The "breach a week" phenomenon of the current global banking environment requires that we seek out new and better solutions to safeguard our digital assets.
With thousands of confirmed breaches and billions of stolen accounts tallied, it's now an old story that security has become a board-level concern. In fact, being security-aware in your job is essential: it helps shape even the smallest decisions that could prevent a banking security incident. Here are several mega trends shaping digital banking that look set to transform banking, and the global economy beyond it, in the years to come.
Security is going multi-channel and multifactor
Banks that want to compete are pushing new services to all channels, and in particular to mobile devices, to gain and retain customers. But as night follows day, the sophistication of the fraudster follows. Mobile device hacking is one of the fastest growing areas of cybersecurity. Biometrics combined with computing intelligence offer an intriguing possibility to help remedy fraud across banking channels, applied to both employees and customers.
These days, many consumers use fingerprint authentication to gain quick and convenient access through their mobile devices. Financial institutions are betting on the same type of security/convenience benefit. Facial recognition is also gaining traction as an authentication protocol.
A fingerprint delivered through a mobile device to authenticate a user means that the user at the other end of the transaction is in possession of their device. Combine that with a software-based, contextual/behavioral approach that looks for any variations in your typical login patterns, and you present a more secure identity assurance than a mere password. No single modality necessarily fits all channels. Bank IT directors must look at solutions that are flexible, scalable and fit regional market preferences across ATM, online, mobile, teller channels and more.
Multifactor authentication is evolving to accommodate new digital banking demands. Multifactor authentication (MFA) has now become a staple in banking security technology. A bevy of global regulations and security best practices have dictated its use internally going back decades. Originally, MFA was deployed within banks for employees to gain remote access using the virtual private network. High net worth accounts followed. In some parts of the world, many consumer banks still issue hardware one-time password (OTP) tokens to customers for online access. Hardware tokens are inconvenient and burdensome in comparison to newer options.
MFA is evolving. Compromised (phished, guessed, overused) passwords are the number one reason online fraud is at a record high. Most online accounts are still only protected with a flimsy static password. At the same time, end users are demanding easier, more convenient access to their financial accounts across all channels. This seems like a quandary.
If you are a bank in Europe or North America, you may be familiar with risk-based authentication. The essence of it is that when you connect via a mobile application or browser, there is a handshake between client and host. During this setup, certain information about the device, location, and network is shared. When this information is analyzed by a sophisticated machine learning-based risk engine, built on Big Data analysis and cognitive computing algorithms, an assurance as to the user's identity can be gauged. You can then apply policies on when to present the user with a supplemental challenge at login, also called "step-up authentication". The technology is now mature enough that, if widely enough deployed, it can have a material impact on account compromise and fraud risk. Its promise is to visibly challenge the user less, thereby delivering on convenience/productivity while at the same time securing the user's account from inappropriate access.
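The step-up policy described above, and the earlier point about pairing a device fingerprint check with contextual signals, can be sketched as follows. This is an added example, not code from the article or from any vendor's product: the fixed weights, thresholds, field names and sample profile are assumptions standing in for the machine learning-based risk engine the text refers to.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginContext:
    """Signals shared during the client/host handshake (hypothetical fields)."""
    device_id: str
    country: str
    network: str
    hour: int                          # local hour of the login attempt, 0-23
    fingerprint_verified: bool = False  # on-device biometric check passed

@dataclass(frozen=True)
class UserProfile:
    """What is typical for this user, learned from earlier logins."""
    known_devices: frozenset
    usual_countries: frozenset
    usual_networks: frozenset
    usual_hours: range

# Assumed weights and thresholds; a production engine would learn these.
WEIGHTS = {"device": 40, "country": 30, "network": 15, "hour": 15}
STEP_UP_AT = 30   # at or above: require a supplemental challenge
DENY_AT = 80      # at or above: refuse and route to fraud review

def risk_score(ctx, profile):
    """Return (score, reasons) where reasons lists the signals that deviate."""
    checks = {
        "device": ctx.device_id not in profile.known_devices,
        "country": ctx.country not in profile.usual_countries,
        "network": ctx.network not in profile.usual_networks,
        "hour": ctx.hour not in profile.usual_hours,
    }
    reasons = [name for name, deviates in checks.items() if deviates]
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(ctx, profile):
    """Map the score to a policy outcome: allow, step_up or deny."""
    score, reasons = risk_score(ctx, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    # Medium risk: challenge unless the biometric step-up is already satisfied.
    if score >= STEP_UP_AT and not ctx.fingerprint_verified:
        return "step_up", score, reasons
    return "allow", score, reasons

# Constructed sample profile for illustration.
PROFILE = UserProfile(frozenset({"dev-A"}), frozenset({"FR"}),
                      frozenset({"AS-HOME"}), range(7, 23))
```

Returning the deviating signals alongside the decision gives fraud analysts an audit trail for why a user was challenged or refused.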
Solving for security concerns
The regulatory landscape on cybersecurity within financial services continues to grow in complexity across the globe – including mandates such as the General Data Protection Regulation (GDPR) within the European Union, New York State's 'Title 23' cybersecurity regulation in the U.S., and country-specific mandates in a host of Asian countries such as Singapore and Australia.
In many countries, online account setup relies on the fact that there are records of one's existence, such as a government issued identity or number, credit and work history. But this makes it possible to provision new customers who never make physical contact with the bank – posing a great threat. New technologies that rely on the mobile device for biometric enrollment and then enforce subsequent access using that biometric have the potential to revolutionize this process and bring payroll, bill pay, licensing, tax, lending and other services to these markets. The Mobile Information Device Profile provides a footprint that is specific to mobile devices, and sits on top of the Connected Limited Device Configuration (CLDC) protocol – which is gaining increasing traction in mobile banking.
Crossmatch DigitalPersona is helping banks modernize their cybersecurity technology to protect against internal threats such as sale of confidential data or simple monetary theft, and external threats such as duplicate loan account applications – using advanced composite authentication technology. As security-aware digital bankers, we owe it to ourselves to explore how these trends can better help us reach new customers and protect their accounts. These trends will shape the future of digital banking and make the global economy a safer place to perform transactions.
By Michel Nerrant
Director Business Solution Financial Market