
Authentication: Keeping customer payment information safe in a digital age


By Karl Barton, International Channels and Alliances at SecureAuth

The banking and finance industry is undergoing digital transformation. Traditional banks are evolving to offer consumers an increasingly digital and streamlined experience. This transformation is changing the way banks function and deliver consumer experience and service. However, as services and payment methods move from the high street to online, concerns around the protection of personal data and payment details have been mounting.

Banking and financial data have been, and will continue to be, a lucrative bounty for attackers. With every data breach, consumer trust is eroded, and the banking industry needs to evaluate how it is protecting its own data as well as customers’ identity and access. Passwords – despite being well-established and in use for decades – are now considered obsolete in terms of both security and user experience. Forrester reports that “Passwords remain the most common authentication method, and consumers still experience frustration remembering them. Attackers and fraudsters are aware of this and increasingly target reset processes as a means to compromise accounts.” Perhaps, then, it is not too surprising that in a survey conducted by Forrester, 66% of global network security decision makers agreed that customers are demanding stronger online security and privacy protections. How, then, can banks and financial services increase security and protection without locking out or frustrating users?

The birth and death of two-factor authentication

To defend against evolving attacks on financial services, a comprehensive and intelligent approach to identity security and access is needed. Over 80 percent of data breaches are a result of stolen or misused credentials – so banks (both traditional and challenger) need to adapt their security strategy to focus on the identity level at the login phase of employee and customer online portals and conduct continuous assessment for high-risk areas.

Two-factor authentication (2FA) once added another step to the traditional password requirement by requesting that the user provide another factor of authentication to further prove their identity. While this was a step in the right direction, it provided a negative user experience, and today basic 2FA methods can be easily circumvented. For example, knowledge-based questions can be socially engineered with the wealth of personal information publicly available, and one-time passcodes (OTPs) delivered via SMS can be intercepted. SMS messages and voice calls can also be a particularly vulnerable form of 2FA, due to an inherent weakness in Signalling System 7 (SS7), the protocol that allows carrier networks to communicate. SS7 lacks authentication controls, relying instead on trust between the operators’ networks. This ultimately provides attackers with an opportunity to directly access SMS and voice-based OTPs, and is a route exploited in Europe to access victims’ bank accounts. Arguably, the SS7 weakness was one of the driving forces behind NIST’s original proposal to phase out SMS-based OTPs. This pitfall – combined with the less than user-friendly experience – has meant that financial organisations need to re-think their identity security strategy.

Applications in the financial industry

The growing sophistication of techniques for circumventing basic methods means that two-factor authentication is no longer an effective security strategy. But what does that mean in practice for finance and banking services implementing or looking to implement stronger identity security controls in 2019? Firstly, it’s important to be selective about the authentication methods used. Ensure that any OTPs are single use only and avoid all simple authentication methods that use OTPs delivered by SMS, email or voice call. Equally, avoid any simple authentication methods that use push-to-accept without symbol recognition. Symbol-to-accept is a stronger alternative, as it requires a more thoughtful action by the end-user. Instead of simply hitting ‘accept’ or ‘deny’ when prompted, the user is asked to validate their identity by selecting a symbol or letter on their mobile device that matches the one shown on their browser. This helps to tackle the process of habituation and so renders push-to-accept less susceptible to attackers.
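The symbol-to-accept check described above, combined with the single-use requirement, can be expressed as a small server-side challenge store. This is an added example, not code from the article or from SecureAuth; the symbol set, the 60-second lifetime and all names (`SymbolChallengeStore`, `issue`, `verify`) are assumptions.

```python
import hmac
import secrets
import time

SYMBOLS = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # constructed symbol set (assumption)
TTL_SECONDS = 60                      # assumed challenge lifetime
rng = secrets.SystemRandom()          # CSPRNG-backed sampling and shuffling


class SymbolChallengeStore:
    """Issues and verifies single-use symbol-to-accept challenges (in memory)."""

    def __init__(self, clock=time.monotonic):
        self.pending = {}   # challenge_id -> (user_id, correct_symbol, expiry)
        self.clock = clock

    def issue(self, user_id, choices=4):
        correct = secrets.choice(SYMBOLS)
        decoys = rng.sample([s for s in SYMBOLS if s != correct], choices - 1)
        options = decoys + [correct]
        rng.shuffle(options)
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = (user_id, correct, self.clock() + TTL_SECONDS)
        # browser_symbol is rendered on the login page; device_options go to the phone.
        return {"challenge_id": challenge_id, "browser_symbol": correct,
                "device_options": options}

    def verify(self, challenge_id, user_id, selected):
        # pop() consumes the challenge on the first answer, right or wrong,
        # so a guess cannot be retried and an approval cannot be replayed.
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return "unknown_or_used"
        owner, correct, expiry = entry
        if self.clock() > expiry:
            return "expired"
        if owner != user_id:
            return "wrong_user"
        if not hmac.compare_digest(selected.encode(), correct.encode()):
            return "denied"
        return "approved"


if __name__ == "__main__":
    store = SymbolChallengeStore()
    c = store.issue("alice")
    print(c["device_options"], store.verify(c["challenge_id"], "alice", c["browser_symbol"]))
```

A user who taps out of habit without looking at the browser picks the right symbol only one time in `choices`, and a wrong pick burns the challenge.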

To bolster security, ensure that any end-user facing self-service functionality, such as password reset or account unlock, is protected using adaptive access controls that perform advanced risk analysis to verify the user. Adaptive authentication uses techniques such as geographic location analysis, device recognition, IP address-based threat services, and phone fraud prevention, which strengthen security while remaining unburdensome to users.
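As an added illustration (not code from the article or from SecureAuth), the four signals named above can be combined into a risk decision for a password-reset request. The weights, thresholds, speed ceiling, field names and sample data are all assumptions chosen for the example.

```python
import ipaddress
from math import asin, cos, radians, sin, sqrt

# Constructed sample data: a documentation-range network stands in for a threat feed.
FLAGGED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_PLAUSIBLE_KMH = 900  # assumed ceiling, roughly airliner speed
PROFILE = {  # constructed user history
    "known_devices": {"dev-laptop-1"},
    "last_login_geo": (51.5074, -0.1278),  # London
    "last_login_time": 0,                  # seconds
}


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def assess_reset(request, profile=PROFILE):
    """Return (decision, reasons) for a password-reset request."""
    score, reasons = 0, []

    def flag(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)

    if request["device_id"] not in profile["known_devices"]:
        flag(30, "unrecognised device")
    if any(ipaddress.ip_address(request["ip"]) in net for net in FLAGGED_NETWORKS):
        flag(40, "IP on threat list")
    hours = max((request["time"] - profile["last_login_time"]) / 3600, 1 / 60)
    if km_between(profile["last_login_geo"], request["geo"]) / hours > MAX_PLAUSIBLE_KMH:
        flag(40, "implausible travel speed")
    if request["phone_recently_ported"]:  # assumed flag from a carrier lookup
        flag(30, "phone number recently ported")
    if score >= 70:
        return "deny", reasons      # refuse self-service; route to manual review
    if score >= 30:
        return "step_up", reasons   # require a stronger factor before the reset
    return "allow", reasons
```

A returning user on a known device scores zero and is not challenged, which is how the background analysis stays unburdensome; each risk signal on its own triggers a step-up, and two together block the self-service path.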

Enhancing online portal security while providing refined user experience

Adaptive authentication enhances security while maintaining seamless usability, by performing advanced risk analysis in the background to quickly verify a login attempt. SecureAuth worked with a large UK-based financial services enterprise to secure and protect its customer portals. Its business model was largely based on repeat custom, and customer retention through a personalised portal was needed. Working with customer preferences, the organisation adapted its approach to security and authentication to better reflect this, taking individual preferences into account. Repeat users enjoyed a refined experience without repeat access requests, as authentication was only required at the transaction phase. This reduced the number of times that credentials were requested and improved the overall user experience.

With a multitude of technologies that could potentially be used in the digital transformation of banking and finance services, it becomes increasingly critical to maintain strong security and easy usability for employees and customers. By protecting online portals, enterprises can mitigate risks, detect breaches, and protect the most valuable information from attackers. Cyber criminals are constantly evolving their methods and exploiting new attack vectors, especially in the era of digital transformation; the time is now for businesses to take a more modern and adaptive approach to their security.

Global Banking & Finance Review