The Future of Authentication for Banks and Financial Institutions
As IT systems have advanced, so have security measures. For its customers' sake, the financial services sector must not fall behind.
Finance Monthly hears from Nic Sarginson, Principal Solutions Engineer at Yubico, on emerging trends in data security that may soon be coming to financial services.
This past year has prompted a rise in take-up of digital banking services. As people stayed at home they went online to work, shop, stay in touch and manage their money. While this shift to online banking presents an opportunity to service providers with a digital-first approach, it also presents a target for cybercriminals intent on profiting from data breaches and account takeovers. Banks and their customers are adapting to a new, remote, relationship; as they do, the strength of online security protection will become a greater talking point and, for some institutions, even a source of competitive advantage.
According to some reports, as many as six million people in the UK made the switch to digital banking in March/April last year. Customers setting up their accounts will have created a password/PIN to use with a user ID to gain access. This form of authentication will be familiar from other log-in services; what may be less so is the additional strong customer authentication (SCA) check, such as a one-time passcode generated by a card reader or sent as a text to a registered mobile phone.
This second line of defence is incredibly important for financial services, as passwords are notoriously weak at preventing bank account takeovers. Reused passwords render multiple accounts vulnerable should a data breach put this information into the hands of cybercriminals. Passwords can also be guessed with a range of common word and number combinations in use, and bank details are some of the most coveted data breach spoils.
Additional ID checks therefore boost security, but not all forms of stronger authentication are completely resistant to security threats. Mobile-based one-time codes, so popular with banks, can for example be vulnerable to SIM-swap attacks as well as to modern man-in-the-middle (MitM) and phishing attacks.
During a MitM attack the innocent party believes they are communicating with a legitimate organisation, such as their bank, but in reality information is being intercepted and relayed by a malicious third party. It isn't easy to recognise this type of attack, even for the cyber savvy, as attackers create personalised and convincing communications to trick their targets. Routes in can include unprotected Wi-Fi and manipulated URLs.
In the more widely known phishing attack, people are tricked into parting with personal information such as login details. Phished credentials are then used to gain access to the user’s account and may be tried against other services as part of a multiple account takeover.
Managing the customer experience
For financial services, the strongest possible authentication to protect data and accounts does not always marry with the best customer experience. Each additional check can add time and frustration to the log-in experience, preventing customers from accessing their accounts whenever they want to – if, for example, they are in a mobile-restricted location.
Strong authentication therefore must meet the dual requirement of protecting account details and financial and personal information, while also providing a convenient, preferably frictionless, user experience. Added to that is another consideration - how simple it is to integrate additional authentication into back-end systems for both the existing product portfolio and future innovations. With the rate at which financial services are digitising, and payments moving cashless, this is a challenge most banks will find concerning. The finance industry is also faced with the critical need to ensure compliance with various industry regulations including GDPR, PCI DSS and PSD2 mandates that govern access to sensitive data.
Protecting corporate infrastructure
Financial institutions must also protect access to their own systems and applications. Here, the challenge is exacerbated by the fact that most banking infrastructures are a mix of legacy on-premise systems, and private or public cloud-hosted services. They must all be protected against unauthorised access, a challenge that has been heightened by the rapid transition to large-scale homeworking of the past year.
Finance teams and employees working from unfamiliar locations expand the potential attack surface with home networks and personal devices suddenly a part of a bank’s corporate IT estate. Seamless, convenient and high-assurance multi-factor authentication (MFA) must be in place to protect data and corporate assets so that employees can securely access systems remotely without introducing new risks and vulnerabilities.
Financial services are starting to embrace hardware-based tools such as security keys as a route to strong authentication, which protects business and customer data without inconveniencing increasingly impatient financial customers. When it comes to their financial data, users appreciate authentication devices being something they have, as opposed to something they know, to protect against phishing attacks. For customers, they provide protection for accounts, while in the corporate setting they can secure access to systems and applications. Whether tasked with upgrading a bank’s legacy infrastructure, or a new generation of fintech developers operating solely in the cloud, such an approach can offer seamless integration with operating systems, and conformance with global authentication standards.
If the finance industry is to effectively protect customers and customer data while providing the user experience that today's consumers expect, it must look beyond basic protection methods to provide strong yet frictionless authentication. It is shocking that, today, social media accounts are often more secure than bank accounts. Since consumers are increasingly exposed to better protection elsewhere, they will soon be demanding the same security assurances for their bank accounts.