By Karl Barton, International Channels and Alliances at SecureAuth
The banking and finance industry is undergoing digital transformation. Traditional banks are evolving to offer consumers an increasingly digital and streamlined experience. This transformation is changing the way banks function and deliver consumer experience and service. However, as services and payment methods move from the high street to online, concerns around the protection of personal data and payment details have been mounting.
Banking and financial data have been, and will continue to be, a lucrative bounty for attackers. For every data breach, consumer trust is being eroded, and the banking industry needs to evaluate how it is protecting its own data as well as customers’ identity and access. Passwords – despite being well-established and active for decades – are now considered obsolete in terms of security and positive user experience. Forrester reports that “Passwords remain the most common authentication method, and consumers still experience frustration remembering them. Attackers and fraudsters are aware of this and increasingly target reset processes as a means to compromise accounts.” Perhaps then, it is not too surprising that in a survey conducted by Forrester, 66% of global network security decision makers agreed that customers are demanding stronger online security and privacy protections. How then can banks and financial services increase security and protection without locking out or frustrating users?
The birth and death of two-factor authentication
To defend against evolving attacks on financial services, a comprehensive and intelligent approach to identity security and access is needed. Over 80 percent of data breaches are a result of stolen or misused credentials – so banks (both traditional and challenger) need to adapt their security strategy to focus on the identity level at the login phase of employee and customer online portals and conduct continuous assessment for high-risk areas.
Two-factor authentication (2FA) once added another step to the traditional password requirement, by requesting the user to provide another factor of authentication to further prove their identity. While this was a step in the right direction, it provided a negative user experience, and today basic 2FA methods can be easily circumvented. For example, knowledge-based questions can be socially engineered with the wealth of personal information publicly available, and one-time passcodes (OTPs) delivered via SMS can be intercepted. SMS messages and voice calls can also be a particularly vulnerable form of 2FA, due to an inherent weakness in Signalling System 7 (SS7), the protocol that allows carrier networks to communicate. SS7 lacks authentication controls, relying instead on trust between the operators’ networks. This ultimately provides attackers with an opportunity to directly access SMS and voice-based OTPs, and is a route exploited in Europe to access victims’ bank accounts. Arguably, the SS7 weakness was one of the driving forces behind NIST’s original proposal to phase out SMS-based OTPs. This pitfall – combined with the less than user-friendly experience – has meant that financial organisations need to re-think their identity security strategy.
Applications in the financial industry
The growing sophistication of circumventing basic techniques means that two-factor authentication is no longer an effective security strategy on its own. But what does that mean in practice for finance and banking services implementing or looking to implement stronger identity security controls in 2019? Firstly, it’s important to be selective about the authentication methods used. Ensure that any OTPs are single use only and avoid all simple authentication methods that use OTPs delivered by SMS, emails or voice calls. Equally, avoid any simple authentication methods that use push-to-accept without symbol recognition. Symbol-to-accept is a stronger alternative, as it requires a more thoughtful action by the end-user. Instead of simply hitting ‘accept’ or ‘deny’ when prompted, the user is asked to validate their identity by selecting a symbol or letter on their mobile device that matches the one shown on their browser. This helps to tackle the process of habituation and so renders push-to-accept less susceptible to attackers.
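The symbol-to-accept flow described above, as an added illustration that is not SecureAuth’s code: the server picks a random symbol to show in the browser, offers the mobile device that symbol among decoys, and accepts the login only if the user’s selection matches, within a short time window and exactly once. The alphabet, the three-choice layout and the 60-second lifetime are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed alphabet: letters that are hard to confuse on a small screen.
SYMBOLS = "ABCDEFGHJKLMNPQRSTUVWXYZ"


@dataclass
class Challenge:
    expected: str        # symbol displayed in the browser session
    choices: tuple       # symbols offered on the mobile device (includes expected)
    expires_at: float    # absolute time after which the challenge is void


class SymbolToAccept:
    """Server-side state for symbol-to-accept push challenges (assumed design)."""

    def __init__(self, n_choices: int = 3, ttl_s: float = 60.0) -> None:
        self.n_choices = n_choices
        self.ttl_s = ttl_s
        self._pending: dict[str, Challenge] = {}
        self._rng = secrets.SystemRandom()

    def create(self, login_id: str) -> Challenge:
        """Issue a challenge; replaces any earlier one for the same login attempt."""
        expected = secrets.choice(SYMBOLS)
        decoys = set()
        while len(decoys) < self.n_choices - 1:      # distinct decoys, never the answer
            sym = secrets.choice(SYMBOLS)
            if sym != expected:
                decoys.add(sym)
        choices = list(decoys) + [expected]
        self._rng.shuffle(choices)                    # answer position is unpredictable
        ch = Challenge(expected, tuple(choices), time.time() + self.ttl_s)
        self._pending[login_id] = ch
        return ch

    def verify(self, login_id: str, selected: str) -> bool:
        """Consume the challenge; one answer per challenge, right or wrong."""
        ch = self._pending.pop(login_id, None)       # single use: removed before checking
        if ch is None or time.time() > ch.expires_at:
            return False                              # unknown, replayed or expired
        # A habitual 'accept' tap cannot pass here: the user must pick the
        # one symbol that matches the browser; a blind guess succeeds 1-in-n.
        return secrets.compare_digest(selected, ch.expected)
```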
To bolster security, ensure that any end-user facing self-service functionality, such as password reset or account unlock, is protected using adaptive access controls that perform advanced risk analysis to verify the user. Adaptive authentication uses techniques such as geographic location analysis, device recognition, IP address-based threat services, and phone fraud prevention, which strengthen security while remaining unburdensome to users.
Enhancing online portal security while providing refined user experience
Adaptive authentication enhances security while simultaneously maintaining seamless usability, by performing advanced risk analysis in the background to quickly verify a login attempt. SecureAuth worked with a large UK-based financial services enterprise to secure and protect its customer portals. Its business model relied largely on repeat custom, so customer retention through a personalised portal was needed. Working with customer preferences, the organisation adapted its approach to security and authentication to better reflect this, taking individual preferences into account. Repeat users enjoyed a refined experience without repeated access requests, as authentication was only required at the transaction phase. This reduced the number of times that credentials were requested and improved the overall user experience.
With a multitude of technologies that could potentially be used in the digital transformation of banking and finance services, it becomes increasingly critical to maintain strong security and easy usability for employees and customers. By protecting online portals, enterprises can mitigate risks, detect breaches, and protect the most valuable information from attackers. Cyber criminals are constantly evolving their methods and exploiting new attack vectors, especially in the era of digital transformation; the time is now for businesses to take a more modern and adaptive approach to their security.