Shayype’s new ‘ingredient’ could be just the thing to strengthen security for banking and cards

There’s a pressing need for better security in the banking industry. In fact, the urgency for the entire ‘fintech’ sector to raise its game over customer authentication has never been greater, while at the same time striving to reduce both costs and ‘friction’ and increase efficiency.

The implementation of Strong Customer Authentication (SCA) mandated under the EU’s Second Banking Directive (PSD2) is only one of them. It’s well known that many financial institutions missed the EU’s September 14 th , 2019 by a country mile. Why this happened is not clear, but it could be something to do with banks and others having a difficult time deciding on the best two-factor solution to use.

Meanwhile the two-factor industry itself may be suffering something of a crisis (which you can read more about elsewhere on this site). In January 2018 online tech journal, The Register ran a headline asking ‘Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication’ [1].

Why is this?

Clearly one drawback of 2FA is that there’s a perception that it adds to complexity and increases friction.

A second reason is that customers are perhaps becoming ever more wary about giving away yet more personal information about themselves, even if it is in the name of security. It remains something of a paradox that almost all current authentication technologies require users to give up yet more personal information, such as mobile numbers, fingerprints etc. (On hearing this, Homer Simpson might utter a mighty ‘Doh!’)

Thirdly are the main 2FA ‘tools’ available to fintech companies up to the job? A shadow of doubt was cast on the efficacy of sending one-time codes to users’ phones by SMS or text in 2016, when America’s National Institute of Standards and Technology (NIST) issued guidance that, at least where US official bodies were concerned, SMS-based 2FA had been ‘deprecated’. NIST has since softened its line a tad, but 2FA via SMS is currently regarded as at best a short-term solution by many - because account-takeover, sim-fraud and simple phone theft (allowing criminals to divert security codes to themselves) is now so prevalent. Mobile service providers send out ‘replacement’ sim cards, often without proper checks, and appear to be putting customer service before security.

Meanwhile biometrics brings with it a raft of problems, ranging from civil liberties and consent issues to an apparent ‘arms race’ with hackers, who are adopting a raft of new tools - including face altering software, fingertip imitation hardware and others - to fool such systems.

At the same time for many banks, fixed password discipline is still a problem. Which? Magazine in the UK recently discovered mobile bank Starling allowed its researchers to register something as simple as ‘password1’ to secure an account.

Many others still use ‘incremental’ passwords (where users are asked for certain characters such as the third, fourth and seventh in a string) which remain vulnerable to repeated keylogging, man-in-the-middle or phishing attacks.

Could adding new ingredient in the mix help?

Shayype is a new ingredient, designed to allow users to prove who they are, without giving anything away.

Read that statement again, it’s so significant. It’s also worth ditching everything you know about authentication and starting from scratch.

Shayype doesn’t kill off or ditch the much-maligned password: it re-invents it. Instead of a fixed code, users are armed with something easier to use and recall than a password (especially a ‘strong’ password) but which crucially is never exposed.

How does it work? Customers simply apply a mentally held graphical pattern or shape to a small grid containing only the digits 1-5, enabling them to read off the correct numbers in the right order. Since the numbers switch round every time, the user neatly ‘receives’ a fresh hacker-resistant one-time passcode (OTP). The user’s secret pattern is set up simply and securely at the outset.

OTPs can now be securely delivered direct to users’ screens, without the need for additional hardware. Put another way, users have something as simple and portable as passwords, with all the strength of 2FA, without having to carry anything else with them.

Is it up to us to predict where this new ingredient may lead the drive for greater security and cost reduction in the fintech sector? We think not, preferring that others far more skilled than ourselves consider the implications.

As we say users can now prove who they are, without having to give up extra personal information. It’s theoretically possible to have a Shayype ‘secret’ associated with a totally anonymous username (if required). Furthermore, any system incorporating Shayype will not suffer from device theft, signal, or battery problems.

Where can Shayype be introduced? Securing customer service websites would be a good starting point for banks wanting to get to know this ground-breaking new technology.

Another could be helping to establish trust between customers and call centres. At present many pundits advise customers upon receiving a cold call from their ‘bank’ to wait several minutes (allowing the line to fully disconnect in case fraudsters are hoping to fool a victim into thinking he’s actually calling his bank) and then call back on a different number. This procedure interrupts the efficient flow of operations at any call centre, greatly increasing costs and time taken.

Shayype could get around this problem, by printing hardcopy numbered grids at the foot of customer correspondence. The call centre operator could then read a code, which will appears in the customer’s chosen secret pattern or shape on a specified grid, proving the call is genuine.

Once they’ve got more used to Shayype, banks could dispense with much of their authentication hardware (key-fobs, card sleeve readers etc), leaving customers with something far more portable yet more secure to use.

Shayype could even offer the equivalent of ‘chip & PIN’ for online card use, where transactions would not be able to proceed without the customer inputting an OTP. This would defeat almost all card-cloning crime and would have huge security-boosting implications for territories where cards with accompanying PINs (gained via scams like the ‘Lebanese loop’) are still a valuable commodity in the underworld. (The point here being that as the customer effectively inputs an OTP at an ATM, this will be of no use to a thief, even if he/she has seen the numbers the victim types in.)

Shayype could also make life easier and more secure for the house-bound or disabled. In addition to more secure online ordering using cards, carers could be given ‘one-time’ PINs at banks or in stores, or a user in a wheelchair could safely pass his/her card to a shop assistant and read out (perhaps from a Shayype phone app) a one-time code in place of a fixed PIN.

Sight-disabled users could have an app which reads out the numbers on a grid, conveying an OTP to a blind user, without risking anyone listening or looking on, having a clue what their secret pattern is.

[1] tion/