Robert Capps
Robert Capps Nov 22, 2017

How to bank on code before bad actors break it

In the race to secure customer satisfaction, banks must balance security and convenience. With an estimated 265.9 mobile phone users in the United States, banks are ramping up their mobile offerings. But they’re also finding that they need to tighten up security—or else face leaving the vault wide open for cyber criminals.

In a restless 24/7 effort that typifies our digital age, cybercriminals continuously probe mobile applications and online banking business logic for vulnerabilities. And as digital technology grows more sophisticated, so do they: Many of them find holes in critical functions such as identification, authentication and authorization of users.

Yet how do banks respond to this threat? Many often rely on just one or two layers of consumer validation. And this invites disaster.

Institutions need to incorporate various layers of positive consumer validation that utilizes layered technologies. These include automation and anomaly detection, multi-factor authentication, passive biometrics and behavioral analytics—which allow banks to identify the true customer and detect the imposter before they access critical account functions.

Holes in the code

Banks and their customers are being silently robbed because of vulnerabilities present in the mechanisms used to identify, authenticate and authorize users. This problem doesn’t impact just a select few organizations; a recent report by Positive Technologies found that two thirds of remote banking applications are vulnerable to some form of brute force attack. The number of maximum attacks against one company in a single day? 19,889. As their report for the first quarter of 2017 states, “Attackers don’t take weekends.”

Unaddressed flaws could result in theft of funds, unauthorized access to client data and other sensitive bank and consumer information. Also according to Positive Technologies, banking applications developed by third-party vendors had on average twice as many vulnerabilities as those created by in-house technology teams. This means every piece of code must be tested for such vulnerabilities in function and logic and then approved in-house, before implementation, to ensure the integrity of the banking application.

Open sesame? Says who?

Passwords to open accounts have become a dime a dozen on the Dark Web. Two-factor authentication and physical biometrics such as fingerprints, iris scans and selfies have a place in the security and authentication stack. But individually, each solution can be subverted by hackers. This article describes how one researcher claims to have defeated the facial recognition feature on the new iPhone X with a $150 mask.

Solutions based on consumer behavior and interactional signals lead the way to provide more safety for consumers with less customer experience friction and marketplace fraud. Layering behavioral biometrics with other solutions such as Mastercard’s Identity Check Mobile or fingerprint sensors provides an excellent example of how passive and active biometrics work in tandem to balance security and user experience. 

Passive biometrics can track the angle of a handheld device when in use, pressure applied to the keys or screen, and the length of gaps between typing and swiping—all these can help separate good users from bad. These signals are virtually impossible for a non-human interface to replicate. Anomalous behavior can be identified by analyzing these signals, even in large data sets, and comparing the patterns of known human users with unusual patterns.

Let the leverage begin

Technology solutions can now identify machines from humans, then separate good machines from bad; select known humans from unknown humans; and finally sort unknown humans who demonstrate low-risk signals from unknown humans with high-risk signals. This process lets organizations fast track known and low-risk users for an optimal experience, saving the friction and traditional authentication methods for the highest risk users.

Thus financial institutions can leverage a unique, powerful ability to secure transactions and improve verification authenticity. As the name implies, integrated authentication combines physical biometrics (such as facial recognition or a fingerprint) with behavioral analytics and risk decisioning within robust offerings.

Until banks move to multi-modal approach, their remote banking apps will continue to be vulnerable, leaving their customers trust waning. Left unattended, holes in the code can soon erode into rabbit holes.


Want more Banking Strategies? Sign up for our free newsletter!

Robert Capps is authentication strategist, vice president for NuData Security. A recognized technologist, thought leader and advisor, Capps has more than 20 years experience in the design, management, and protection of complex information systems.

BAI Banking Strategies

Thank you for visiting BAI Banking Strategies. To view more, please Subscribe or Login.

Dismiss