By Roy Urrico
It may surprise many people that facsimile devices, which received their first patent in 1846 and became ubiquitous in the 1980s, are still alive and kicking in many businesses including financial services, notwithstanding an obvious lack of security.
A surprising number of financial institutions continue to receive large transaction requests via fax, according to New York-based Authoriti, which provides transaction security to financial institutions.
Even the IRS went old tech to help get through the COVID-19 shutdown. With most of its teams working from home — and unable to access mail — the agency requested businesses that typically file paper forms to fax them instead.
A fax sitting on a counter at a workplace, or at a home office during a pandemic, in plain sight, containing PII (personally identifiable information), such as Social Security numbers, does not paint a secure picture. Nevertheless, the most up-to-date FBI Criminal Justice Information Services policy permits using physical fax machines without encrypting the message, but demands encryption for all email and internet communications, as well as cloud-based faxing. As the logic goes, it is much tougher to intercept faxes than unencrypted electronic communications.
In speaking with credit unions and banks about security strategies, Michael Cutlip, the CEO of Authoriti, said the majority of financial institutions still receive faxes, primarily instructing the institution to execute transactions.
Cutlip suggested many credit unions and banks, in order to compete and leery of disenfranchising account holders who “have always done it that way,” opt to continue a comfortable process for those customers. “If they have always sent a fax to request a vendor payment, institutions don’t want to rock the boat.” Typically, a customer will send a fax to the institution, which reviews it, then calls the client to confirm the payment and amount details contained in the fax. Some financial institutions will send their customer a secret PIN that only the authorized signer on the account should know and can repeat.
Cutlip described this process as “The epitome of insecurity.” He said it continually boggles his mind this is still going on in 2020. “Banking customers using an app on their phone are employing better security for a $5 Venmo transaction than that same bank might be using for a $5 million transfer.” Cutlip warned there is a big security gap that happens between authentication and execution.
Authoriti works with financial institutions to integrate a highly secure technology to validate transaction requests on multiple channels including outdated fax methods. Cutlip explained many financial institutions are now trying to streamline customer service, seeking ways to eliminate those callbacks and make the process more efficient — short of mandating or forcing a client to move to an online platform.
Cutlip said, “We have created a way for the user in effect to automate a fax.” The Authoriti app scans a QR-enabled fax form, allowing the user to create a PIN automatically and then place it on the fax form. The financial institution receiving the fax can check in with the API and confirm the legitimacy of the fax and execute it without the need for the callback.
Cutlip explained Authoriti’s patent-pending solution enables banking customers to also create and send an encrypted, one-time, content-rich smart PIN to their credit union or bank for digital transactions, making for a much more secure process. It works through an app on a smartphone, a familiar platform for most customers. Valley National Bank in New Jersey already uses this Authoriti process to authorize its customers’ wire transfers.
In many instances, Cutlip said people already receive one-time PINs to prove their identity and device. “However, all of those centralized PINs are ‘dumb,’ in that they are just a number and they're subject to misuse.” He added, if a criminal gets hold of that PIN, the hacker could repurpose that PIN to approve a transaction of their making.
Authoriti allows the generation of a content-rich smart PIN embedded not only with identities, but with details of the transaction that needs approval and authorization. “If you're wiring funds, for instance, you would put in your identifier, the dollar amount of the wire, the destination account or beneficiary, the ABA routing (or SWIFT) number for the beneficiary institutions,” Cutlip explained. The Authoriti system encrypts and digitally signs those details when generating the PIN, makes it available to the user on their device, then submits or distributes it to the recipient institution, through any channel.
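The difference between a plain one-time PIN and one bound to the transaction details, as an added example that is not Authoriti's code or protocol. It substitutes an HMAC-SHA256 tag under an assumed shared key for the encryption and digital signature the article mentions; all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a per-customer key shared by the customer's app and the institution.
SHARED_KEY = secrets.token_bytes(32)
_used_nonces = set()  # institution-side replay store (in-memory for this example)


def canonical(tx: dict) -> bytes:
    """Serialize the transaction deterministically so both sides MAC the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, nonce: str, tx: dict) -> str:
    msg = nonce.encode() + b"|" + canonical(tx)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def make_bound_pin(key: bytes, tx: dict) -> str:
    """Return 'nonce.tag'; the tag covers the nonce and every transaction field."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_tag(key, nonce, tx)}"


def verify_bound_pin(key: bytes, pin: str, tx: dict) -> bool:
    """Accept only if the tag matches the transaction as received and the nonce is unused."""
    try:
        nonce, tag = pin.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _tag(key, nonce, tx)) or nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)  # one-time: a second presentation is rejected
    return True


def verify_plain_otp(issued: str, presented: str, tx: dict) -> bool:
    """A 'dumb' PIN: the check never looks at tx, so any transaction passes."""
    return hmac.compare_digest(issued, presented)


# Constructed sample data: the request the customer approved, and an altered copy.
approved = {"customer": "C-1001", "amount": "5000000.00",
            "beneficiary": "ACME SUPPLY", "routing": "000000000"}
altered = dict(approved, beneficiary="OTHER PARTY")
```

Because the tag is computed over the transaction fields, a PIN issued for `approved` fails verification when presented with `altered`, while the plain OTP check accepts either.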
The smart PIN also works for contact centers. If a credit union needs to confirm a transaction, for example, the member service representative can create a request and push it to the member who can just look at their device and confirm, “Yeah, that's what I want to do,” Cutlip said. “Our PIN gets automatically sent back to the credit union and the call center rep, (who) can be confident that’s what's being authorized. So, it works both ways.”
Cutlip said, “We're securing the message, not the channel.” He added, whether pushed online, written down on a piece of paper, or sent via smoke signals, Authoriti can unpack the message and confirm it. “It authorizes the transaction you're reviewing. We focus on transactions rather than people.”
Cutlip affirmed the Authoriti smart PIN system easily plugs into any core provider. “It gives (financial institutions) one more competitive opportunity to market around security and data privacy. They are going to need those angles covered to compete going forward.”