The rise of both digital and mobile banking solutions has created many opportunities for financial institutions over the last few years, enabling them to provide new services and interact with customers in new ways. However, it has also made it significantly harder to defend against fraud.
With customers logging in to their banking applications from different devices, anywhere, at any time, providing a means of authentication that is secure, meets compliance requirements and is also user-friendly has become a major issue.
This was the challenge facing Raiffeisen Italy, the umbrella organisation for 40 entities of Raiffeisen Bank in the Italian province of South Tyrol. The organisation was contending with a legacy authentication system that, although secure, was proving to be burdensome and difficult to use. Ahead of the approaching PSD2 deadline, Raiffeisen needed to modernise its authentication methods to protect customers while providing an easier user experience.
So, the bank turned to OneSpan – which secures sensitive information and transactions for the world’s leading banks – to help solve these issues and drive its digital transformation strategy. Sam Bakken, senior manager market & security strategy, Security Competence Center at OneSpan explains how this was accomplished.
Letting go of legacy tech
The mobile adoption trend – “we are seeing a much faster increase in the adoption of mobile banking compared to internet banking,” explained Raiffeisen’s Information System CIO Alexander Kiesswetter – presented a clear need for Raiffeisen to update its mobile offering and provide a solution that was both secure and easy to use. The main issue with the bank’s previous authentication system was that it was very secure, but not user friendly. The bank had found itself in the familiar tug-of-war between security and usability, with security ultimately prevailing at the expense of customer experience.
Simply put, customers no longer wanted to have to use their bank card and the separate hardware tokens that were required in Raiffeisen’s legacy system for every single transaction. Instead, they wanted to be able to authenticate through their mobile device.
But providing an easier authentication experience for customers wasn’t the bank’s only challenge. It also had to comply with PSD2 Strong Customer Authentication requirements, which include Dynamic Linking, Replication Protection, and Run-time Application Protection.
Dynamic Linking refers to authentication processes that cryptographically bind a remote payment transaction to a specific amount and payee, so that the code approved by the customer is only valid for that exact transaction. Replication Protection, by contrast, requires banks to mitigate the risk of an attacker copying a mobile app (and the credentials it holds) from one device to another. Run-time Application Protection requires the app to be protected while it is running on a mobile device against common threats such as reverse engineering, overlay attacks and code injection.
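To make the Dynamic Linking requirement concrete, here is an added example (not OneSpan's or Raiffeisen's code, and not a description of how Cronto works internally) of a transaction authentication code that is bound to the amount, the payee and a per-transaction challenge; the device key, challenge and IBAN values are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed device key for this example. In a real deployment it would be
# provisioned into the authenticator app at activation and never leave the device.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")  # constructed per-transaction nonce issued by the bank

def canonical_transaction(amount_cents: int, payee: str, challenge: bytes) -> bytes:
    """Fixed-layout encoding of the fields the code must be bound to.
    Length-prefixing the payee ensures two different (amount, payee) pairs
    can never encode to the same byte string."""
    payee_bytes = payee.encode("utf-8")
    return struct.pack(">QH", amount_cents, len(payee_bytes)) + payee_bytes + challenge

def derive_tac(key: bytes, amount_cents: int, payee: str, challenge: bytes, digits: int = 8) -> str:
    """Transaction authentication code: HMAC-SHA256 over amount, payee and the
    bank's challenge, truncated HOTP-style (RFC 4226 dynamic truncation) to a
    short numeric code the customer can see and confirm."""
    mac = hmac.new(key, canonical_transaction(amount_cents, payee, challenge), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def verify_tac(key: bytes, amount_cents: int, payee: str, challenge: bytes, presented: str) -> bool:
    """Bank side: recompute the code over the transaction it actually received
    and compare in constant time."""
    expected = derive_tac(key, amount_cents, payee, challenge)
    return hmac.compare_digest(expected, presented)

def demo() -> tuple:
    # The customer sees and approves this transfer in the authenticator app (constructed values).
    shown_amount, shown_payee = 12_500, "IT60X0542811101000000123456"
    code = derive_tac(DEVICE_KEY, shown_amount, shown_payee, CHALLENGE)

    # Case 1: the order the bank received matches what the customer approved.
    ok_legit = verify_tac(DEVICE_KEY, shown_amount, shown_payee, CHALLENGE, code)

    # Case 2: the payee in the submitted order differs from the one the customer
    # approved (e.g. altered in the browser session). Same code, different transaction.
    ok_tampered = verify_tac(DEVICE_KEY, shown_amount, "IT00X0000000000000000000000", CHALLENGE, code)

    # Case 3: the same code replayed against a new challenge for an identical order.
    ok_replay = verify_tac(DEVICE_KEY, shown_amount, shown_payee, bytes(8), code)
    return ok_legit, ok_tampered, ok_replay
```

Only the first case verifies; the bank rejects both the altered payee and the replayed code, which is the property Dynamic Linking asks for.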
To solve these issues, Raiffeisen used OneSpan technology to build and white-label a standalone mobile app that authenticates and secures users through the app itself. By using biometric authentication such as Face ID and Touch ID, the app removes the need for separate hardware tokens and gives customers an easier authentication experience.
On the bank end, transaction signing was added to secure customers’ online transactions against fraud, along with mobile app shielding to secure the mobile authenticator app. This met the Replication Protection and Run-time Application Protection obligations by protecting the app against several types of runtime threats, creating a secure execution environment for it and allowing it to run even on untrustworthy mobile devices.
The OneSpan solution also enabled the bank to comply with the other key aspect of PSD2 – Dynamic Linking. This was resolved through the implementation of Cronto technology, which uses a graphical cryptogram made of coloured dots to encrypt transaction details and secure financial transactions with minimal impact on the user experience.
Reaping the rewards
So, how has the OneSpan solution benefitted Raiffeisen Italy? Well, since rolling out the solution, the organisation has received positive feedback from customers and experienced high adoption of the new authentication app. “The feedback that reached me is that customers are very satisfied by the new functionality and when we launched the new authentication app there was much demand and high activation,” said Alexander Kiesswetter.
“Customers perceive Raiffeisen once again as an innovative bank,” he added. “For the first time, we have a solution that enables us to move services completely to the smartphone without using other hardware tools for the authentication.
“Until this product, we were convinced that the smartphone is by definition an insecure device. When we saw the way that OneSpan enforces the security on the smartphone, and also the continuous updates to the software of the smartphone, we were convinced that finally, here was a product that we can offer to our customers and that guarantees us a high level of security.”
Raiffeisen Italy is also prepared for PSD2 well ahead of the September 2019 deadline and is now leading the way in the market, being the first bank in Italy to protect its app with mobile app shielding.
Ultimately, the bank has finally found a way to effectively combine security and usability, a balance that it had traditionally struggled to achieve. As customers continue to move to mobile apps for their banking needs, Raiffeisen can innovate safe in the knowledge that it can get the best of both worlds.
It is possible to improve security while still providing a positive user experience and, as Raiffeisen continues to digitally transform, its customers will be the ones who reap the rewards.