Global Banking & Finance Review recently spoke with Brian Spector, CEO of CertiVox, about security within the financial sector, including the state of user security, the most common threats and what organisations can be doing about them.
How would you describe the state of user security within the financial and banking industry at the moment?
“Organisations across all industry sectors are facing the increasing risk of data breaches and sustained assault from hacking collectives, and it seems that not a day goes by without another high profile data breach hitting the headlines. In recent weeks we have seen three South Korean banks fined for a data breach that affected up to 20 million customers, as well as the fallout for banks from the Target attack in the US. Obviously this is also prevalent across other sectors with high profile organisations like Yahoo!, Adobe and Tesco also falling victim to attacks in recent months, and as you would expect, the financial services industry is relatively one of the most secure.
“However, we recently surveyed 2,000 UK consumers to look into their experiences of banking security, and found that of the 24 per cent of respondents who had online services hacked, 13 per cent of these successful attacks targeted banking services. With the important financial information concerned, this should make alarming reading for banks, particularly as the same research found that 25 per cent of respondents would terminate a service immediately if their account was compromised.
“The finance and banking industry by its very nature must be aware of these increasing threats and regularly update its security accordingly. However, the additional security implemented by some is either not sufficient, or diminishes the experience of their customers.”
What are the most common threats encountered?
“Recent research from Ponemon shows that the average annual cost of cyber crime varies by industry segment, with financial services, defence, and energy and utilities experiencing substantially higher cyber crime costs than organisations in retail, hospitality and consumer products.”
“The problem is that as security gets more sophisticated so do the attacks themselves. It appears a recent high profile attack example could have been orchestrated based on initialisation through a malware-laced phishing email. Whatever the type of attack though, what is proven time and again is that username and password security systems are inherently weak, offering a wide range of attack vectors to criminals, along with a valuable harvest of private customer information.”
Confidential data is a top concern. What products are available to increase security and help prevent data theft?
“Security intelligence systems such as two-factor authentication should start to be integrated across all industries in order to have some kind of real control on data breaches. Many companies do respond to these threats by adding layers of security, such as additional security questions, Captcha codes, SMS-based so-called one-time passwords or, in the case of banks, physical security devices. However, the problem with these measures is they often frustrate users in relation to the ease of use and experience in accessing services.
“Data is the individual’s responsibility, but as service providers ‘volunteer’ to protect personal information it is by default their duty to safeguard the consumer data held. This means organisations must begin to learn about the different technologies available, like encryption, and use them to safeguard personal and sensitive data. There are several strong authentication technologies ready to step in and replace the traditional ID/password combination, and organisations should really be focused on finding a higher level of security that transcends username and password, which is cost effective and advanced, but also easy to use.
“To establish trust and prevent these types of attacks, organisations need to look beyond username and password protection and even common two-step authentication and should urgently consider technologies that remove the username password altogether so that there is nothing to be stolen or compromised in the first place.”
Explain to us how CertiVox’s M-Pin strong authentication works and the benefits it can offer to both consumers and businesses.
“M-Pin provides strong multi-factor authentication which is designed to replace the vulnerable username and password login system for digital services. Instead of username/password combinations, often the target of choice for hackers, M-Pin gives the end user a four-digit PIN to enter for access to content and services. The M-Pin mobile client also alleviates concerns about accessing services from a PC not under a user’s control, by allowing login through the user’s smartphone.
“M-Pin is based on strong elliptic curve cryptography and delivers multi-factor authentication for websites, enterprise and mobile applications, using HTML5 web apps, meaning no browser plug-ins or software is required. Authentication is performed between the M-Pin Client and the M-Pin Authentication Server using the M-Pin Protocol, a zero-knowledge proof construct. The result is that the M-Pin server has just one leak-proof cryptographic key, which if compromised or stolen reveals nothing about users in an enterprise or your web application. In addition, M-Pin operates on a principle of distributed trust, whereby the root key generators are split between CertiVox’s servers and those belonging to the client, meaning that any attack would have to compromise both of these systems to have any chance of being successful.”
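As an added illustration of the ideas in that answer (this is not CertiVox's code, and M-Pin's actual pairing-based protocol is not reproduced here; the HMAC share derivation, the secp256k1 Schnorr proof and every name below are stand-ins chosen for this example), the Python script shows three things: a client secret assembled from shares issued by two independent key generators, so that stealing one generator's material yields nothing usable on its own; that secret split into a device-held token plus a four-digit PIN, so the PIN alone is never stored anywhere; and a login in which the client proves knowledge of the secret without ever sending it, while the server holds only verification material. One difference from the page's description is deliberate: the server here stores a per-user verification point rather than a single server key, and the last function shows why that point must be kept confidential and why PIN attempts must be rate-limited online.

```python
"""Added example (not CertiVox/M-Pin code): split-authority enrolment, a
PIN-split client secret and a Schnorr zero-knowledge login over secp256k1."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (standard values, used here only for illustration)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc, addend = None, pt
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_scalar(*chunks):
    h = hashlib.sha256()
    for c in chunks:
        h.update(c)
    return int.from_bytes(h.digest(), "big") % N


# --- distributed trust: two independent authorities each issue a share -----------

def issue_share(authority_master: bytes, identity: bytes) -> int:
    """Hypothetical HMAC-based derivation standing in for a 'root key generator':
    each authority derives a per-identity share from its own master secret."""
    return int.from_bytes(hmac.new(authority_master, identity, "sha256").digest(), "big") % N


def enroll(identity: bytes, pin: int, master_a: bytes, master_b: bytes):
    """Client secret x = share_a + share_b; one authority's share alone is useless.
    Returns (device_token, server_point): the device keeps x - pin, the server x*G."""
    x = (issue_share(master_a, identity) + issue_share(master_b, identity)) % N
    token = (x - pin) % N                 # factor 1 (have): stored on the device
    server_point = ec_mul(x, G)           # verification material; does not reveal x
    return token, server_point


# --- login: Schnorr proof of knowledge of x, bound to a fresh server nonce ---------

def prove(token: int, pin: int, nonce: bytes):
    """Client: rebuild x from token + PIN (factor 2, know) and prove knowledge of it.
    A wrong PIN yields a wrong x, so the proof simply fails to verify."""
    x = (token + pin) % N
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    c = hash_to_scalar(point_bytes(R), nonce)   # Fiat-Shamir challenge, nonce-bound
    s = (r + c * x) % N
    return R, s


def verify(server_point, nonce: bytes, R, s: int) -> bool:
    """Server: accept iff s*G == R + c*X. Neither x nor the PIN is ever transmitted."""
    c = hash_to_scalar(point_bytes(R), nonce)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, server_point))


def recover_pin_offline(token: int, server_point, max_pin: int = 10_000):
    """The caveat: whoever holds BOTH the device token and the server's point can
    brute-force a 4-digit PIN with ~10^4 point additions and no online attempts."""
    target = ec_add(server_point, ec_neg(ec_mul(token, G)))   # equals pin*G
    acc = None                                                # 0*G
    for candidate in range(max_pin):
        if acc == target:
            return candidate
        acc = ec_add(acc, G)
    return None


if __name__ == "__main__":
    master_a, master_b = secrets.token_bytes(32), secrets.token_bytes(32)
    token, server_point = enroll(b"alice@example.com", 1234, master_a, master_b)
    nonce = secrets.token_bytes(16)                           # fresh per login
    print("correct PIN  :", verify(server_point, nonce, *prove(token, 1234, nonce)))
    print("wrong PIN    :", verify(server_point, nonce, *prove(token, 4321, nonce)))
    print("offline guess:", recover_pin_offline(token, server_point))
```

Running the script prints a successful login with the right PIN, a failed one with the wrong PIN, and then recovers the PIN from the token and the server's point. That last result is the design lesson behind the answer above: a four-digit PIN only survives if every guess has to be made online against a server that can count and lock out attempts, which means the server-side verification material must be treated as a secret, the device token must never be stored alongside it, and the nonce must be fresh for each login so a captured (R, s) pair cannot be replayed.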
What have CertiVox got planned for 2014?
“We can’t talk about the details at this stage but we have a lot going on in a variety of sectors, including financial services, in 2014. Expect to see product upgrades, high profile customers and a real step up in our drive to stop the slew of data breaches and establish real trust between consumers and organisations.”