By Mark Leonard, CEO, Secure Cloudlink
With the rollout of the open banking initiative underway across the UK, one could be forgiven for thinking that this event would see a root and branch rethink on how sensitive data can be secured more effectively. Given the numerous hacks and cyber attacks that targeted commercial and public organisations in 2017 alone, cybersecurity has never been so important as it is now. Yet despite this, banks and organisations appear wedded to old-style approaches to cybersecurity. Given the investment to date, it is perhaps understandable; however, it continues a policy that retains inherent flaws and weaknesses. If banks are to reform the way they view and address cybersecurity, the question becomes how they can do so in a way that removes the flaws of the old whilst strengthening their defences so they are truly prepared for what lies ahead.
The flaws in our security…
The Open Banking Initiative is predicated on sharing individuals’ highly sensitive financial information between banks and other financial services providers. As such it means that links have to be created between many different and disparate data stores. Unfortunately, more links usually mean more opportunities for cybercriminals to exploit.
It’s often said that any security is only as effective as its weakest link. The problem is that the growing plethora of IT infrastructure has only served to widen the security vulnerabilities. It’s no surprise that spending on security-related hardware, software and services rose to $73.7 billion in 2016 and is expected to reach $101.6 billion by 2020 according to IDC. The difficulty in today’s digital environment is that whilst the threat environment has become global in nature and more complex, certain aspects of the security, authentication and verification process remain rooted in a bygone age. Specifically, the continued use of passwords as a means to both access and authenticate individuals leaves individuals and organisations alike susceptible to continued and repeated cyber attacks.
Passwords, Fallibility & Artificial Intelligence – An unholy muddle
With the open banking initiative live and GDPR on the horizon, financial institutions are under even greater scrutiny to ensure the data they hold remains secure and is only accessible to those authorised to view it. Despite advances in security protocols and procedures, passwords remain an integral part of the login/sign-in process used to authenticate and grant access to our secure information.
The problem is that we as a society have an over-reliance on passwords to secure our data. Passwords are amongst the most popular forms of authentication yet they are fundamentally flawed. Human nature, being what it is, is often the primary weak spot in most system breaches. One only needs to look at the range of cyber attacks that were launched last year to see evidence of this. The WannaCry attack that crippled the NHS last year tapped into the curiosity of individuals while the cyber attack on the UK Parliament exploited weak email passwords. Passwords have become easy to crack by hackers and hard to remember by users, who often write them down or use the same, simple password across multiple sites and services.
To compound matters, the rapid advance of artificial intelligence and deep learning technology serves only to further highlight the inadequacy and limits of password-protected systems. As hackers start to tap into deep learning and other AI-based technologies to gain access to our digital identities, it will become more and more of a problem. Recent academic research has already shown that a theory-grounded password generation approach based on machine learning outperforms current password guessing tools.
Securing the individual to secure the organisation…
The usual response following previous cyber attacks has been to patch up any gaps and to build higher cyber walls around institutions. This has not solved the problem; if anything, it has created a false sense of security and further adds to the vulnerability that individuals and organisations face.
Rather than continuing to try and turn financial institutions into impregnable digital fortresses, it’s time to secure the digital identity of the individual. For one, no bank can truly become an impregnable digital fortress for the simple reason that it has to conduct transactions and therefore needs to have digital doors. The question is how one passes through these digital gateways.
The answer lies in Anonymised User Access to web services. Such an approach enables greater levels of security and lowered costs for banks and service providers to access internet-based applications over the web more securely, without the user’s unique security credentials being transmitted or stored in the user authentication steps. This innovative approach, originally built for highly secure implementations, is now commercially available to organisations that want to make their customers’ digital identities and the data they control truly safe. Moreover, the approach uses a highly secure, patented, encrypted, transient token capability that works with biometrics and pattern recognition technology and has an inbuilt one-time code for authorising users. Add an inbuilt, configurable risk engine that assesses you in real time against factors like device, location and previous patterns, and that will demand second-factor authentication on the fly, and you effectively secure the individual. Anonymising and redacting all user data and target system information removes the opportunity and risk of an interception by malware or the many ‘man in the middle’ attacks. Securing the digital identity of the individual creates a far more robust and secure environment – one that eliminates the human factor and removes the need for passwords altogether.
Open Banking need not be an open door to cybercriminals…
For banks and financial services organisations, who are guardians of corporate and consumer data, addressing cybersecurity now requires a new way of thinking – one that eliminates human fallibilities whilst strengthening the authentication and verification process at the same time. The open banking initiative is a turning point in how financial institutions address cybersecurity by the mere fact that individuals’ financial data will be shared between institutions and third parties. Open banking offers the promise of convenience and simplicity for the consumer. Convenience, however, comes at a price, and that price cannot be the continued unfettered and unauthorised access of consumer data due to security breaches caused by antiquated methods of security. It’s time for banks to accept that the password approach to cybersecurity no longer holds sway and that securing the digital identity of the individual will ultimately secure their own future.