By Frans Labuschagne, UK & Ireland Manager, Entersekt
As most of us are acutely aware by now, the Coronavirus pandemic is having a global impact on the way we live our lives. Not only is the disease endangering the health of millions of individuals, it is also shutting down businesses, closing schools, and increasing our dependence on technology like never before. Whether it be working from home, communicating with family or keeping up to date with finances – technology has proved invaluable in these unprecedented times. However, as people become more reliant on the internet – cyber security becomes an even bigger issue.
For instance, banking customers are increasingly reliant on the internet and their mobile devices to carry out transactions, with research revealing that 82 percent do not feel safe visiting their bank branch during the pandemic. Ever-opportunistic, cyber criminals are taking advantage of this increased reliance on remote banking to launch attacks.
It is therefore vital that banks prepare for this surge in cybercrime and consider additional security measures to keep customer accounts safe.
One of the biggest tactics cyber criminals are utilising during the COVID-19 pandemic is phishing, with research from Barracuda Networks revealing there has been a 600 percent increase in attacks since the end of February. Research also shows cyber criminals are starting to reap the rewards from their scams, with data from National Fraud Intelligence Bureau (NFIB) revealing that cyber criminals have already netted over £1.6 million.
The most prevalent scams encourage users to hand over money and confidential information, with bank details being the ‘Holy Grail’ of sensitive personal data. It is critical for banks to offer their customers – both consumers and businesses – additional security measures to ensure they can bank securely and that no unauthorised intruders are accessing their accounts. One of the most reliable ways to achieve this is through multi-factor user authentication.
Multi-factor authentication (MFA) is widely used by financial institutions and is a method of controlling access to a system or network by requiring a user to present credentials – authentication factors – in at least two different ways – for instance, via a password, biometric data or a physical token, such as a smart card or other device.
Over the past few years, strong customer authentication (SCA), which relies on the MFA principle of requiring at least two different types of authentication factors, has become a key security measure in the financial services and payments industries, mandated by Europe’s revised Payment Services Directive (PSD2). Implementing SCA ensures that only authorised individuals can access an account or complete a sensitive transaction, thereby protecting users against account takeover fraud and similar attacks.
With PSD2 mandating the implementation of SCA, the industry has seen a rapid increase in providers offering authentication solutions. It’s fair to say, though, that not all authentication solutions are created equal. So, what should banks look for in order to provide a secure banking experience, without overcomplicating transactions or excluding customers that might be less tech-savvy?
One of the most common mistakes many financial institutions make with MFA is asking customers to authenticate themselves via different methods depending on how they access their bank account. The result is a muddle of authentication techniques: biometrics on the banking app, challenge questions from the call centre, card swipes in-branch, and static or one-time passwords online.
This can leave customers feeling confused and left trying to remember too many pieces of information, which can encourage mistakes like using easy-to-remember passwords or using passwords across multiple accounts and platforms.
What banks should really aim to offer customers is a more streamlined authentication process, no matter what channel customers are accessing their accounts from, all while combatting fraud and satisfying regulators.
Multi-factor authentication best practices
A key element of a winning MFA solution is one that provides the utmost security while putting the customer first, enabling quick and easy authentication that does not detract from the overall banking experience. However, accurately identifying and authenticating users on remote banking channels is a complex undertaking. Not only is it subject to constant change as technology and consumer behaviour evolve, it is also regulated and enforced by governing bodies that set standards and requirements. Selecting a vendor with an eye on global regulatory trends is important as this will ensure that the authentication solution is compliant with regional regulations.
MFA solutions should be built on technology standards, offer flexibility to scale to meet future requirements, and be compatible to run seamlessly across multiple operating systems. Authentication should seamlessly integrate into the customer’s digital banking experience and be built into the mobile app or web browser. This will ensure customers won’t have to rely on passwords, or find themselves unable to access services if they don’t have a physical card reader to hand.
When it comes to evaluating the basics of an MFA solution, there are also important guidelines to remember:
- Each factor selected must be equally strong. Combining a weak factor with a strong one yields little more protection than relying on the strong one alone. A social security or national identity number, for example, may qualify as a knowledge factor, but can be obtained by fraudsters with minimal effort, precluding it as a strong factor. The same would apply to the more standard challenge questions in use today, like a mother’s maiden name.
- Factors must be mutually independent, so that if one factor is compromised, it cannot typically be used to gain access to the other(s).
As cyber criminals look to cash in on the pandemic, it is critical that banks take steps to protect their customers as they become more dependent on internet and mobile banking. MFA provides a way for banks to doubly verify that accounts are being accessed by authorised individuals and not by intruders. When identifying a solution, banks should look for one that balances state-of-the-art security with a user experience fit for today’s age of the customer.
Banks should keep these eight best practices for MFA implementations in mind:
- All sensitive transactions must be multi-factor authenticated
- The entire authentication process must take place out of band
- All sensitive data must be encrypted in transit, end-to-end
- Cryptographic keys and sensitive data at rest must be protected
- All authentication responses must be digitally signed
- Clearly display critical transaction information for verification
- Take a layered approach for high-risk transactions
- Adopt a consistent multi-channel approach
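Three of the practices above (out-of-band authentication, digitally signed responses, and displaying the transaction details the customer is approving) fit together in one mechanism: the registered device authenticates exactly what it showed the user, and the bank only accepts an approval that matches the transaction it is about to execute. The following Python sketch is an added illustration, not code from the article or from Entersekt's product. It assumes a per-device secret provisioned at enrolment and uses an HMAC as a stand-in for the asymmetric signature a real deployment would compute with a key held in the device's secure storage; the transaction values and device identifier are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def canonical(challenge_id: str, tx: dict, decision: str) -> bytes:
    """Deterministic encoding of exactly what the device displayed and the user's decision."""
    return json.dumps(
        {"challenge_id": challenge_id, "tx": tx, "decision": decision},
        sort_keys=True, separators=(",", ":"),
    ).encode()


class AuthServer:
    """Bank-side verifier holding the per-device keys registered at enrolment (constructed)."""

    def __init__(self, device_keys: dict, ttl_seconds: int = 120):
        self.device_keys = device_keys   # device_id -> secret key
        self.ttl = ttl_seconds
        self.pending = {}                # challenge_id -> (device_id, tx, issued_at)
        self.consumed = set()            # challenge_ids already answered (replay guard)

    def issue_challenge(self, device_id: str, tx: dict, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        cid = secrets.token_hex(16)      # unpredictable and single-use
        self.pending[cid] = (device_id, tx, now)
        # Pushed to the registered device, not returned to the web session that
        # asked for the payment: the approval travels on a separate channel.
        return {"challenge_id": cid, "tx": tx}

    def verify(self, device_id: str, response: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        cid = response["challenge_id"]
        if cid in self.consumed:
            return False, "replayed"
        entry = self.pending.get(cid)
        if entry is None or entry[0] != device_id:
            return False, "unknown challenge"
        _, tx, issued_at = entry
        if now - issued_at > self.ttl:
            del self.pending[cid]
            return False, "expired"
        # Recompute over the transaction the bank will actually execute, so the
        # response only validates if the device displayed that same transaction
        # and the decision was not altered in transit.
        expected = hmac.new(self.device_keys[device_id],
                            canonical(cid, tx, response["decision"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["tag"]):
            return False, "bad signature"
        self.consumed.add(cid)
        del self.pending[cid]
        return response["decision"] == "approve", "ok"


def device_respond(device_key: bytes, challenge: dict, decision: str) -> dict:
    """Device side: render the transaction to the user, then authenticate that exact rendering."""
    cid = challenge["challenge_id"]
    tag = hmac.new(device_key, canonical(cid, challenge["tx"], decision),
                   hashlib.sha256).hexdigest()
    return {"challenge_id": cid, "decision": decision, "tag": tag}


def run_scenarios() -> dict:
    """Exercise the honest flow and the failure modes the checks are meant to catch."""
    key = secrets.token_bytes(32)    # constructed enrolment secret
    srv = AuthServer({"dev-1": key})
    tx = {"amount": "250.00", "currency": "GBP", "payee": "ACME Ltd 12-34-56 12345678"}
    out = {}

    # 1. Honest flow: the device displayed what the bank will execute.
    ch = srv.issue_challenge("dev-1", tx, now=1000.0)
    resp = device_respond(key, ch, "approve")
    out["honest"] = srv.verify("dev-1", resp, now=1010.0)

    # 2. Replay: presenting the same approval a second time is refused.
    out["replay"] = srv.verify("dev-1", resp, now=1011.0)

    # 3. Flipped decision: the user denied, but the response was altered to "approve".
    ch = srv.issue_challenge("dev-1", tx, now=2000.0)
    resp = device_respond(key, ch, "deny")
    resp["decision"] = "approve"
    out["flipped"] = srv.verify("dev-1", resp, now=2001.0)

    # 4. Display mismatch: the device showed a different payee from the one the bank holds.
    ch = srv.issue_challenge("dev-1", tx, now=3000.0)
    shown = dict(ch, tx=dict(tx, payee="Other Payee 99-99-99 00000000"))
    resp = device_respond(key, shown, "approve")
    out["mismatch"] = srv.verify("dev-1", resp, now=3001.0)

    # 5. Stale: a valid answer arriving after the challenge TTL.
    ch = srv.issue_challenge("dev-1", tx, now=4000.0)
    resp = device_respond(key, ch, "approve")
    out["expired"] = srv.verify("dev-1", resp, now=4200.0)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The design point is that the approval is bound to the challenge identifier, the displayed transaction and the decision together; a response that approves a different amount or payee, a denial flipped to an approval, a reused approval, or a late one all fail verification at the bank before any funds move. Swapping the HMAC for a per-device asymmetric key would additionally give the bank a non-repudiable record of which device approved which transaction.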
This is a Sponsored Feature