Evolution better than revolution in online banking authentication
As more banking is done online, financial institutions have had to rethink their customer authentication strategies to ensure they remain relevant in a rapidly changing technological age. But for all the talk of biometric security, the principal focus remains relatively low tech.
Banks and their customers must be aware of numerous forms of online attack. But the growing popularity of online banking has made three particularly popular with hackers: phishing attacks, where emails trick customers into offering up sensitive identity information; pharming, where hackers obtain the same information via the installation of malicious software; and malware, which looks for bank account number patterns.
To combat these threats, banks have an array of tools at their disposal. They include customer passwords; personal identification numbers (PINs); digital certificates issued under a public key infrastructure, where data is encrypted and only the user holds the key needed to decrypt it; physical devices such as card readers; transaction profiling scripts, which monitor customer behaviour patterns; and biometric identification.
Part of the problem is the difficulty in quantifying the threat. “Banking institutions do not provide public information about suspicious activities that occur in their computer systems,” says Susan Bradley of the SANS Institute in a white paper on how small businesses can protect themselves while banking online. “There is no mandate to release to the public information technology audits and reviews performed on the bank or credit union.”
Among the plethora of options, industry best practice remains relatively low tech: something the customer knows (security questions or a PIN) and something they own, such as a card reader.
Banks are investing heavily in research into the most effective ways to keep their customers safe online. This is crucial to protect their reputations as trustworthy guardians of money. “The most significant cost is the reputational damage that a bank suffers as a result of the breach,” says Jonathan Turner, a financial services technology partner at PwC.
Banks therefore consider the problem in relative terms, aiming not to eradicate fraud altogether, which is probably impossible, but to be more secure than their competitors. “An individual bank can reduce its likelihood of attack if it keeps its security levels in the top quartile relative to other targets,” says Turner.
“The challenge is to minimize both the risk of a breach occurring and the time to detect and remediate any breaches which do initially succeed,” adds Tom Lewis, head of forensic technology solutions at PwC.
Many banks have embraced mutual authentication, where the bank proves its identity to the customer in the same way the customer does to the bank, to protect against phishing attacks. The solution has the advantage of being cheap, as well as effective.
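The exchange described above, as an added example that is not part of the original article and not any bank's own protocol: a shared-secret challenge-response in which each side proves knowledge of the key over a fresh nonce from the other side. The key `SHARED_KEY`, the class names and the `PhishingSite` impostor are all constructed for illustration; the point shown is that a site which does not hold the key cannot produce a valid bank tag, so the customer aborts before sending anything that proves who they are.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example only. In a real deployment this is a
# per-customer key provisioned out of band (e.g. into a card reader or app),
# never the customer's password.
SHARED_KEY = b"example-key-provisioned-out-of-band"


def _tag(key: bytes, role: bytes, *nonces: bytes) -> bytes:
    """HMAC-SHA256 over a role label plus the nonces.

    The label is part of the MAC input so a tag the bank produced can never be
    replayed back to the bank as if it were the customer's response."""
    return hmac.new(key, b"|".join((role,) + nonces), hashlib.sha256).digest()


class Customer:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None
        self.bank_verified = False

    def challenge(self) -> bytes:
        """Step 1: send a fresh random nonce so the bank's reply cannot be replayed."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def check_bank(self, bank_nonce: bytes, bank_tag: bytes):
        """Step 3: verify the bank's tag; only then answer the bank's challenge."""
        expected = _tag(self.key, b"bank", self.nonce, bank_nonce)
        self.bank_verified = hmac.compare_digest(expected, bank_tag)
        if not self.bank_verified:
            return None  # abort: nothing that proves our identity leaves the device
        return _tag(self.key, b"customer", bank_nonce, self.nonce)


class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None
        self.customer_verified = False

    def respond(self, customer_nonce: bytes):
        """Step 2: prove knowledge of the key over the customer's nonce and add our own."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce, _tag(self.key, b"bank", customer_nonce, self.nonce)

    def check_customer(self, customer_nonce: bytes, customer_tag: bytes) -> bool:
        """Step 4: verify the customer's tag over our nonce."""
        expected = _tag(self.key, b"customer", self.nonce, customer_nonce)
        self.customer_verified = hmac.compare_digest(expected, customer_tag)
        return self.customer_verified


class PhishingSite(Bank):
    """Constructed impostor: speaks the protocol but does not hold the shared key."""

    def __init__(self):
        super().__init__(secrets.token_bytes(32))


def run_mutual_auth(customer: Customer, bank: Bank):
    """Run the four messages; returns (bank verified by customer, customer verified by bank)."""
    nc = customer.challenge()
    nb, bank_tag = bank.respond(nc)
    customer_tag = customer.check_bank(nb, bank_tag)
    if customer_tag is None:
        return (False, False)
    return (customer.bank_verified, bank.check_customer(nc, customer_tag))


if __name__ == "__main__":
    print("genuine bank:", run_mutual_auth(Customer(SHARED_KEY), Bank(SHARED_KEY)))
    print("phishing site:", run_mutual_auth(Customer(SHARED_KEY), PhishingSite()))
```

The genuine run returns `(True, True)` and the impostor run `(False, False)`, with the customer tag never sent in the second case. What this shows is the cheapness the paragraph refers to: an HMAC and two random nonces, no certificate handling on the customer side. It does not on its own address an impostor that relays messages live between customer and real bank, which is why deployed schemes also bind the response to transaction details the customer can see, as the later discussion of card readers and realtime security questions suggests.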
Security questions have been tightened: traditional questions about a mother's maiden name are being replaced with more obscure information that is less easily found on social media sites, or with realtime information that only the customer would know, such as details of a recent transaction, says Turner.
As time goes on, people are being asked to remember an increasing number of user names and passwords. Many can only cope by simplifying their passwords, making them easier for hackers to crack. Using a single password across multiple channels also undermines the effectiveness of that password, since one compromised site exposes every account that shares it.
According to Ofcom’s Adults’ Media Use and Attitudes Report 2013, “more than half (55%) of adult internet users admit they use the same password for most, if not all, websites,” while “a quarter (26%) say they tend to use easy to remember passwords such as birthdays or names.”
Forcing customers to choose more complex and unique passwords reduces the risk of an account being hacked but costs financial institutions in other ways, for example in the increased resources needed at helpdesks to assist those who have forgotten their login details.
There are many ideas for enhancing digital security systems, applicable in the banking sector and beyond, and across the full spectrum of platforms, whether banking on the phone, a mobile or a desktop. But critics warn these are too often gimmicks and do not improve on existing security.
“Technology companies just want to innovate, but in compliance we don't care much whether products get better, so much as whether the people using them get safer,” says Colin Clark, operations manager EMEA at PSC, a payments and security consultant.
The most interesting innovations in online security are less glamorous developments, such as improvements to firewalls, but this is not where the money is, according to Clark. For technology developers and vendors, marketability is the deciding factor, hence the skew towards eye-catching innovations such as Apple’s fingerprint reader.
Digital fingerprints and iris recognition have aroused excitement in consumer electronics, but as yet have not convinced the banks of their worth. Implementing such technology will be costly and will not prove the silver bullet customers hope for.
“A card reader interrogates the card, you can’t do that with a fingerprint,” says Clark. “If you have a problem with your card reader or your password you can change them. Even a chip implanted under your skin can be replaced or reformatted. You can’t change your fingerprint or your iris.”
As exciting as it sounds, biometric security remains too flawed. A fingerprint is unique, but copies of it are left scattered wherever customers have been, such as on glasses in pubs or on ATMs, and unlike a password it cannot be revoked once copied. However, biometric security will eventually be adopted by the banks, says Turner, “not as a standalone defence but as the third factor of authentication”.