Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Banking

Busting Online Banking Myths
hilding arrehed web

Published : , on

Author: HildingArrehed, director of worldwide professional services at ActivIdentity, part of HID Global

Two common misconceptions about online banking security may be holding financial institutions back from offering their customers the best services possible.hilding arrehed

I've had the opportunity to work with a number of financial institutions around the world, helping them design and implement security solutions for their online banking systems. Along the way, I've identified two highly prevalent myths surrounding online banking security. Here, I'll explain the flawed thinking behind these myths and offer some simple solutions to their associated challenges.

Myth 1: Strong online security practices are inconvenient and create bad customer experiences

Banks with the strongest online security are able to offer their customers more and better services than their less secure competitors, which often trump any convenience factors. For example, a bank that launched its online banking service back in 1996 began immediately enforcing strong, two-factor one-time password (OTP” data-scaytid=”9″>OTP) token-based authentication at every login. The bank quickly reached 2.5 million online users despite the fact that access to the site required login via a challenge/response scenario. Customers recognized that this system enabled them to confidently and securely conduct all their financial business online, including executing international money transfers, making stock trades and completing mortgage applications.

Fast-forward to 2011. With all of today's advanced security technologies, you might ask how financial institutions can build online banking systems that offer functionality and sufficient security and also maintain the highest level of convenience. My suggestion is to let your customers customize their security options in the following ways:

  • At the time of log in, allow customers to choose which authentication method to use based on how they intend to use the service. For example, a password should be enough to view account status and transfer money between a customer's own accounts
  • Empower customers to configure their own "convenience vs. security" levels. When logged in with a strong authentication method, such as OTP token or SMS text, it should be possible to reset the password mentioned above, or disable/enable that access level altogether
  • Let customers choose to connect from their preferred device. Be quick to release mobile and tablet apps, since using the built-in Web browser in small devices is typically not an option. Embed security into your apps, but keep your security model and supported authentication devices consistent so it's clear to the user that regardless of the device or app, the same service is being accessed with the same level of security
  • Some customers will want to get security credentials (OTP tokens, etc.) directly in a branch office, while others will want everything to be managed via phone. Tech savvy customers might want to use their mobile phones as OTP tokens. Let them choose, and don't be afraid to charge a small premium
  • Let customers use the same security credential they use for online banking when they access other bank services such as telephone banking and customer service
  • Do not underestimate the power of great customer support — in multiple forms. Some customers may want to research issues and find solutions on your website, while others prefer to communicate via email or phone. Make sure to provide all of these options, and do it well


Myth 2: The strongest security measures should protect initial access to all services

Levels of security should increase based on transactional sensitivity. For example, logging into your online account could be simply protected by password authentication, but access to money transfers should require more stringent validation and verification. Consider the following best practices for secure, risk-appropriate and cost-efficient electronic transaction signing:
 

  • Make it as easy as possible. Only ask for transaction signing when money is transferred to outside accounts, and allow transactions to be batched, including payments, transfers and other tasks that require signing. This prevents customers from having to go through the same electronic signing process multiple times
  • Use a secure but risk-appropriate technology to carry out the transaction signing. Smart cards, tokens, soft tokens and SMS text messages are all good ways to provide electronic transaction signing. However, customers should only be required to have one strong security credential to log in and conduct online business with your bank — they can choose to have multiple credentials, but this shouldn't be a requirement
  • Make sure it's clear to the user what is being electronically signed. This is to prevent the risk of man-in-the-middle attacks. Clarity is particularly important now given recent attacks on trusted Certificate Authority providers and hacks of the session security protocol mechanisms (SSL/TLS) used by Web browsers. If transferring $500 from account 12345678 to 87654321 on December 3, for example, select a subset of this transaction data to be encrypted (electronically signed) by the customer by using a strong security credential. In the case of an OTP token, this could mean that the number 5008321312 (where 500 is the amount, 8 is the last number of the source account, 321 is the last three numbers of the destination account and 312 is the date for the transaction) was typed into the token for encryption (electronic signing). The token would then return an encrypted version of the number that, once typed into the internet bank site, can be verified by the bank's back end, the only other entity with access to the encryption key used by the token. Given a strong user awareness campaign and a user-friendly interface, this allows the user to understand what it is they are approving
  • Store the transaction data, including the customer's electronic signature, in a secure, tamper-evident audit database for archiving purposes. It can be very useful in proving that a money transfer was correctly carried out and approved many years after it happened


Every bank obviously has its own advantages, challenges and security needs. Your security solution, including authentication and money transfer approval mechanisms, needs to be specifically defined to meet those unique needs.

 

Uma Rajagopal has been managing the posting of content for multiple platforms since 2021, including Global Banking & Finance Review, Asset Digest, Biz Dispatch, Blockchain Tribune, Business Express, Brands Journal, Companies Digest, Economy Standard, Entrepreneur Tribune, Finance Digest, Fintech Herald, Global Islamic Finance Magazine, International Releases, Online World News, Luxury Adviser, Palmbay Herald, Startup Observer, Technology Dispatch, Trading Herald, and Wealth Tribune. Her role ensures that content is published accurately and efficiently across these diverse publications.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: . You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post