direct security messages to a fraudster’s phone.
“At Aspect, we agree with NIST that SMS alone isn’t good enough for effective two-factor authentication,” wrote Dalton. “But there are steps the banking sector can take to add stronger security to the technology in order to boost security and increase customer confidence. If SMS is still being used, it needs to be supported by a range of additional checks that can verify that it is secure. These include advanced fraud detections that can tell if a message is being diverted, or location data that knows if a person is where they say they are.”
The hard part, of course, is putting these safeguards in place in a way that doesn’t further inconvenience legitimate customers.
“Of course customers demand the highest possible levels of security – but only if it doesn’t interfere with the transaction in any way,” wrote Dalton.
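The additional checks described above (SIM swaps, diverted messages, location) can be sketched as a gate that runs before any SMS code is sent. This is an added example, not code from the article or from Aspect; the signal names, the thresholds and the "escalate" outcome are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Optional, Tuple

# Assumed thresholds for illustration; the article gives no values.
SIM_CHANGE_QUARANTINE_HOURS = 72
MAX_PLAUSIBLE_KM = 500

@dataclass
class LoginContext:
    known_device: bool                       # customer has logged in from here before
    password_reset: bool                     # customer forgot the password
    hours_since_sim_change: Optional[float]  # None: no recent SIM change reported
    diversion_flag: bool                     # hypothetical fraud signal: SMS may be diverted
    login_geo: Tuple[float, float]           # (lat, lon) of the login attempt
    phone_geo: Optional[Tuple[float, float]] # (lat, lon) of the phone, if available

def km_between(a, b):
    """Great-circle distance in km (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def choose_challenge(ctx):
    """Return (action, reasons): 'allow', 'sms_otp' or 'escalate'."""
    # Keep friction low: a known device without a reset needs no second factor.
    if ctx.known_device and not ctx.password_reset:
        return "allow", []
    reasons = []
    # A freshly swapped SIM may deliver the code to a fraudster's phone.
    if (ctx.hours_since_sim_change is not None
            and ctx.hours_since_sim_change < SIM_CHANGE_QUARANTINE_HOURS):
        reasons.append("recent_sim_change")
    if ctx.diversion_flag:
        reasons.append("message_diversion")
    # The phone should plausibly be where the person logging in claims to be.
    if (ctx.phone_geo is not None
            and km_between(ctx.login_geo, ctx.phone_geo) > MAX_PLAUSIBLE_KM):
        reasons.append("location_mismatch")
    # SMS is only trusted when none of the supporting checks object.
    return ("escalate" if reasons else "sms_otp"), reasons
```

A legitimate customer on a new computer still gets the familiar text message; only the cases where the SMS channel itself looks compromised are routed to a stronger check.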