By Dr. Hamed Taherdoost, Professor at University Canada West

The internet revolution has influenced the banking industry in many aspects in both corporate and retail banking.

Many banks have jumped to offer digital banking services without any physical branches recognized as “challenger banks” and “neo banks.” As more people perform their transactions using online banking services, the risk of data breaches increases accordingly. Based on the statistics provided by American Bankers Association, 73% of Americans used their online banking accounts in 2019. This new cybersecurity climate in the banking industry as a result of going digital requires banks to be quick to adapt to upcoming threats.

One necessity in the digital banking business line is considering safeguards against cyber-attacks to provide safe, secure, and uninterrupted services. Protection applications to consider in the banking industry with the aim to protect customers’ assets commonly, include regular security audits, firewalls, anti-virus and anti-malware applications, multi-factor authentication, biometrics, and automatic logout.

However, banking environments have significantly shifted in the digital age and many brand-new cyber fears are coming true. Digital banks are significantly a cost-efficient alternative for branch banking since they have eliminated maintenance and operation costs. However, banks need to increase their cybersecurity budgets to enhance or completely replace their cybersecurity applications to protect valuable data against typically carried out cyber-attacks if they are planning to grow and expand their digital footprint.

One countermeasure that is specifically focused on by banks is multi-factor authentication. Multi-factor authentication has turned into one element of the security in the DNA of digital banks since it offers a long-term solution to move from static credentials. Multi-factor authentication that is offered to clients as an option for authentication, combines something you know such as a secret with something you are such as a biometric, or something you have such as a device or object to log in to your digital bank account.

The combination of these mechanisms in parallel provides strong authentication that is less likely to be penetrated by attackers and hackers. Multi-factor authentication stops the risk of reaching the network by attackers, particularly for customers that rarely change their password or make minor changes in their credentials randomly. In a study conducted by Digital Guardian, 1,000 Google users in the United States, from ages 18 and up were asked about their habits in password security. It was concluded that nearly one-third (31.3%) of respondents change their passwords one to two times per year and just over one-fifth (22.4%) change their passwords more than five times annually. And 17% of respondents change their passwords every few months or approximately three to four times annually.

Considering multi-factor authentication mechanisms, dynamic One-Time Password (OTP) generator mechanisms secure financial transactions by generating a single password that is valid just for one-time use and its validation is time limited. The unique code generated provides better trust and faith to defend customers’ transactions against online attacks when coupled with static passwords that were traditionally used.

Authentication devices to be employed by banks for the multi-factor authentication approach include EMV Card and Reader, Hardware & Software OTP Tokens, Hardware-based PKI Tokens, Software-Based PKI Tokens, SMS-based OTPs, TAN Lists, and Matrix Cards. Each method brings along pros and cons and should be selected by considering some criteria such as customer acceptance, customer confidence, risk level, deployment, and maintenance costs.

However, the arms race in cyber security is never-ending and attackers constantly make attempts to penetrate banking systems. Shifting customer authentication to transaction authentication is a more secure solution to mitigate or eliminate the risk of cyber threats since it neutralizes the attacker’s normal operating model by making a unique code for each transaction that also includes an expiry mechanism.

The banking industry is a prime target for cyber-attacks and is commonly ahead of the curve in cybersecurity issues. Despite focusing on cyber security concerns and considerations to respond to future threats strategically, banks need to ensure the client experience logging into the online bank account remains simple.

Normally, the One-Time Password will be created and sent to the client on a mobile device, authenticator application, or OTP device as soon as the static password and information about the financial transaction are entered using an integral keyboard. The generated password is unique and acts as a digital signature and cannot be used for any other purpose by attackers. However, multi-factor authentication may be difficult to use from the clients’ perspective since it is dependent on a personal OTP device or mobile phone.

Thus, deployment of multi-factor authentication will be challenging when the mobile phone or OTP device is missed, when there are SMSrelated issues or in case that the statistic password is forgotten. The inconvenience for clients is likely to push them toward cutting corners and performing security measures that increase the vulnerability of the system.

Multi-factor authentication alone does not make banking transactions entirely unhackable. Attackers can still take advantage of weaknesses between different steps of authentication specifically in cases where clients are annoyed with using complicated multi-factor authentication and facing constantly expired transactions.

To keep pace with more sophisticated intrusion and attacks from malicious parties, banks as financial institutions that interact with sensitive transactions are expected to predict future cyber threats and modernize their authentication practices with an eye toward password-less approaches. Employment of blockchain technology which is a leading trending technology to secure transactions in blockchain-based multi-factor authentication technologies is expected to be a potential solution for future cyber security and authentication issues. Blockchain technology enables safe transactions between parties by using private keys for identifying users. Using decentralized blockchain technology can contribute considerably to safeguard data assets in financial institutions and offer more secure, convenient, and efficient large-scale transactions in the banking industry. New protocols as the result of the integration provide adequate techniques for authentication in the 6G era in which data nodes will be highly connected.

Observations and explorations regarding the integration of multi-factor authentication with blockchain are limited; however, there is huge room for research in this emerging field because of the advantages that each mechanism offers.

References:

1. Asim, J., Khan, A. S., Saqib, R. M., Abdullah, J., Ahmad, Z., Honey, S., Afzal, S., Alqahtani, M. S., & Abbas, M. (2022). Blockchain-based Multifactor Authentication for Future 6G Cellular Networks: A Systematic Review. Applied Sciences, 12(7), 3551. https://doi.org/10.3390/app1207355.
2. Digital Guardian. (2017). Uncovering Password Habits: Are Users’ Password Security Habits Improving? (Infographic). [online] Available at: https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic.
3. Lake, R. (2020). How To Protect Your Online Banking Information. [online] Forbes Advisor. Available at: https://www.forbes.com/advisor/banking/how-to-protect-your-online-banking-information/#:~:text=Remember%20to%20update%20your%20online [Accessed 6 Apr. 2022].